Managed XDR

manager.ps1 (Cobalt Strike) — malware analysis report

File info

Filename
manager.ps1
File type
ASCII text, with very long lines
File size
402.6 KB
First seen
Last seen

Environment

w10/x86 en

Hashes

SHA1
c76ecb854b8b372cdae86ed27262c78c8889e09c
SHA256
5bbc4b012c35601e0a5478812d1c53cf69912d519a828d7a0adb0a655c7d0382
MD5
9e9f7dc7d875b12763dbbdc409056c6b

Malwares

  • Cobalt Strike

Signatures

Privilege Escalation

T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1497.001 antivm_queries_computername: Retrieves the computer name
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Discovery

T1497.001 antivm_queries_computername: Retrieves the computer name

Other

yara_rules: Static rules
no_graphical_activity: No graphic activity
create_rpc_bindings: Creates RPC connection
checktokenmembership: Checks user token with CheckTokenMembership call
writes_data: Writes big amount of data to disk

Related reports

Managed XDR