cobaltstrike | 16c7bda207cb29e36c50337ced9239ff09c6089a84132e5ee1f2366a644dc9f7

Analysis

max time kernel
93s
max time network
94s
platform
windows7_x64
resource
win7-en-20211208
submitted
07-01-2022 10:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16c7bda207cb29e36c50337ced9239ff09c6089a84132e5ee1f2366a644dc9f7.exe
Size

56.8MB
MD5

bc6684c0ea7c60d44ae6ff4434810e09
SHA1

cbdc8ae37e94d69261b1985e1d3f2183f6174e01
SHA256

16c7bda207cb29e36c50337ced9239ff09c6089a84132e5ee1f2366a644dc9f7
SHA512

17d2e6c593318ebb0aa867dd973a2004350cf0330be8c5a2807f90720adf4fc870a5504cb3035eb427e15847ffac4f6a2052bddb47bad55754f0150ee149600d

Score

10^/10

cobaltstrike backdoor evasion trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Executes dropped EXE 2 IoCs

Processes:

exploer.exeSetup5.exe

pid process

760 exploer.exe
568 Setup5.exe
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158
Loads dropped DLL 5 IoCs

Processes:

16c7bda207cb29e36c50337ced9239ff09c6089a84132e5ee1f2366a644dc9f7.exeSetup5.exe

pid process

1880 16c7bda207cb29e36c50337ced9239ff09c6089a84132e5ee1f2366a644dc9f7.exe
568 Setup5.exe
568 Setup5.exe
568 Setup5.exe
568 Setup5.exe

pid	process
760	exploer.exe
568	Setup5.exe

pid	process
1880	16c7bda207cb29e36c50337ced9239ff09c6089a84132e5ee1f2366a644dc9f7.exe
568	Setup5.exe
568	Setup5.exe
568	Setup5.exe
568	Setup5.exe

Drops file in System32 directory 5 IoCs

Processes:

attrib.exeexploer.exeattrib.exe

description	ioc	process
File opened for modification	C:\Windows\System32\qwave.exe	attrib.exe
File created	C:\Windows\System32\qcap.exe	exploer.exe
File opened for modification	C:\Windows\System32\qcap.exe	attrib.exe
File created	C:\Windows\System32\qwave.exe	exploer.exe
File opened for modification	C:\Windows\System32\qwave.exe	exploer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 10 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Setup5.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\Setup5.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\Setup5.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\Setup5.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\Setup5.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\Setup5.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\Setup5.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\Setup5.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\Setup5.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\Setup5.exe	nsis_installer_2

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

Setup5.exe

pid process

568 Setup5.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

exploer.exe

pid process

760 exploer.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

16c7bda207cb29e36c50337ced9239ff09c6089a84132e5ee1f2366a644dc9f7.exe

pid process

1880 16c7bda207cb29e36c50337ced9239ff09c6089a84132e5ee1f2366a644dc9f7.exe

pid	process
568	Setup5.exe

pid	process
760	exploer.exe

pid	process
1880	16c7bda207cb29e36c50337ced9239ff09c6089a84132e5ee1f2366a644dc9f7.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

16c7bda207cb29e36c50337ced9239ff09c6089a84132e5ee1f2366a644dc9f7.execmd.exeexploer.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1880 wrote to memory of 1156	1880	16c7bda207cb29e36c50337ced9239ff09c6089a84132e5ee1f2366a644dc9f7.exe	cmd.exe
PID 1880 wrote to memory of 1156	1880	16c7bda207cb29e36c50337ced9239ff09c6089a84132e5ee1f2366a644dc9f7.exe	cmd.exe
PID 1880 wrote to memory of 1156	1880	16c7bda207cb29e36c50337ced9239ff09c6089a84132e5ee1f2366a644dc9f7.exe	cmd.exe
PID 1880 wrote to memory of 760	1880	16c7bda207cb29e36c50337ced9239ff09c6089a84132e5ee1f2366a644dc9f7.exe	exploer.exe
PID 1880 wrote to memory of 760	1880	16c7bda207cb29e36c50337ced9239ff09c6089a84132e5ee1f2366a644dc9f7.exe	exploer.exe
PID 1880 wrote to memory of 760	1880	16c7bda207cb29e36c50337ced9239ff09c6089a84132e5ee1f2366a644dc9f7.exe	exploer.exe
PID 1156 wrote to memory of 568	1156	cmd.exe	Setup5.exe
PID 1156 wrote to memory of 568	1156	cmd.exe	Setup5.exe
PID 1156 wrote to memory of 568	1156	cmd.exe	Setup5.exe
PID 1156 wrote to memory of 568	1156	cmd.exe	Setup5.exe
PID 1156 wrote to memory of 568	1156	cmd.exe	Setup5.exe
PID 1156 wrote to memory of 568	1156	cmd.exe	Setup5.exe
PID 1156 wrote to memory of 568	1156	cmd.exe	Setup5.exe
PID 760 wrote to memory of 1068	760	exploer.exe	cmd.exe
PID 760 wrote to memory of 1068	760	exploer.exe	cmd.exe
PID 760 wrote to memory of 1068	760	exploer.exe	cmd.exe
PID 1068 wrote to memory of 1580	1068	cmd.exe	attrib.exe
PID 1068 wrote to memory of 1580	1068	cmd.exe	attrib.exe
PID 1068 wrote to memory of 1580	1068	cmd.exe	attrib.exe
PID 760 wrote to memory of 1536	760	exploer.exe	cmd.exe
PID 760 wrote to memory of 1536	760	exploer.exe	cmd.exe
PID 760 wrote to memory of 1536	760	exploer.exe	cmd.exe
PID 1536 wrote to memory of 364	1536	cmd.exe	attrib.exe
PID 1536 wrote to memory of 364	1536	cmd.exe	attrib.exe
PID 1536 wrote to memory of 364	1536	cmd.exe	attrib.exe
PID 760 wrote to memory of 1060	760	exploer.exe	WerFault.exe
PID 760 wrote to memory of 1060	760	exploer.exe	WerFault.exe
PID 760 wrote to memory of 1060	760	exploer.exe	WerFault.exe
PID 760 wrote to memory of 1060	760	exploer.exe	WerFault.exe
PID 760 wrote to memory of 1060	760	exploer.exe	WerFault.exe
PID 760 wrote to memory of 1760	760	exploer.exe	cmd.exe
PID 760 wrote to memory of 1760	760	exploer.exe	cmd.exe
PID 760 wrote to memory of 1760	760	exploer.exe	cmd.exe
PID 1760 wrote to memory of 888	1760	cmd.exe	attrib.exe
PID 1760 wrote to memory of 888	1760	cmd.exe	attrib.exe
PID 1760 wrote to memory of 888	1760	cmd.exe	attrib.exe
PID 760 wrote to memory of 904	760	exploer.exe	WerFault.exe
PID 760 wrote to memory of 904	760	exploer.exe	WerFault.exe
PID 760 wrote to memory of 904	760	exploer.exe	WerFault.exe
PID 760 wrote to memory of 904	760	exploer.exe	WerFault.exe
PID 760 wrote to memory of 904	760	exploer.exe	WerFault.exe
PID 760 wrote to memory of 668	760	exploer.exe	WerFault.exe
PID 760 wrote to memory of 668	760	exploer.exe	WerFault.exe
PID 760 wrote to memory of 668	760	exploer.exe	WerFault.exe
PID 760 wrote to memory of 668	760	exploer.exe	WerFault.exe
PID 760 wrote to memory of 668	760	exploer.exe	WerFault.exe

Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exe

pid process

1580 attrib.exe
364 attrib.exe
888 attrib.exe

pid	process
1580	attrib.exe
364	attrib.exe
888	attrib.exe

C:\Users\Admin\AppData\Local\Temp\16c7bda207cb29e36c50337ced9239ff09c6089a84132e5ee1f2366a644dc9f7.exe
"C:\Users\Admin\AppData\Local\Temp\16c7bda207cb29e36c50337ced9239ff09c6089a84132e5ee1f2366a644dc9f7.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1880

C:\Windows\system32\cmd.exe
cmd " /c " C:\Users\Admin\AppData\Local\Temp\Setup5.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1156

C:\Users\Admin\AppData\Local\Temp\Setup5.exe
C:\Users\Admin\AppData\Local\Temp\Setup5.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:568

C:\Users\Public\exploer.exe
C:\Users\Public\exploer.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C attrib +s +h C:\Windows\temp\svchost.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1068

C:\Windows\system32\attrib.exe
attrib +s +h C:\Windows\temp\svchost.exe
4⤵
- Views/modifies file attributes
PID:1580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C attrib +s +h C:\Windows\System32\qwave.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\system32\attrib.exe
attrib +s +h C:\Windows\System32\qwave.exe
4⤵
- Drops file in System32 directory
- Views/modifies file attributes
PID:364

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe
3⤵
PID:1060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C attrib +s +h C:\Windows\System32\qcap.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\system32\attrib.exe
attrib +s +h C:\Windows\System32\qcap.exe
4⤵
- Drops file in System32 directory
- Views/modifies file attributes
PID:888

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe
3⤵
PID:904

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe
3⤵
PID:668

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Setup5.exe
MD5
f5b875d37f61f584b06773be32348d99

SHA1
3d1d83b0ec0637d8e787e2a9360ff94e6cd65db7

SHA256
2594946449cff84eec6cd8f715a294eea17f31edf67d344b4340312429500f49

SHA512
91622dbe4ae1956ff14d3cc364635facc366bf0e7f7aab02ecafbc55b0970e196d1ad20f4695fdbf805f76a170e39c6776f3e5da05112f036fca4d79eebe600a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup5.exe
MD5
f5b875d37f61f584b06773be32348d99

SHA1
3d1d83b0ec0637d8e787e2a9360ff94e6cd65db7

SHA256
2594946449cff84eec6cd8f715a294eea17f31edf67d344b4340312429500f49

SHA512
91622dbe4ae1956ff14d3cc364635facc366bf0e7f7aab02ecafbc55b0970e196d1ad20f4695fdbf805f76a170e39c6776f3e5da05112f036fca4d79eebe600a

Download Submit
C:\Users\Public\exploer.exe
MD5
41613750aa14b52bd1be35b0df84b2ab

SHA1
61b3b7a964fbb32440231db533921bd22b5b1c6c

SHA256
104d560b8b5e5aa995de035598c171ea0e4905c94d148077c8d87c9ce44c4fce

SHA512
3e4faab7e760c49c3d8e0f35626e293478aa0ea80e147a884e61e7ced9dace0cc100883e58f9ac932d6cc3f9f4adb91a31fa90f9aec7418202d939dceda3f7cc

Download Submit
C:\Users\Public\exploer.exe
MD5
41613750aa14b52bd1be35b0df84b2ab

SHA1
61b3b7a964fbb32440231db533921bd22b5b1c6c

SHA256
104d560b8b5e5aa995de035598c171ea0e4905c94d148077c8d87c9ce44c4fce

SHA512
3e4faab7e760c49c3d8e0f35626e293478aa0ea80e147a884e61e7ced9dace0cc100883e58f9ac932d6cc3f9f4adb91a31fa90f9aec7418202d939dceda3f7cc

Download Submit
C:\Windows\System32\qcap.exe
MD5
41613750aa14b52bd1be35b0df84b2ab

SHA1
61b3b7a964fbb32440231db533921bd22b5b1c6c

SHA256
104d560b8b5e5aa995de035598c171ea0e4905c94d148077c8d87c9ce44c4fce

SHA512
3e4faab7e760c49c3d8e0f35626e293478aa0ea80e147a884e61e7ced9dace0cc100883e58f9ac932d6cc3f9f4adb91a31fa90f9aec7418202d939dceda3f7cc

Download Submit
C:\Windows\System32\qwave.exe
MD5
41613750aa14b52bd1be35b0df84b2ab

SHA1
61b3b7a964fbb32440231db533921bd22b5b1c6c

SHA256
104d560b8b5e5aa995de035598c171ea0e4905c94d148077c8d87c9ce44c4fce

SHA512
3e4faab7e760c49c3d8e0f35626e293478aa0ea80e147a884e61e7ced9dace0cc100883e58f9ac932d6cc3f9f4adb91a31fa90f9aec7418202d939dceda3f7cc

Download Submit
C:\Windows\temp\svchost.exe
MD5
41613750aa14b52bd1be35b0df84b2ab

SHA1
61b3b7a964fbb32440231db533921bd22b5b1c6c

SHA256
104d560b8b5e5aa995de035598c171ea0e4905c94d148077c8d87c9ce44c4fce

SHA512
3e4faab7e760c49c3d8e0f35626e293478aa0ea80e147a884e61e7ced9dace0cc100883e58f9ac932d6cc3f9f4adb91a31fa90f9aec7418202d939dceda3f7cc

Download Submit
\Users\Admin\AppData\Local\Temp\Setup5.exe
MD5
f5b875d37f61f584b06773be32348d99

SHA1
3d1d83b0ec0637d8e787e2a9360ff94e6cd65db7

SHA256
2594946449cff84eec6cd8f715a294eea17f31edf67d344b4340312429500f49

SHA512
91622dbe4ae1956ff14d3cc364635facc366bf0e7f7aab02ecafbc55b0970e196d1ad20f4695fdbf805f76a170e39c6776f3e5da05112f036fca4d79eebe600a

Download Submit
\Users\Admin\AppData\Local\Temp\Setup5.exe
MD5
f5b875d37f61f584b06773be32348d99

SHA1
3d1d83b0ec0637d8e787e2a9360ff94e6cd65db7

SHA256
2594946449cff84eec6cd8f715a294eea17f31edf67d344b4340312429500f49

SHA512
91622dbe4ae1956ff14d3cc364635facc366bf0e7f7aab02ecafbc55b0970e196d1ad20f4695fdbf805f76a170e39c6776f3e5da05112f036fca4d79eebe600a

Download Submit
\Users\Admin\AppData\Local\Temp\Setup5.exe
MD5
f5b875d37f61f584b06773be32348d99

SHA1
3d1d83b0ec0637d8e787e2a9360ff94e6cd65db7

SHA256
2594946449cff84eec6cd8f715a294eea17f31edf67d344b4340312429500f49

SHA512
91622dbe4ae1956ff14d3cc364635facc366bf0e7f7aab02ecafbc55b0970e196d1ad20f4695fdbf805f76a170e39c6776f3e5da05112f036fca4d79eebe600a

Download Submit
\Users\Admin\AppData\Local\Temp\nsiE8E9.tmp\InstallOptions.dll
MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
\Users\Public\exploer.exe
MD5
41613750aa14b52bd1be35b0df84b2ab

SHA1
61b3b7a964fbb32440231db533921bd22b5b1c6c

SHA256
104d560b8b5e5aa995de035598c171ea0e4905c94d148077c8d87c9ce44c4fce

SHA512
3e4faab7e760c49c3d8e0f35626e293478aa0ea80e147a884e61e7ced9dace0cc100883e58f9ac932d6cc3f9f4adb91a31fa90f9aec7418202d939dceda3f7cc

Download Submit
memory/364-75-0x0000000000000000-mapping.dmp

Download
memory/568-62-0x0000000075AB1000-0x0000000075AB3000-memory.dmp

Filesize
8KB

Download
memory/568-60-0x0000000000000000-mapping.dmp

Download
memory/668-115-0x0000000001E20000-0x0000000001E72000-memory.dmp

Filesize
328KB

Download
memory/668-105-0x00000000000A0000-0x00000000000BA000-memory.dmp

Filesize
104KB

Download
memory/668-119-0x0000000001E77000-0x0000000001E78000-memory.dmp

Filesize
4KB

Download
memory/668-118-0x0000000001E76000-0x0000000001E77000-memory.dmp

Filesize
4KB

Download
memory/668-103-0x0000000000060000-0x000000000009A000-memory.dmp

Filesize
232KB

Download
memory/668-116-0x0000000001E72000-0x0000000001E74000-memory.dmp

Filesize
8KB

Download
memory/668-106-0x0000000000000000-mapping.dmp

Download
memory/668-111-0x00000000001F0000-0x000000000020E000-memory.dmp

Filesize
120KB

Download
memory/668-117-0x0000000001E74000-0x0000000001E76000-memory.dmp

Filesize
8KB

Download
memory/668-113-0x0000000001CB0000-0x0000000001CF0000-memory.dmp

Filesize
256KB

Download
memory/668-114-0x0000000001CB0000-0x0000000001CF0000-memory.dmp

Filesize
256KB

Download
memory/760-66-0x000000013F2D0000-0x000000013F384000-memory.dmp

Filesize
720KB

Download
memory/760-70-0x00000000007B0000-0x00000000007F1000-memory.dmp

Filesize
260KB

Download
memory/760-67-0x000000013F2D0000-0x000000013F384000-memory.dmp

Filesize
720KB

Download
memory/760-69-0x000000001AC60000-0x000000001AC62000-memory.dmp

Filesize
8KB

Download
memory/760-56-0x0000000000000000-mapping.dmp

Download
memory/888-90-0x0000000000000000-mapping.dmp

Download
memory/904-101-0x0000000001FA0000-0x0000000001FF2000-memory.dmp

Filesize
328KB

Download
memory/904-108-0x000000001AD54000-0x000000001AD56000-memory.dmp

Filesize
8KB

Download
memory/904-112-0x000000001AD57000-0x000000001AD58000-memory.dmp

Filesize
4KB

Download
memory/904-110-0x000000001AD56000-0x000000001AD57000-memory.dmp

Filesize
4KB

Download
memory/904-107-0x000000001AD52000-0x000000001AD54000-memory.dmp

Filesize
8KB

Download
memory/904-100-0x0000000001C10000-0x0000000001C50000-memory.dmp

Filesize
256KB

Download
memory/904-93-0x0000000000060000-0x000000000009A000-memory.dmp

Filesize
232KB

Download
memory/904-95-0x00000000000A0000-0x00000000000BA000-memory.dmp

Filesize
104KB

Download
memory/904-96-0x0000000000000000-mapping.dmp

Download
memory/904-98-0x0000000001BB0000-0x0000000001BCE000-memory.dmp

Filesize
120KB

Download
memory/904-99-0x0000000001C10000-0x0000000001C50000-memory.dmp

Filesize
256KB

Download
memory/1060-86-0x0000000002072000-0x0000000002074000-memory.dmp

Filesize
8KB

Download
memory/1060-83-0x0000000001B20000-0x0000000001B3E000-memory.dmp

Filesize
120KB

Download
memory/1060-85-0x0000000001FE0000-0x0000000002020000-memory.dmp

Filesize
256KB

Download
memory/1060-87-0x0000000002074000-0x0000000002076000-memory.dmp

Filesize
8KB

Download
memory/1060-88-0x0000000002076000-0x0000000002077000-memory.dmp

Filesize
4KB

Download
memory/1060-82-0x000007FEFC3C1000-0x000007FEFC3C3000-memory.dmp

Filesize
8KB

Download
memory/1060-81-0x0000000000000000-mapping.dmp

Download
memory/1060-80-0x0000000000060000-0x000000000007A000-memory.dmp

Filesize
104KB

Download
memory/1060-84-0x0000000001FE0000-0x0000000002020000-memory.dmp

Filesize
256KB

Download
memory/1060-77-0x0000000000110000-0x000000000014A000-memory.dmp

Filesize
232KB

Download
memory/1060-78-0x0000000000110000-0x000000000014A000-memory.dmp

Filesize
232KB

Download
memory/1060-79-0x0000000000060000-0x000000000007A000-memory.dmp

Filesize
104KB

Download
memory/1068-71-0x0000000000000000-mapping.dmp

Download
memory/1156-54-0x0000000000000000-mapping.dmp

Download
memory/1536-74-0x0000000000000000-mapping.dmp

Download
memory/1580-72-0x0000000000000000-mapping.dmp

Download
memory/1760-89-0x0000000000000000-mapping.dmp

Download