Overview

overview

10

Static

static

16c7bda207...f7.exe

windows7_x64

10

16c7bda207...f7.exe

windows10_x64

10

Analysis

  • max time kernel
    104s
  • max time network
    110s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    07-01-2022 10:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    16c7bda207cb29e36c50337ced9239ff09c6089a84132e5ee1f2366a644dc9f7.exe

  • Size

    56.8MB

  • MD5

    bc6684c0ea7c60d44ae6ff4434810e09

  • SHA1

    cbdc8ae37e94d69261b1985e1d3f2183f6174e01

  • SHA256

    16c7bda207cb29e36c50337ced9239ff09c6089a84132e5ee1f2366a644dc9f7

  • SHA512

    17d2e6c593318ebb0aa867dd973a2004350cf0330be8c5a2807f90720adf4fc870a5504cb3035eb427e15847ffac4f6a2052bddb47bad55754f0150ee149600d

Score
10/10
cobaltstrikebackdoorevasiontrojan

Malware Config

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Sets file to hidden 1 TTPs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 4 IoCs
    installer
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs
  • Views/modifies file attributes 1 TTPs 3 IoCs
    evasion

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
    1⤵
      PID:2388
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe
        2⤵
          PID:2692
      • C:\Users\Admin\AppData\Local\Temp\16c7bda207cb29e36c50337ced9239ff09c6089a84132e5ee1f2366a644dc9f7.exe
        "C:\Users\Admin\AppData\Local\Temp\16c7bda207cb29e36c50337ced9239ff09c6089a84132e5ee1f2366a644dc9f7.exe"
        1⤵
        • Suspicious behavior: RenamesItself
        • Suspicious use of WriteProcessMemory
        PID:2496
        • C:\Windows\system32\cmd.exe
          cmd " /c " C:\Users\Admin\AppData\Local\Temp\Setup5.exe
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2892
          • C:\Users\Admin\AppData\Local\Temp\Setup5.exe
            C:\Users\Admin\AppData\Local\Temp\Setup5.exe
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:3624
        • C:\Users\Public\exploer.exe
          C:\Users\Public\exploer.exe
          2⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3532
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /C attrib +s +h C:\Windows\temp\svchost.exe
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2324
            • C:\Windows\system32\attrib.exe
              attrib +s +h C:\Windows\temp\svchost.exe
              4⤵
              • Views/modifies file attributes
              PID:3144
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /C attrib +s +h C:\Windows\System32\qwave.exe
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3748
            • C:\Windows\system32\attrib.exe
              attrib +s +h C:\Windows\System32\qwave.exe
              4⤵
              • Drops file in System32 directory
              • Views/modifies file attributes
              PID:3048
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe
            3⤵
              PID:488
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /C attrib +s +h C:\Windows\System32\qcap.exe
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:3408
              • C:\Windows\system32\attrib.exe
                attrib +s +h C:\Windows\System32\qcap.exe
                4⤵
                • Drops file in System32 directory
                • Views/modifies file attributes
                PID:3732
            • C:\Windows\system32\WerFault.exe
              C:\Windows\system32\WerFault.exe
              3⤵
                PID:3104
              • C:\Windows\system32\WerFault.exe
                C:\Windows\system32\WerFault.exe
                3⤵
                  PID:2436

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Persistence

            Hidden Files and Directories

            2
            T1158

            Privilege Escalation

            Defense Evasion

            Hidden Files and Directories

            2
            T1158

            Credential Access

            Discovery

            System Information Discovery

            1
            T1082

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WerFault.exe.log
              MD5

              91956ff35074949b1b46ba17a2fbfa2b

              SHA1

              de40118e583776ed948431fa0af9cc89d6b12c8b

              SHA256

              842737052b8f428220890a78b60b4df441b0fbe324b1d7e6a892c7e03f4aa9ae

              SHA512

              935bee27d0b1e198bbe6b2446afe0d755041dd3ac0b003736143b4df1551a39bf735827b3f352e90c67929dcef89fdbc03563fc0a9a954ef5c07e797fdc6a562

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\Setup5.exe
              MD5

              f5b875d37f61f584b06773be32348d99

              SHA1

              3d1d83b0ec0637d8e787e2a9360ff94e6cd65db7

              SHA256

              2594946449cff84eec6cd8f715a294eea17f31edf67d344b4340312429500f49

              SHA512

              91622dbe4ae1956ff14d3cc364635facc366bf0e7f7aab02ecafbc55b0970e196d1ad20f4695fdbf805f76a170e39c6776f3e5da05112f036fca4d79eebe600a

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\Setup5.exe
              MD5

              f5b875d37f61f584b06773be32348d99

              SHA1

              3d1d83b0ec0637d8e787e2a9360ff94e6cd65db7

              SHA256

              2594946449cff84eec6cd8f715a294eea17f31edf67d344b4340312429500f49

              SHA512

              91622dbe4ae1956ff14d3cc364635facc366bf0e7f7aab02ecafbc55b0970e196d1ad20f4695fdbf805f76a170e39c6776f3e5da05112f036fca4d79eebe600a

              Download Submit
            • C:\Users\Public\exploer.exe
              MD5

              41613750aa14b52bd1be35b0df84b2ab

              SHA1

              61b3b7a964fbb32440231db533921bd22b5b1c6c

              SHA256

              104d560b8b5e5aa995de035598c171ea0e4905c94d148077c8d87c9ce44c4fce

              SHA512

              3e4faab7e760c49c3d8e0f35626e293478aa0ea80e147a884e61e7ced9dace0cc100883e58f9ac932d6cc3f9f4adb91a31fa90f9aec7418202d939dceda3f7cc

              Download Submit
            • C:\Users\Public\exploer.exe
              MD5

              41613750aa14b52bd1be35b0df84b2ab

              SHA1

              61b3b7a964fbb32440231db533921bd22b5b1c6c

              SHA256

              104d560b8b5e5aa995de035598c171ea0e4905c94d148077c8d87c9ce44c4fce

              SHA512

              3e4faab7e760c49c3d8e0f35626e293478aa0ea80e147a884e61e7ced9dace0cc100883e58f9ac932d6cc3f9f4adb91a31fa90f9aec7418202d939dceda3f7cc

              Download Submit
            • C:\Windows\System32\qcap.exe
              MD5

              41613750aa14b52bd1be35b0df84b2ab

              SHA1

              61b3b7a964fbb32440231db533921bd22b5b1c6c

              SHA256

              104d560b8b5e5aa995de035598c171ea0e4905c94d148077c8d87c9ce44c4fce

              SHA512

              3e4faab7e760c49c3d8e0f35626e293478aa0ea80e147a884e61e7ced9dace0cc100883e58f9ac932d6cc3f9f4adb91a31fa90f9aec7418202d939dceda3f7cc

              Download Submit
            • C:\Windows\System32\qwave.exe
              MD5

              41613750aa14b52bd1be35b0df84b2ab

              SHA1

              61b3b7a964fbb32440231db533921bd22b5b1c6c

              SHA256

              104d560b8b5e5aa995de035598c171ea0e4905c94d148077c8d87c9ce44c4fce

              SHA512

              3e4faab7e760c49c3d8e0f35626e293478aa0ea80e147a884e61e7ced9dace0cc100883e58f9ac932d6cc3f9f4adb91a31fa90f9aec7418202d939dceda3f7cc

              Download Submit
            • C:\Windows\temp\svchost.exe
              MD5

              41613750aa14b52bd1be35b0df84b2ab

              SHA1

              61b3b7a964fbb32440231db533921bd22b5b1c6c

              SHA256

              104d560b8b5e5aa995de035598c171ea0e4905c94d148077c8d87c9ce44c4fce

              SHA512

              3e4faab7e760c49c3d8e0f35626e293478aa0ea80e147a884e61e7ced9dace0cc100883e58f9ac932d6cc3f9f4adb91a31fa90f9aec7418202d939dceda3f7cc

              Download Submit
            • \Users\Admin\AppData\Local\Temp\nsuDC39.tmp\InstallOptions.dll
              MD5

              325b008aec81e5aaa57096f05d4212b5

              SHA1

              27a2d89747a20305b6518438eff5b9f57f7df5c3

              SHA256

              c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

              SHA512

              18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

              Download Submit
            • memory/488-133-0x0000022025C20000-0x0000022025C5A000-memory.dmp
              Filesize

              232KB

              Download
            • memory/488-141-0x00000220276F0000-0x0000022027730000-memory.dmp
              Filesize

              256KB

              Download
            • memory/488-147-0x0000022027743000-0x0000022027745000-memory.dmp
              Filesize

              8KB

              Download
            • memory/488-139-0x0000022025F20000-0x0000022025F22000-memory.dmp
              Filesize

              8KB

              Download
            • memory/488-148-0x0000022027746000-0x0000022027747000-memory.dmp
              Filesize

              4KB

              Download
            • memory/488-194-0x0000022025F20000-0x0000022025F22000-memory.dmp
              Filesize

              8KB

              Download
            • memory/488-142-0x00000220276F0000-0x0000022027730000-memory.dmp
              Filesize

              256KB

              Download
            • memory/488-146-0x0000022027740000-0x0000022027742000-memory.dmp
              Filesize

              8KB

              Download
            • memory/488-195-0x0000022025F20000-0x0000022025F22000-memory.dmp
              Filesize

              8KB

              Download
            • memory/488-140-0x0000022025F20000-0x0000022025F22000-memory.dmp
              Filesize

              8KB

              Download
            • memory/488-134-0x0000022025C60000-0x0000022025C7A000-memory.dmp
              Filesize

              104KB

              Download
            • memory/488-135-0x0000000000000000-mapping.dmp
              Download
            • memory/488-136-0x0000022025D60000-0x0000022025D7E000-memory.dmp
              Filesize

              120KB

              Download
            • memory/488-137-0x0000022025F20000-0x0000022025F22000-memory.dmp
              Filesize

              8KB

              Download
            • memory/488-138-0x0000022025F20000-0x0000022025F22000-memory.dmp
              Filesize

              8KB

              Download
            • memory/2324-127-0x0000000000000000-mapping.dmp
              Download
            • memory/2436-174-0x0000024A34F80000-0x0000024A34F82000-memory.dmp
              Filesize

              8KB

              Download
            • memory/2436-185-0x0000024A350B0000-0x0000024A35102000-memory.dmp
              Filesize

              328KB

              Download
            • memory/2436-193-0x0000024A34F80000-0x0000024A34F82000-memory.dmp
              Filesize

              8KB

              Download
            • memory/2436-190-0x0000024A4F276000-0x0000024A4F277000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2436-189-0x0000024A4F273000-0x0000024A4F275000-memory.dmp
              Filesize

              8KB

              Download
            • memory/2436-188-0x0000024A4F270000-0x0000024A4F272000-memory.dmp
              Filesize

              8KB

              Download
            • memory/2436-183-0x0000024A34F80000-0x0000024A34F82000-memory.dmp
              Filesize

              8KB

              Download
            • memory/2436-177-0x0000024A34F80000-0x0000024A34F82000-memory.dmp
              Filesize

              8KB

              Download
            • memory/2436-176-0x0000024A34FB0000-0x0000024A34FF0000-memory.dmp
              Filesize

              256KB

              Download
            • memory/2436-175-0x0000024A34FB0000-0x0000024A34FF0000-memory.dmp
              Filesize

              256KB

              Download
            • memory/2436-173-0x0000024A34F80000-0x0000024A34F82000-memory.dmp
              Filesize

              8KB

              Download
            • memory/2436-172-0x0000024A34F80000-0x0000024A34F82000-memory.dmp
              Filesize

              8KB

              Download
            • memory/2436-171-0x0000024A34F80000-0x0000024A34F82000-memory.dmp
              Filesize

              8KB

              Download
            • memory/2436-170-0x0000024A34D00000-0x0000024A34D1E000-memory.dmp
              Filesize

              120KB

              Download
            • memory/2436-169-0x0000000000000000-mapping.dmp
              Download
            • memory/2436-168-0x0000024A34CD0000-0x0000024A34CEA000-memory.dmp
              Filesize

              104KB

              Download
            • memory/2436-167-0x0000024A34C90000-0x0000024A34CCA000-memory.dmp
              Filesize

              232KB

              Download
            • memory/2692-196-0x0000022766E80000-0x0000022766EB1000-memory.dmp
              Filesize

              196KB

              Download
            • memory/2692-197-0x0000000000000000-mapping.dmp
              Download
            • memory/2892-115-0x0000000000000000-mapping.dmp
              Download
            • memory/3048-131-0x0000000000000000-mapping.dmp
              Download
            • memory/3104-156-0x00000274A9500000-0x00000274A9502000-memory.dmp
              Filesize

              8KB

              Download
            • memory/3104-149-0x00000274A9210000-0x00000274A924A000-memory.dmp
              Filesize

              232KB

              Download
            • memory/3104-155-0x00000274A9500000-0x00000274A9502000-memory.dmp
              Filesize

              8KB

              Download
            • memory/3104-154-0x00000274A9500000-0x00000274A9502000-memory.dmp
              Filesize

              8KB

              Download
            • memory/3104-152-0x00000274A9350000-0x00000274A936E000-memory.dmp
              Filesize

              120KB

              Download
            • memory/3104-153-0x00000274A9500000-0x00000274A9502000-memory.dmp
              Filesize

              8KB

              Download
            • memory/3104-151-0x0000000000000000-mapping.dmp
              Download
            • memory/3104-150-0x00000274A9250000-0x00000274A926A000-memory.dmp
              Filesize

              104KB

              Download
            • memory/3104-166-0x00000274C3610000-0x00000274C3662000-memory.dmp
              Filesize

              328KB

              Download
            • memory/3104-157-0x00000274A95B0000-0x00000274A95F0000-memory.dmp
              Filesize

              256KB

              Download
            • memory/3104-165-0x00000274A9500000-0x00000274A9502000-memory.dmp
              Filesize

              8KB

              Download
            • memory/3104-159-0x00000274A9500000-0x00000274A9502000-memory.dmp
              Filesize

              8KB

              Download
            • memory/3104-191-0x00000274A9500000-0x00000274A9502000-memory.dmp
              Filesize

              8KB

              Download
            • memory/3104-158-0x00000274A95B0000-0x00000274A95F0000-memory.dmp
              Filesize

              256KB

              Download
            • memory/3104-186-0x00000274C3603000-0x00000274C3605000-memory.dmp
              Filesize

              8KB

              Download
            • memory/3104-184-0x00000274C3600000-0x00000274C3602000-memory.dmp
              Filesize

              8KB

              Download
            • memory/3104-187-0x00000274C3606000-0x00000274C3607000-memory.dmp
              Filesize

              4KB

              Download
            • memory/3144-128-0x0000000000000000-mapping.dmp
              Download
            • memory/3408-143-0x0000000000000000-mapping.dmp
              Download
            • memory/3532-125-0x0000000001580000-0x00000000015C1000-memory.dmp
              Filesize

              260KB

              Download
            • memory/3532-120-0x00000000004C0000-0x0000000000574000-memory.dmp
              Filesize

              720KB

              Download
            • memory/3532-119-0x00000000004C0000-0x0000000000574000-memory.dmp
              Filesize

              720KB

              Download
            • memory/3532-116-0x0000000000000000-mapping.dmp
              Download
            • memory/3532-124-0x0000000003120000-0x0000000003122000-memory.dmp
              Filesize

              8KB

              Download
            • memory/3624-121-0x0000000000000000-mapping.dmp
              Download
            • memory/3732-144-0x0000000000000000-mapping.dmp
              Download
            • memory/3748-130-0x0000000000000000-mapping.dmp
              Download