cobaltstrike | 943b5a4ebb2fd89ebbd523fe751ca58ec1bccf0107f63385da39a29918c335aa

General

Target

aliyun.exe
Size

187KB
MD5

f216599fa211f9fa54e4bd40982537fe
SHA1

36f27fdc005737ab5b7b26bc791d94ece69256a9
SHA256

943b5a4ebb2fd89ebbd523fe751ca58ec1bccf0107f63385da39a29918c335aa
SHA512

cbee942a7d355c15765d9c9ff93d45be213bd4b1d5cbceb441399f5e150cc84966c027c1965f61a43d92e46dc5ff858162f1dc69392e3d84b221ae347b88c908

Score

10^/10

cobaltstrike 1 backdoor evasion trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

1

C2

http://service-nhlr0jfu-1259036304.gz.apigw.tencentcs.com:443/api/groovy

Attributes

access_type
512
beacon_type
2048
host
service-nhlr0jfu-1259036304.gz.apigw.tencentcs.com,/api/groovy
http_header1
AAAABwAAAAAAAAADAAAAAgAAAApTRVNTSU9OSUQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAABwAAAAAAAAADAAAAAgAAAAlKU0VTU0lPTj0AAAAGAAAABkNvb2tpZQAAAAcAAAABAAAAAwAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
3000
port_number
443
sc_process32
%windir%\syswow64\WerFault.exe
sc_process64
%windir%\sysnative\WerFault.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCHMO8y1wBCAjFbDB4YeNRRkTcqs19kCI4v83hQQdz4fzzBhu5JinovYNc0vrQC32y5DAPf9LcS4lpMkSopFeixUvRO4boT0+EiOPu5DIUHUwccExusG5w8jCn1b6dtf+8+9RZITmCxWW/bUhuUKNk+mWnlYLTw9HkpgiwmOqpA8wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.481970944e+09
unknown2
AAAABAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/api/package
user_agent
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Win64; x64; Trident/4.0)
watermark
1

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Sets file to hidden 1 TTPs 3 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exe

pid process

1976 attrib.exe
856 attrib.exe
996 attrib.exe

pid	process
1976	attrib.exe
856	attrib.exe
996	attrib.exe

Drops file in System32 directory 5 IoCs

Processes:

attrib.exealiyun.exeattrib.exe

description	ioc	process
File opened for modification	C:\Windows\System32\qwave.exe	attrib.exe
File created	C:\Windows\System32\qcap.exe	aliyun.exe
File opened for modification	C:\Windows\System32\qcap.exe	attrib.exe
File created	C:\Windows\System32\qwave.exe	aliyun.exe
File opened for modification	C:\Windows\System32\qwave.exe	aliyun.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

aliyun.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1580 wrote to memory of 1864	1580	aliyun.exe	cmd.exe
PID 1580 wrote to memory of 1864	1580	aliyun.exe	cmd.exe
PID 1580 wrote to memory of 1864	1580	aliyun.exe	cmd.exe
PID 1864 wrote to memory of 856	1864	cmd.exe	attrib.exe
PID 1864 wrote to memory of 856	1864	cmd.exe	attrib.exe
PID 1864 wrote to memory of 856	1864	cmd.exe	attrib.exe
PID 1580 wrote to memory of 1248	1580	aliyun.exe	cmd.exe
PID 1580 wrote to memory of 1248	1580	aliyun.exe	cmd.exe
PID 1580 wrote to memory of 1248	1580	aliyun.exe	cmd.exe
PID 1248 wrote to memory of 996	1248	cmd.exe	attrib.exe
PID 1248 wrote to memory of 996	1248	cmd.exe	attrib.exe
PID 1248 wrote to memory of 996	1248	cmd.exe	attrib.exe
PID 1580 wrote to memory of 1256	1580	aliyun.exe	WerFault.exe
PID 1580 wrote to memory of 1256	1580	aliyun.exe	WerFault.exe
PID 1580 wrote to memory of 1256	1580	aliyun.exe	WerFault.exe
PID 1580 wrote to memory of 1256	1580	aliyun.exe	WerFault.exe
PID 1580 wrote to memory of 1256	1580	aliyun.exe	WerFault.exe
PID 1580 wrote to memory of 1016	1580	aliyun.exe	cmd.exe
PID 1580 wrote to memory of 1016	1580	aliyun.exe	cmd.exe
PID 1580 wrote to memory of 1016	1580	aliyun.exe	cmd.exe
PID 1016 wrote to memory of 1976	1016	cmd.exe	attrib.exe
PID 1016 wrote to memory of 1976	1016	cmd.exe	attrib.exe
PID 1016 wrote to memory of 1976	1016	cmd.exe	attrib.exe
PID 1580 wrote to memory of 1824	1580	aliyun.exe	WerFault.exe
PID 1580 wrote to memory of 1824	1580	aliyun.exe	WerFault.exe
PID 1580 wrote to memory of 1824	1580	aliyun.exe	WerFault.exe
PID 1580 wrote to memory of 1824	1580	aliyun.exe	WerFault.exe
PID 1580 wrote to memory of 1824	1580	aliyun.exe	WerFault.exe
PID 1580 wrote to memory of 1708	1580	aliyun.exe	WerFault.exe
PID 1580 wrote to memory of 1708	1580	aliyun.exe	WerFault.exe
PID 1580 wrote to memory of 1708	1580	aliyun.exe	WerFault.exe
PID 1580 wrote to memory of 1708	1580	aliyun.exe	WerFault.exe
PID 1580 wrote to memory of 1708	1580	aliyun.exe	WerFault.exe

Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exe

pid process

856 attrib.exe
996 attrib.exe
1976 attrib.exe

pid	process
856	attrib.exe
996	attrib.exe
1976	attrib.exe

C:\Users\Admin\AppData\Local\Temp\aliyun.exe
"C:\Users\Admin\AppData\Local\Temp\aliyun.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C attrib +s +h C:\Windows\Temp\svchost.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1864

C:\Windows\system32\attrib.exe
attrib +s +h C:\Windows\Temp\svchost.exe
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C attrib +s +h C:\Windows\System32\qwave.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1248

C:\Windows\system32\attrib.exe
attrib +s +h C:\Windows\System32\qwave.exe
3⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:996

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe
2⤵
PID:1256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C attrib +s +h C:\Windows\System32\qcap.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1016

C:\Windows\system32\attrib.exe
attrib +s +h C:\Windows\System32\qcap.exe
3⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:1976

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe
2⤵
PID:1824

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe
2⤵
PID:1708

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

2

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

2

T1158

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\qcap.exe
Filesize
217KB

MD5
c77a5182acc530bd313f2d3c55fdaf96

SHA1
879c5be809c12640cb12d9596bbade46e935c84d

SHA256
ad2585cf8a5398884e97e37718798e459eb50c3118786df780898914f6859c8d

SHA512
b60d206f3701e5f5b21e318ca4c5f450e1cbe4d8e9ebd3fa5b19d8268c1c868d3d7475669c830e5d60c2c9550527539ca338332223e37f2e40c702060cc174a6

Download Submit
C:\Windows\System32\qwave.exe
Filesize
217KB

MD5
c77a5182acc530bd313f2d3c55fdaf96

SHA1
879c5be809c12640cb12d9596bbade46e935c84d

SHA256
ad2585cf8a5398884e97e37718798e459eb50c3118786df780898914f6859c8d

SHA512
b60d206f3701e5f5b21e318ca4c5f450e1cbe4d8e9ebd3fa5b19d8268c1c868d3d7475669c830e5d60c2c9550527539ca338332223e37f2e40c702060cc174a6

Download Submit
C:\Windows\Temp\svchost.exe
Filesize
217KB

MD5
c77a5182acc530bd313f2d3c55fdaf96

SHA1
879c5be809c12640cb12d9596bbade46e935c84d

SHA256
ad2585cf8a5398884e97e37718798e459eb50c3118786df780898914f6859c8d

SHA512
b60d206f3701e5f5b21e318ca4c5f450e1cbe4d8e9ebd3fa5b19d8268c1c868d3d7475669c830e5d60c2c9550527539ca338332223e37f2e40c702060cc174a6

Download Submit
memory/856-60-0x0000000000000000-mapping.dmp

Download
memory/996-63-0x0000000000000000-mapping.dmp

Download
memory/1016-75-0x0000000000000000-mapping.dmp

Download
memory/1248-62-0x0000000000000000-mapping.dmp

Download
memory/1256-70-0x00000000000A0000-0x00000000000BA000-memory.dmp

Filesize
104KB

Download
memory/1256-71-0x0000000000000000-mapping.dmp

Download
memory/1256-74-0x0000000001D90000-0x0000000001DD0000-memory.dmp

Filesize
256KB

Download
memory/1256-73-0x0000000000170000-0x000000000018E000-memory.dmp

Filesize
120KB

Download
memory/1256-65-0x0000000000060000-0x000000000009A000-memory.dmp

Filesize
232KB

Download
memory/1256-67-0x0000000000060000-0x000000000009A000-memory.dmp

Filesize
232KB

Download
memory/1256-68-0x00000000000A0000-0x00000000000BA000-memory.dmp

Filesize
104KB

Download
memory/1580-56-0x00000000038F0000-0x0000000003CF0000-memory.dmp

Filesize
4.0MB

Download
memory/1580-54-0x000007FEFBF01000-0x000007FEFBF03000-memory.dmp

Filesize
8KB

Download
memory/1580-57-0x0000000002F60000-0x000000000301C000-memory.dmp

Filesize
752KB

Download
memory/1580-58-0x00000000038F0000-0x0000000003CF0000-memory.dmp

Filesize
4.0MB

Download
memory/1580-55-0x0000000002F60000-0x000000000301C000-memory.dmp

Filesize
752KB

Download
memory/1708-97-0x0000000001DF0000-0x0000000001E42000-memory.dmp

Filesize
328KB

Download
memory/1708-94-0x0000000000000000-mapping.dmp

Download
memory/1708-93-0x00000000000A0000-0x00000000000BA000-memory.dmp

Filesize
104KB

Download
memory/1708-90-0x0000000000060000-0x000000000009A000-memory.dmp

Filesize
232KB

Download
memory/1824-86-0x0000000000190000-0x00000000001AE000-memory.dmp

Filesize
120KB

Download
memory/1824-84-0x0000000000000000-mapping.dmp

Download
memory/1824-87-0x0000000001C00000-0x0000000001C52000-memory.dmp

Filesize
328KB

Download
memory/1824-83-0x00000000000A0000-0x00000000000BA000-memory.dmp

Filesize
104KB

Download
memory/1824-80-0x0000000000060000-0x000000000009A000-memory.dmp

Filesize
232KB

Download
memory/1864-59-0x0000000000000000-mapping.dmp

Download
memory/1976-76-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing