Analysis
max time kernel: 145s
max time network: 152s
platform: windows7_x64
resource: win7-20220414-en
submitted: 30-06-2022 07:26
Static task: static1
Behavioral task: behavioral1
Sample: aliyun.exe
Resource: win7-20220414-en
General
Target: aliyun.exe
Size: 187KB
MD5: f216599fa211f9fa54e4bd40982537fe
SHA1: 36f27fdc005737ab5b7b26bc791d94ece69256a9
SHA256: 943b5a4ebb2fd89ebbd523fe751ca58ec1bccf0107f63385da39a29918c335aa
SHA512: cbee942a7d355c15765d9c9ff93d45be213bd4b1d5cbceb441399f5e150cc84966c027c1965f61a43d92e46dc5ff858162f1dc69392e3d84b221ae347b88c908
Malware Config
Extracted
cobaltstrike
1 http://service-nhlr0jfu-1259036304.gz.apigw.tencentcs.com:443/api/groovy
access_type: 512
beacon_type: 2048
host: service-nhlr0jfu-1259036304.gz.apigw.tencentcs.com,/api/groovy
http_header1: AAAABwAAAAAAAAADAAAAAgAAAApTRVNTSU9OSUQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2: AAAABwAAAAAAAAADAAAAAgAAAAlKU0VTU0lPTj0AAAAGAAAABkNvb2tpZQAAAAcAAAABAAAAAwAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1: GET
http_method2: POST
polling_time: 3000
port_number: 443
sc_process32: %windir%\syswow64\WerFault.exe
sc_process64: %windir%\sysnative\WerFault.exe
state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCHMO8y1wBCAjFbDB4YeNRRkTcqs19kCI4v83hQQdz4fzzBhu5JinovYNc0vrQC32y5DAPf9LcS4lpMkSopFeixUvRO4boT0+EiOPu5DIUHUwccExusG5w8jCn1b6dtf+8+9RZITmCxWW/bUhuUKNk+mWnlYLTw9HkpgiwmOqpA8wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 1.481970944e+09
unknown2: AAAABAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /api/package
user_agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Win64; x64; Trident/4.0)
watermark: 1
Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.

Sets file to hidden (1 TTPs, 3 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes:
pid   process
1976  attrib.exe
856   attrib.exe
996   attrib.exe

Drops file in System32 directory (5 IoCs)
Processes:
description                   ioc                            process
File opened for modification  C:\Windows\System32\qwave.exe  attrib.exe
File created                  C:\Windows\System32\qcap.exe   aliyun.exe
File opened for modification  C:\Windows\System32\qcap.exe   attrib.exe
File created                  C:\Windows\System32\qwave.exe  aliyun.exe
File opened for modification  C:\Windows\System32\qwave.exe  aliyun.exe

Suspicious use of WriteProcessMemory (33 IoCs)
Processes (identical rows collapsed; the count column gives the number of repeated entries, 33 in total):
description                       pid   process     target process  count
PID 1580 wrote to memory of 1864  1580  aliyun.exe  cmd.exe         3
PID 1864 wrote to memory of 856   1864  cmd.exe     attrib.exe      3
PID 1580 wrote to memory of 1248  1580  aliyun.exe  cmd.exe         3
PID 1248 wrote to memory of 996   1248  cmd.exe     attrib.exe      3
PID 1580 wrote to memory of 1256  1580  aliyun.exe  WerFault.exe    5
PID 1580 wrote to memory of 1016  1580  aliyun.exe  cmd.exe         3
PID 1016 wrote to memory of 1976  1016  cmd.exe     attrib.exe      3
PID 1580 wrote to memory of 1824  1580  aliyun.exe  WerFault.exe    5
PID 1580 wrote to memory of 1708  1580  aliyun.exe  WerFault.exe    5

Views/modifies file attributes (1 TTPs, 3 IoCs)
Processes:
pid   process
856   attrib.exe
996   attrib.exe
1976  attrib.exe
Processes (process tree; each entry lists the image path, then its command line, then the signatures matched)

C:\Users\Admin\AppData\Local\Temp\aliyun.exe
  "C:\Users\Admin\AppData\Local\Temp\aliyun.exe"
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /C attrib +s +h C:\Windows\Temp\svchost.exe
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\attrib.exe
      attrib +s +h C:\Windows\Temp\svchost.exe
      - Sets file to hidden
      - Views/modifies file attributes

  C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /C attrib +s +h C:\Windows\System32\qwave.exe
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\attrib.exe
      attrib +s +h C:\Windows\System32\qwave.exe
      - Sets file to hidden
      - Drops file in System32 directory
      - Views/modifies file attributes

  C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe

  C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /C attrib +s +h C:\Windows\System32\qcap.exe
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\attrib.exe
      attrib +s +h C:\Windows\System32\qcap.exe
      - Sets file to hidden
      - Drops file in System32 directory
      - Views/modifies file attributes

  C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe

  C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Windows\System32\qcap.exe
  Filesize: 217KB
  MD5: c77a5182acc530bd313f2d3c55fdaf96
  SHA1: 879c5be809c12640cb12d9596bbade46e935c84d
  SHA256: ad2585cf8a5398884e97e37718798e459eb50c3118786df780898914f6859c8d
  SHA512: b60d206f3701e5f5b21e318ca4c5f450e1cbe4d8e9ebd3fa5b19d8268c1c868d3d7475669c830e5d60c2c9550527539ca338332223e37f2e40c702060cc174a6

C:\Windows\System32\qwave.exe
  Filesize: 217KB
  MD5: c77a5182acc530bd313f2d3c55fdaf96
  SHA1: 879c5be809c12640cb12d9596bbade46e935c84d
  SHA256: ad2585cf8a5398884e97e37718798e459eb50c3118786df780898914f6859c8d
  SHA512: b60d206f3701e5f5b21e318ca4c5f450e1cbe4d8e9ebd3fa5b19d8268c1c868d3d7475669c830e5d60c2c9550527539ca338332223e37f2e40c702060cc174a6

C:\Windows\Temp\svchost.exe
  Filesize: 217KB
  MD5: c77a5182acc530bd313f2d3c55fdaf96
  SHA1: 879c5be809c12640cb12d9596bbade46e935c84d
  SHA256: ad2585cf8a5398884e97e37718798e459eb50c3118786df780898914f6859c8d
  SHA512: b60d206f3701e5f5b21e318ca4c5f450e1cbe4d8e9ebd3fa5b19d8268c1c868d3d7475669c830e5d60c2c9550527539ca338332223e37f2e40c702060cc174a6

Memory dumps (Filesize given where the report lists one):
memory/856-60-0x0000000000000000-mapping.dmp
memory/996-63-0x0000000000000000-mapping.dmp
memory/1016-75-0x0000000000000000-mapping.dmp
memory/1248-62-0x0000000000000000-mapping.dmp
memory/1256-70-0x00000000000A0000-0x00000000000BA000-memory.dmp  Filesize: 104KB
memory/1256-71-0x0000000000000000-mapping.dmp
memory/1256-74-0x0000000001D90000-0x0000000001DD0000-memory.dmp  Filesize: 256KB
memory/1256-73-0x0000000000170000-0x000000000018E000-memory.dmp  Filesize: 120KB
memory/1256-65-0x0000000000060000-0x000000000009A000-memory.dmp  Filesize: 232KB
memory/1256-67-0x0000000000060000-0x000000000009A000-memory.dmp  Filesize: 232KB
memory/1256-68-0x00000000000A0000-0x00000000000BA000-memory.dmp  Filesize: 104KB
memory/1580-56-0x00000000038F0000-0x0000000003CF0000-memory.dmp  Filesize: 4.0MB
memory/1580-54-0x000007FEFBF01000-0x000007FEFBF03000-memory.dmp  Filesize: 8KB
memory/1580-57-0x0000000002F60000-0x000000000301C000-memory.dmp  Filesize: 752KB
memory/1580-58-0x00000000038F0000-0x0000000003CF0000-memory.dmp  Filesize: 4.0MB
memory/1580-55-0x0000000002F60000-0x000000000301C000-memory.dmp  Filesize: 752KB
memory/1708-97-0x0000000001DF0000-0x0000000001E42000-memory.dmp  Filesize: 328KB
memory/1708-94-0x0000000000000000-mapping.dmp
memory/1708-93-0x00000000000A0000-0x00000000000BA000-memory.dmp  Filesize: 104KB
memory/1708-90-0x0000000000060000-0x000000000009A000-memory.dmp  Filesize: 232KB
memory/1824-86-0x0000000000190000-0x00000000001AE000-memory.dmp  Filesize: 120KB
memory/1824-84-0x0000000000000000-mapping.dmp
memory/1824-87-0x0000000001C00000-0x0000000001C52000-memory.dmp  Filesize: 328KB
memory/1824-83-0x00000000000A0000-0x00000000000BA000-memory.dmp  Filesize: 104KB
memory/1824-80-0x0000000000060000-0x000000000009A000-memory.dmp  Filesize: 232KB
memory/1864-59-0x0000000000000000-mapping.dmp
memory/1976-76-0x0000000000000000-mapping.dmp