Analysis
- max time kernel: 147s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 30-06-2022 07:26
- Static task: static1
- Behavioral task: behavioral1
- Sample: aliyun.exe
- Resource: win7-20220414-en
General
- Target: aliyun.exe
- Size: 187KB
- MD5: f216599fa211f9fa54e4bd40982537fe
- SHA1: 36f27fdc005737ab5b7b26bc791d94ece69256a9
- SHA256: 943b5a4ebb2fd89ebbd523fe751ca58ec1bccf0107f63385da39a29918c335aa
- SHA512: cbee942a7d355c15765d9c9ff93d45be213bd4b1d5cbceb441399f5e150cc84966c027c1965f61a43d92e46dc5ff858162f1dc69392e3d84b221ae347b88c908
Malware Config
Extracted: cobaltstrike (1)
- C2: http://service-nhlr0jfu-1259036304.gz.apigw.tencentcs.com:443/api/groovy
- access_type: 512
- beacon_type: 2048
- host: service-nhlr0jfu-1259036304.gz.apigw.tencentcs.com,/api/groovy
- http_header1:
AAAABwAAAAAAAAADAAAAAgAAAApTRVNTSU9OSUQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
- http_header2:
AAAABwAAAAAAAAADAAAAAgAAAAlKU0VTU0lPTj0AAAAGAAAABkNvb2tpZQAAAAcAAAABAAAAAwAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
- http_method1: GET
- http_method2: POST
- polling_time: 3000
- port_number: 443
- sc_process32: %windir%\syswow64\WerFault.exe
- sc_process64: %windir%\sysnative\WerFault.exe
- state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCHMO8y1wBCAjFbDB4YeNRRkTcqs19kCI4v83hQQdz4fzzBhu5JinovYNc0vrQC32y5DAPf9LcS4lpMkSopFeixUvRO4boT0+EiOPu5DIUHUwccExusG5w8jCn1b6dtf+8+9RZITmCxWW/bUhuUKNk+mWnlYLTw9HkpgiwmOqpA8wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 1.481970944e+09
- unknown2:
AAAABAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /api/package
- user_agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Win64; x64; Trident/4.0)
- watermark: 1
Extracted: cobaltstrike (0)
- watermark: 0
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- Sets file to hidden (1 TTPs, 3 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  Processes:
    pid   process
    4600  attrib.exe
    2808  attrib.exe
    308   attrib.exe
- Drops file in System32 directory (5 IoCs)
  Processes:
    description                   ioc                             process
    File created                  C:\Windows\System32\qwave.exe   aliyun.exe
    File opened for modification  C:\Windows\System32\qwave.exe   aliyun.exe
    File opened for modification  C:\Windows\System32\qwave.exe   attrib.exe
    File created                  C:\Windows\System32\qcap.exe    aliyun.exe
    File opened for modification  C:\Windows\System32\qcap.exe    attrib.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes:
    description                        pid   process     target process
    PID 3196 wrote to memory of 4456   3196  aliyun.exe  cmd.exe
    PID 3196 wrote to memory of 4456   3196  aliyun.exe  cmd.exe
    PID 4456 wrote to memory of 4600   4456  cmd.exe     attrib.exe
    PID 4456 wrote to memory of 4600   4456  cmd.exe     attrib.exe
    PID 3196 wrote to memory of 4704   3196  aliyun.exe  cmd.exe
    PID 3196 wrote to memory of 4704   3196  aliyun.exe  cmd.exe
    PID 4704 wrote to memory of 2808   4704  cmd.exe     attrib.exe
    PID 4704 wrote to memory of 2808   4704  cmd.exe     attrib.exe
    PID 3196 wrote to memory of 2820   3196  aliyun.exe  WerFault.exe
    PID 3196 wrote to memory of 2820   3196  aliyun.exe  WerFault.exe
    PID 3196 wrote to memory of 2820   3196  aliyun.exe  WerFault.exe
    PID 3196 wrote to memory of 2820   3196  aliyun.exe  WerFault.exe
    PID 3196 wrote to memory of 4188   3196  aliyun.exe  cmd.exe
    PID 3196 wrote to memory of 4188   3196  aliyun.exe  cmd.exe
    PID 4188 wrote to memory of 308    4188  cmd.exe     attrib.exe
    PID 4188 wrote to memory of 308    4188  cmd.exe     attrib.exe
    PID 3196 wrote to memory of 348    3196  aliyun.exe  WerFault.exe
    PID 3196 wrote to memory of 348    3196  aliyun.exe  WerFault.exe
    PID 3196 wrote to memory of 348    3196  aliyun.exe  WerFault.exe
    PID 3196 wrote to memory of 348    3196  aliyun.exe  WerFault.exe
    PID 3196 wrote to memory of 2560   3196  aliyun.exe  WerFault.exe
    PID 3196 wrote to memory of 2560   3196  aliyun.exe  WerFault.exe
    PID 3196 wrote to memory of 2560   3196  aliyun.exe  WerFault.exe
    PID 3196 wrote to memory of 2560   3196  aliyun.exe  WerFault.exe
- Views/modifies file attributes (1 TTPs, 3 IoCs)
  Processes:
    pid   process
    2808  attrib.exe
    308   attrib.exe
    4600  attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\aliyun.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\aliyun.exe"
  Signatures: Drops file in System32 directory; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /C attrib +s +h C:\Windows\Temp\svchost.exe
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\attrib.exe
      Command line: attrib +s +h C:\Windows\Temp\svchost.exe
      Signatures: Sets file to hidden; Views/modifies file attributes
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /C attrib +s +h C:\Windows\System32\qwave.exe
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\attrib.exe
      Command line: attrib +s +h C:\Windows\System32\qwave.exe
      Signatures: Sets file to hidden; Drops file in System32 directory; Views/modifies file attributes
  - C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /C attrib +s +h C:\Windows\System32\qcap.exe
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\attrib.exe
      Command line: attrib +s +h C:\Windows\System32\qcap.exe
      Signatures: Sets file to hidden; Drops file in System32 directory; Views/modifies file attributes
  - C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe
  - C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WerFault.exe.log
  Filesize: 454B
  MD5: 36045bba1a33c0d5fac07bf65e4b3dd7
  SHA1: 2718ba581981a68e07083f35442fe5afe709457e
  SHA256: d87cb9b06b0fed485cae4e76ba48d5dc83add0b186ea09358d4252e463069634
  SHA512: 63b7b80d30f63a1b61ea32a740109152ca448570472ae2683fab2aa759809d4718c9d100c2b96f0369fb39eade9fddefdf41608caa4029ac60bc055f803c9857
- C:\Windows\System32\qcap.exe
  Filesize: 217KB
  MD5: c77a5182acc530bd313f2d3c55fdaf96
  SHA1: 879c5be809c12640cb12d9596bbade46e935c84d
  SHA256: ad2585cf8a5398884e97e37718798e459eb50c3118786df780898914f6859c8d
  SHA512: b60d206f3701e5f5b21e318ca4c5f450e1cbe4d8e9ebd3fa5b19d8268c1c868d3d7475669c830e5d60c2c9550527539ca338332223e37f2e40c702060cc174a6
- C:\Windows\System32\qwave.exe
  Filesize: 217KB
  MD5: c77a5182acc530bd313f2d3c55fdaf96
  SHA1: 879c5be809c12640cb12d9596bbade46e935c84d
  SHA256: ad2585cf8a5398884e97e37718798e459eb50c3118786df780898914f6859c8d
  SHA512: b60d206f3701e5f5b21e318ca4c5f450e1cbe4d8e9ebd3fa5b19d8268c1c868d3d7475669c830e5d60c2c9550527539ca338332223e37f2e40c702060cc174a6
- C:\Windows\Temp\svchost.exe
  Filesize: 217KB
  MD5: c77a5182acc530bd313f2d3c55fdaf96
  SHA1: 879c5be809c12640cb12d9596bbade46e935c84d
  SHA256: ad2585cf8a5398884e97e37718798e459eb50c3118786df780898914f6859c8d
  SHA512: b60d206f3701e5f5b21e318ca4c5f450e1cbe4d8e9ebd3fa5b19d8268c1c868d3d7475669c830e5d60c2c9550527539ca338332223e37f2e40c702060cc174a6
- memory/308-145-0x0000000000000000-mapping.dmp
- memory/348-152-0x00007FF9AC6F0000-0x00007FF9AD1B1000-memory.dmp (Filesize: 10.8MB)
- memory/348-155-0x00007FF9AC6F0000-0x00007FF9AD1B1000-memory.dmp (Filesize: 10.8MB)
- memory/348-151-0x0000021B5E800000-0x0000021B5E81E000-memory.dmp (Filesize: 120KB)
- memory/348-149-0x0000000000000000-mapping.dmp
- memory/348-148-0x0000021B5E6D0000-0x0000021B5E6EA000-memory.dmp (Filesize: 104KB)
- memory/348-147-0x0000021B5E690000-0x0000021B5E6CA000-memory.dmp (Filesize: 232KB)
- memory/2560-161-0x00007FF9AC6F0000-0x00007FF9AD1B1000-memory.dmp (Filesize: 10.8MB)
- memory/2560-160-0x00007FF9AC6F0000-0x00007FF9AD1B1000-memory.dmp (Filesize: 10.8MB)
- memory/2560-158-0x0000000000000000-mapping.dmp
- memory/2560-157-0x00000233BEAC0000-0x00000233BEADA000-memory.dmp (Filesize: 104KB)
- memory/2560-156-0x00000233BEA80000-0x00000233BEABA000-memory.dmp (Filesize: 232KB)
- memory/2808-138-0x0000000000000000-mapping.dmp
- memory/2820-153-0x00007FF9AC6F0000-0x00007FF9AD1B1000-memory.dmp (Filesize: 10.8MB)
- memory/2820-141-0x000002BB884A0000-0x000002BB884BA000-memory.dmp (Filesize: 104KB)
- memory/2820-142-0x0000000000000000-mapping.dmp
- memory/2820-140-0x000002BB88460000-0x000002BB8849A000-memory.dmp (Filesize: 232KB)
- memory/2820-150-0x00007FF9AC6F0000-0x00007FF9AD1B1000-memory.dmp (Filesize: 10.8MB)
- memory/3196-132-0x0000000003850000-0x000000000390C000-memory.dmp (Filesize: 752KB)
- memory/3196-131-0x0000000003450000-0x0000000003850000-memory.dmp (Filesize: 4.0MB)
- memory/3196-135-0x0000000003450000-0x0000000003850000-memory.dmp (Filesize: 4.0MB)
- memory/3196-130-0x0000000003850000-0x000000000390C000-memory.dmp (Filesize: 752KB)
- memory/4188-144-0x0000000000000000-mapping.dmp
- memory/4456-133-0x0000000000000000-mapping.dmp
- memory/4600-134-0x0000000000000000-mapping.dmp
- memory/4704-137-0x0000000000000000-mapping.dmp