cobaltstrike | 943b5a4ebb2fd89ebbd523fe751ca58ec1bccf0107f63385da39a29918c335aa

General

Target

aliyun.exe
Size

187KB
MD5

f216599fa211f9fa54e4bd40982537fe
SHA1

36f27fdc005737ab5b7b26bc791d94ece69256a9
SHA256

943b5a4ebb2fd89ebbd523fe751ca58ec1bccf0107f63385da39a29918c335aa
SHA512

cbee942a7d355c15765d9c9ff93d45be213bd4b1d5cbceb441399f5e150cc84966c027c1965f61a43d92e46dc5ff858162f1dc69392e3d84b221ae347b88c908

Score

10^/10

cobaltstrike 0 1 backdoor evasion trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

1

C2

http://service-nhlr0jfu-1259036304.gz.apigw.tencentcs.com:443/api/groovy

Attributes

access_type
512
beacon_type
2048
host
service-nhlr0jfu-1259036304.gz.apigw.tencentcs.com,/api/groovy
http_header1
AAAABwAAAAAAAAADAAAAAgAAAApTRVNTSU9OSUQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAABwAAAAAAAAADAAAAAgAAAAlKU0VTU0lPTj0AAAAGAAAABkNvb2tpZQAAAAcAAAABAAAAAwAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
3000
port_number
443
sc_process32
%windir%\syswow64\WerFault.exe
sc_process64
%windir%\sysnative\WerFault.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCHMO8y1wBCAjFbDB4YeNRRkTcqs19kCI4v83hQQdz4fzzBhu5JinovYNc0vrQC32y5DAPf9LcS4lpMkSopFeixUvRO4boT0+EiOPu5DIUHUwccExusG5w8jCn1b6dtf+8+9RZITmCxWW/bUhuUKNk+mWnlYLTw9HkpgiwmOqpA8wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.481970944e+09
unknown2
AAAABAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/api/package
user_agent
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Win64; x64; Trident/4.0)
watermark
1

Extracted

Family

cobaltstrike

Botnet

0

Attributes

watermark
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Sets file to hidden 1 TTPs 3 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exe

pid process

4600 attrib.exe
2808 attrib.exe
308 attrib.exe

pid	process
4600	attrib.exe
2808	attrib.exe
308	attrib.exe

Drops file in System32 directory 5 IoCs

Processes:

aliyun.exeattrib.exeattrib.exe

description	ioc	process
File created	C:\Windows\System32\qwave.exe	aliyun.exe
File opened for modification	C:\Windows\System32\qwave.exe	aliyun.exe
File opened for modification	C:\Windows\System32\qwave.exe	attrib.exe
File created	C:\Windows\System32\qcap.exe	aliyun.exe
File opened for modification	C:\Windows\System32\qcap.exe	attrib.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

aliyun.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3196 wrote to memory of 4456	3196	aliyun.exe	cmd.exe
PID 3196 wrote to memory of 4456	3196	aliyun.exe	cmd.exe
PID 4456 wrote to memory of 4600	4456	cmd.exe	attrib.exe
PID 4456 wrote to memory of 4600	4456	cmd.exe	attrib.exe
PID 3196 wrote to memory of 4704	3196	aliyun.exe	cmd.exe
PID 3196 wrote to memory of 4704	3196	aliyun.exe	cmd.exe
PID 4704 wrote to memory of 2808	4704	cmd.exe	attrib.exe
PID 4704 wrote to memory of 2808	4704	cmd.exe	attrib.exe
PID 3196 wrote to memory of 2820	3196	aliyun.exe	WerFault.exe
PID 3196 wrote to memory of 2820	3196	aliyun.exe	WerFault.exe
PID 3196 wrote to memory of 2820	3196	aliyun.exe	WerFault.exe
PID 3196 wrote to memory of 2820	3196	aliyun.exe	WerFault.exe
PID 3196 wrote to memory of 4188	3196	aliyun.exe	cmd.exe
PID 3196 wrote to memory of 4188	3196	aliyun.exe	cmd.exe
PID 4188 wrote to memory of 308	4188	cmd.exe	attrib.exe
PID 4188 wrote to memory of 308	4188	cmd.exe	attrib.exe
PID 3196 wrote to memory of 348	3196	aliyun.exe	WerFault.exe
PID 3196 wrote to memory of 348	3196	aliyun.exe	WerFault.exe
PID 3196 wrote to memory of 348	3196	aliyun.exe	WerFault.exe
PID 3196 wrote to memory of 348	3196	aliyun.exe	WerFault.exe
PID 3196 wrote to memory of 2560	3196	aliyun.exe	WerFault.exe
PID 3196 wrote to memory of 2560	3196	aliyun.exe	WerFault.exe
PID 3196 wrote to memory of 2560	3196	aliyun.exe	WerFault.exe
PID 3196 wrote to memory of 2560	3196	aliyun.exe	WerFault.exe

Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exe

pid process

2808 attrib.exe
308 attrib.exe
4600 attrib.exe

pid	process
2808	attrib.exe
308	attrib.exe
4600	attrib.exe

C:\Users\Admin\AppData\Local\Temp\aliyun.exe
"C:\Users\Admin\AppData\Local\Temp\aliyun.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C attrib +s +h C:\Windows\Temp\svchost.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4456

C:\Windows\system32\attrib.exe
attrib +s +h C:\Windows\Temp\svchost.exe
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C attrib +s +h C:\Windows\System32\qwave.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4704

C:\Windows\system32\attrib.exe
attrib +s +h C:\Windows\System32\qwave.exe
3⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2808

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe
2⤵
PID:2820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C attrib +s +h C:\Windows\System32\qcap.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4188

C:\Windows\system32\attrib.exe
attrib +s +h C:\Windows\System32\qcap.exe
3⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:308

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe
2⤵
PID:348

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe
2⤵
PID:2560

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

2

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

2

T1158

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WerFault.exe.log
Filesize
454B

MD5
36045bba1a33c0d5fac07bf65e4b3dd7

SHA1
2718ba581981a68e07083f35442fe5afe709457e

SHA256
d87cb9b06b0fed485cae4e76ba48d5dc83add0b186ea09358d4252e463069634

SHA512
63b7b80d30f63a1b61ea32a740109152ca448570472ae2683fab2aa759809d4718c9d100c2b96f0369fb39eade9fddefdf41608caa4029ac60bc055f803c9857

Download Submit
C:\Windows\System32\qcap.exe
Filesize
217KB

MD5
c77a5182acc530bd313f2d3c55fdaf96

SHA1
879c5be809c12640cb12d9596bbade46e935c84d

SHA256
ad2585cf8a5398884e97e37718798e459eb50c3118786df780898914f6859c8d

SHA512
b60d206f3701e5f5b21e318ca4c5f450e1cbe4d8e9ebd3fa5b19d8268c1c868d3d7475669c830e5d60c2c9550527539ca338332223e37f2e40c702060cc174a6

Download Submit
C:\Windows\System32\qwave.exe
Filesize
217KB

MD5
c77a5182acc530bd313f2d3c55fdaf96

SHA1
879c5be809c12640cb12d9596bbade46e935c84d

SHA256
ad2585cf8a5398884e97e37718798e459eb50c3118786df780898914f6859c8d

SHA512
b60d206f3701e5f5b21e318ca4c5f450e1cbe4d8e9ebd3fa5b19d8268c1c868d3d7475669c830e5d60c2c9550527539ca338332223e37f2e40c702060cc174a6

Download Submit
C:\Windows\Temp\svchost.exe
Filesize
217KB

MD5
c77a5182acc530bd313f2d3c55fdaf96

SHA1
879c5be809c12640cb12d9596bbade46e935c84d

SHA256
ad2585cf8a5398884e97e37718798e459eb50c3118786df780898914f6859c8d

SHA512
b60d206f3701e5f5b21e318ca4c5f450e1cbe4d8e9ebd3fa5b19d8268c1c868d3d7475669c830e5d60c2c9550527539ca338332223e37f2e40c702060cc174a6

Download Submit
memory/308-145-0x0000000000000000-mapping.dmp

Download
memory/348-152-0x00007FF9AC6F0000-0x00007FF9AD1B1000-memory.dmp

Filesize
10.8MB

Download
memory/348-155-0x00007FF9AC6F0000-0x00007FF9AD1B1000-memory.dmp

Filesize
10.8MB

Download
memory/348-151-0x0000021B5E800000-0x0000021B5E81E000-memory.dmp

Filesize
120KB

Download
memory/348-149-0x0000000000000000-mapping.dmp

Download
memory/348-148-0x0000021B5E6D0000-0x0000021B5E6EA000-memory.dmp

Filesize
104KB

Download
memory/348-147-0x0000021B5E690000-0x0000021B5E6CA000-memory.dmp

Filesize
232KB

Download
memory/2560-161-0x00007FF9AC6F0000-0x00007FF9AD1B1000-memory.dmp

Filesize
10.8MB

Download
memory/2560-160-0x00007FF9AC6F0000-0x00007FF9AD1B1000-memory.dmp

Filesize
10.8MB

Download
memory/2560-158-0x0000000000000000-mapping.dmp

Download
memory/2560-157-0x00000233BEAC0000-0x00000233BEADA000-memory.dmp

Filesize
104KB

Download
memory/2560-156-0x00000233BEA80000-0x00000233BEABA000-memory.dmp

Filesize
232KB

Download
memory/2808-138-0x0000000000000000-mapping.dmp

Download
memory/2820-153-0x00007FF9AC6F0000-0x00007FF9AD1B1000-memory.dmp

Filesize
10.8MB

Download
memory/2820-141-0x000002BB884A0000-0x000002BB884BA000-memory.dmp

Filesize
104KB

Download
memory/2820-142-0x0000000000000000-mapping.dmp

Download
memory/2820-140-0x000002BB88460000-0x000002BB8849A000-memory.dmp

Filesize
232KB

Download
memory/2820-150-0x00007FF9AC6F0000-0x00007FF9AD1B1000-memory.dmp

Filesize
10.8MB

Download
memory/3196-132-0x0000000003850000-0x000000000390C000-memory.dmp

Filesize
752KB

Download
memory/3196-131-0x0000000003450000-0x0000000003850000-memory.dmp

Filesize
4.0MB

Download
memory/3196-135-0x0000000003450000-0x0000000003850000-memory.dmp

Filesize
4.0MB

Download
memory/3196-130-0x0000000003850000-0x000000000390C000-memory.dmp

Filesize
752KB

Download
memory/4188-144-0x0000000000000000-mapping.dmp

Download
memory/4456-133-0x0000000000000000-mapping.dmp

Download
memory/4600-134-0x0000000000000000-mapping.dmp

Download
memory/4704-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads