Analysis
- max time kernel: 145s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/08/2024, 21:27
Behavioral task
behavioral1
- Sample: 2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe
- Resource: win7-20240704-en
General
- Target: 2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe
- Size: 5.2MB
- MD5: de0d33ff2d524a170bec443015ea98a0
- SHA1: a740b6acd1e8c7810e8e7fc39173b3e5a2576583
- SHA256: 674787aabddeafed1b06a7a1ff5c0c476e3c99b1e49049cc91a809c497a6c62a
- SHA512: 27d0c8bafac1b2181f555cf5af2e99c7810a031aabc7f9c4efa78e83372c2311c71b15c894fbc1bf741ea6fdf9249818c6a2d35d5bc302051e58c0813f5cddfa
- SSDEEP: 49152:ROdWCCi7/raA56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l+:RWWBibj56utgpPFotBER/mQ32lUK
Malware Config
Extracted
cobaltstrike
0
- http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- access_type: 512
- beacon_type: 256
- create_remote_thread: 768
- crypto_scheme: 256
- host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http_header1: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_header2: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
- http_method1: GET
- http_method2: POST
- maxdns: 255
- pipe_name: \\%s\pipe\msagent_%x
- polling_time: 5000
- port_number: 443
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 4096
- unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /N4215/adj/amzn.us.sr.aps
- user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
- watermark: 0
Signatures
- Cobalt Strike reflective loader 21 IoCs
  Detects the reflective loader used by Cobalt Strike.
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- XMRig Miner payload 45 IoCs
- Executes dropped EXE 21 IoCs
  pid Process
  - 4708 zkLtQjT.exe
  - 4460 aSBVkKt.exe
  - 2836 zqNyXmM.exe
  - 3844 QqxBMqU.exe
  - 2488 TdjYpzS.exe
  - 3588 GPUXBBG.exe
  - 3468 TyvopfN.exe
  - 4680 FJaPouE.exe
  - 1080 pnJZpzg.exe
  - 3652 uaKMkcw.exe
  - 4064 oPmjucd.exe
  - 4776 UUzQeNB.exe
  - 5108 bUUjkJs.exe
  - 4384 VzClKcX.exe
  - 4848 JCVJMNG.exe
  - 5028 hCnNJVB.exe
  - 1728 RIRdNGu.exe
  - 232 IvbYajS.exe
  - 832 ZwBjDJa.exe
  - 4880 QxXmiCo.exe
  - 1668 qnkbAZM.exe
- Drops file in Windows directory 21 IoCs
  description ioc Process (Process in every entry: 2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe)
  - File created C:\Windows\System\aSBVkKt.exe
  - File created C:\Windows\System\GPUXBBG.exe
  - File created C:\Windows\System\pnJZpzg.exe
  - File created C:\Windows\System\zqNyXmM.exe
  - File created C:\Windows\System\uaKMkcw.exe
  - File created C:\Windows\System\VzClKcX.exe
  - File created C:\Windows\System\JCVJMNG.exe
  - File created C:\Windows\System\IvbYajS.exe
  - File created C:\Windows\System\UUzQeNB.exe
  - File created C:\Windows\System\bUUjkJs.exe
  - File created C:\Windows\System\RIRdNGu.exe
  - File created C:\Windows\System\qnkbAZM.exe
  - File created C:\Windows\System\ZwBjDJa.exe
  - File created C:\Windows\System\zkLtQjT.exe
  - File created C:\Windows\System\QqxBMqU.exe
  - File created C:\Windows\System\TdjYpzS.exe
  - File created C:\Windows\System\TyvopfN.exe
  - File created C:\Windows\System\FJaPouE.exe
  - File created C:\Windows\System\oPmjucd.exe
  - File created C:\Windows\System\hCnNJVB.exe
  - File created C:\Windows\System\QxXmiCo.exe
- Suspicious use of AdjustPrivilegeToken 2 IoCs
  description pid Process
  - Token: SeLockMemoryPrivilege, pid 972, 2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe
  - Token: SeLockMemoryPrivilege, pid 972, 2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe
- Suspicious use of WriteProcessMemory 42 IoCs
  description pid Process procid_target (pid 972 and Process 2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe in every entry)
  - PID 972 wrote to memory of 4708, procid_target 92
  - PID 972 wrote to memory of 4708, procid_target 92
  - PID 972 wrote to memory of 4460, procid_target 93
  - PID 972 wrote to memory of 4460, procid_target 93
  - PID 972 wrote to memory of 2836, procid_target 94
  - PID 972 wrote to memory of 2836, procid_target 94
  - PID 972 wrote to memory of 3844, procid_target 95
  - PID 972 wrote to memory of 3844, procid_target 95
  - PID 972 wrote to memory of 2488, procid_target 96
  - PID 972 wrote to memory of 2488, procid_target 96
  - PID 972 wrote to memory of 3588, procid_target 97
  - PID 972 wrote to memory of 3588, procid_target 97
  - PID 972 wrote to memory of 3468, procid_target 98
  - PID 972 wrote to memory of 3468, procid_target 98
  - PID 972 wrote to memory of 4680, procid_target 99
  - PID 972 wrote to memory of 4680, procid_target 99
  - PID 972 wrote to memory of 1080, procid_target 100
  - PID 972 wrote to memory of 1080, procid_target 100
  - PID 972 wrote to memory of 3652, procid_target 101
  - PID 972 wrote to memory of 3652, procid_target 101
  - PID 972 wrote to memory of 4064, procid_target 102
  - PID 972 wrote to memory of 4064, procid_target 102
  - PID 972 wrote to memory of 4776, procid_target 103
  - PID 972 wrote to memory of 4776, procid_target 103
  - PID 972 wrote to memory of 5108, procid_target 104
  - PID 972 wrote to memory of 5108, procid_target 104
  - PID 972 wrote to memory of 4384, procid_target 105
  - PID 972 wrote to memory of 4384, procid_target 105
  - PID 972 wrote to memory of 4848, procid_target 106
  - PID 972 wrote to memory of 4848, procid_target 106
  - PID 972 wrote to memory of 5028, procid_target 107
  - PID 972 wrote to memory of 5028, procid_target 107
  - PID 972 wrote to memory of 1728, procid_target 108
  - PID 972 wrote to memory of 1728, procid_target 108
  - PID 972 wrote to memory of 232, procid_target 109
  - PID 972 wrote to memory of 232, procid_target 109
  - PID 972 wrote to memory of 832, procid_target 113
  - PID 972 wrote to memory of 832, procid_target 113
  - PID 972 wrote to memory of 4880, procid_target 114
  - PID 972 wrote to memory of 4880, procid_target 114
  - PID 972 wrote to memory of 1668, procid_target 115
  - PID 972 wrote to memory of 1668, procid_target 115
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 972
  - C:\Windows\System\zkLtQjT.exe
    C:\Windows\System\zkLtQjT.exe
    - Executes dropped EXE
    PID: 4708
  - C:\Windows\System\aSBVkKt.exe
    C:\Windows\System\aSBVkKt.exe
    - Executes dropped EXE
    PID: 4460
  - C:\Windows\System\zqNyXmM.exe
    C:\Windows\System\zqNyXmM.exe
    - Executes dropped EXE
    PID: 2836
  - C:\Windows\System\QqxBMqU.exe
    C:\Windows\System\QqxBMqU.exe
    - Executes dropped EXE
    PID: 3844
  - C:\Windows\System\TdjYpzS.exe
    C:\Windows\System\TdjYpzS.exe
    - Executes dropped EXE
    PID: 2488
  - C:\Windows\System\GPUXBBG.exe
    C:\Windows\System\GPUXBBG.exe
    - Executes dropped EXE
    PID: 3588
  - C:\Windows\System\TyvopfN.exe
    C:\Windows\System\TyvopfN.exe
    - Executes dropped EXE
    PID: 3468
  - C:\Windows\System\FJaPouE.exe
    C:\Windows\System\FJaPouE.exe
    - Executes dropped EXE
    PID: 4680
  - C:\Windows\System\pnJZpzg.exe
    C:\Windows\System\pnJZpzg.exe
    - Executes dropped EXE
    PID: 1080
  - C:\Windows\System\uaKMkcw.exe
    C:\Windows\System\uaKMkcw.exe
    - Executes dropped EXE
    PID: 3652
  - C:\Windows\System\oPmjucd.exe
    C:\Windows\System\oPmjucd.exe
    - Executes dropped EXE
    PID: 4064
  - C:\Windows\System\UUzQeNB.exe
    C:\Windows\System\UUzQeNB.exe
    - Executes dropped EXE
    PID: 4776
  - C:\Windows\System\bUUjkJs.exe
    C:\Windows\System\bUUjkJs.exe
    - Executes dropped EXE
    PID: 5108
  - C:\Windows\System\VzClKcX.exe
    C:\Windows\System\VzClKcX.exe
    - Executes dropped EXE
    PID: 4384
  - C:\Windows\System\JCVJMNG.exe
    C:\Windows\System\JCVJMNG.exe
    - Executes dropped EXE
    PID: 4848
  - C:\Windows\System\hCnNJVB.exe
    C:\Windows\System\hCnNJVB.exe
    - Executes dropped EXE
    PID: 5028
  - C:\Windows\System\RIRdNGu.exe
    C:\Windows\System\RIRdNGu.exe
    - Executes dropped EXE
    PID: 1728
  - C:\Windows\System\IvbYajS.exe
    C:\Windows\System\IvbYajS.exe
    - Executes dropped EXE
    PID: 232
  - C:\Windows\System\ZwBjDJa.exe
    C:\Windows\System\ZwBjDJa.exe
    - Executes dropped EXE
    PID: 832
  - C:\Windows\System\QxXmiCo.exe
    C:\Windows\System\QxXmiCo.exe
    - Executes dropped EXE
    PID: 4880
  - C:\Windows\System\qnkbAZM.exe
    C:\Windows\System\qnkbAZM.exe
    - Executes dropped EXE
    PID: 1668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4336,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=3776 /prefetch:8
  PID: 464
Network
MITRE ATT&CK Matrix
Downloads