Analysis
max time kernel: 142s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/08/2024, 21:30
Behavioral task
behavioral1
Sample
2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe
Resource
win7-20240704-en
General
Target: 2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe
Size: 5.2MB
MD5: e5f04693fd21e6635a071e3ace024253
SHA1: f0673324551b62e00266e0cc48ab559ca0609b81
SHA256: 0adc7117f2115f32df945e44ab2af9cabb5465db10904fd2fbe16ed472cbe7cb
SHA512: ae9f5323c88d9aa3b9eb47bec276dc2a7d3ec58827e75295f5da8183bf212cbcac2775cbaace71599349d0f23aaad107b9a2e7eb3877140dec4c0b287d6b1806
SSDEEP: 49152:ROdWCCi7/raA56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lN:RWWBibj56utgpPFotBER/mQ32lUx
Malware Config
Extracted
cobaltstrike
0
C2 URLs (the URI, the www.amazon.com Host header and the IE11 user agent below are those of the public amazon.profile from the Malleable C2 example profiles; the actual servers are ns7, ns8 and ns9.softline.top on TCP 443):
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host (server, GET URI pairs):
ns7.softline.top  /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
ns8.softline.top  /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
ns9.softline.top  /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1 (http-get client transform steps, packed and base64-encoded):
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2 (http-post client transform steps, same encoding):
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000 (milliseconds, i.e. a 5 s sleep)
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe (32-bit spawnto for post-exploitation jobs; the Cobalt Strike default)
sc_process64: %windir%\sysnative\rundll32.exe (64-bit spawnto; the Cobalt Strike default)
state_machine (extractor label; the value is a DER SubjectPublicKeyInfo holding the team server's 1024-bit RSA public key, zero-padded to the 256-byte setting):
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2:
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /N4215/adj/amzn.us.sr.aps (http-post URI)
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0 (no customer watermark; a zero watermark is typical of cracked or leaked builds)
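The two http_header blobs and the state_machine value above are opaque as printed. The script below is an editor's example added to this page, not part of the tria.ge report, and uses only the Python standard library: it unpacks the transform-step encoding (big-endian uint32 opcode, then either a uint32 argument or a length-prefixed string, opcode 0 terminating) back into Malleable C2 profile syntax, and walks the DER of the public key to pull out the RSA modulus and exponent plus a SHA-256 of the key that can be used to pivot between team servers. The opcode numbering follows public Beacon config parsers; the opcodes that do not occur on this page (netbios, strrep, mask and so on) are carried over from that convention as an assumption and are not exercised here. The three constants are copied from the config above.

```python
import base64
import hashlib
import struct

# Values copied from the extracted config above: the http-get and http-post client
# transforms and the "state_machine" field, which holds the DER-encoded RSA public key.
HTTP_HEADER1 = "AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="
HTTP_HEADER2 = "AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA=="
PUBLIC_KEY = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="

# Transform opcodes in the numbering used by public Beacon config parsers (assumption:
# only the opcodes present on this page are exercised; the rest are carried over as-is).
STEP_NAMES = {1: "append", 2: "prepend", 3: "base64", 4: "print", 5: "parameter",
              6: "header", 7: "build", 8: "netbios", 9: "const_parameter",
              10: "const_header", 11: "netbiosu", 12: "uri_append", 13: "base64url",
              14: "strrep", 15: "mask", 16: "const_host_header"}
STRING_ARG = {1, 2, 5, 6, 9, 10, 12, 16}                      # one length-prefixed string
ENDS_BLOCK = {"parameter", "header", "print", "uri_append"}  # closes a metadata/id/output block


def _b64(blob: str) -> bytes:
    """Decode base64 pasted from a report, tolerating missing or excess '=' padding."""
    blob = blob.strip().rstrip("=")
    return base64.b64decode(blob + "=" * (-len(blob) % 4))


def decode_transform(blob_b64: str, post: bool = False) -> list[tuple]:
    """Unpack http_header1/http_header2: big-endian uint32 opcode, then either a uint32
    argument (build) or a uint32 length plus bytes (string steps); opcode 0 terminates."""
    data, off, steps = _b64(blob_b64), 0, []

    def u32() -> int:
        nonlocal off
        (value,) = struct.unpack_from(">I", data, off)
        off += 4
        return value

    def string() -> str:
        nonlocal off
        length = u32()
        off += length
        return data[off - length:off].decode("latin-1")

    while off + 4 <= len(data):
        op = u32()
        if op == 0:
            break
        name = STEP_NAMES.get(op)
        if name is None:
            raise ValueError(f"unknown transform opcode {op} at offset {off - 4}")
        if op == 7:      # build: 0 = metadata (GET) or id (POST), 1 = output
            steps.append((name, {0: "id" if post else "metadata", 1: "output"}[u32()]))
        elif op == 14:   # strrep carries two strings
            steps.append((name, string(), string()))
        elif op in STRING_ARG:
            steps.append((name, string()))
        else:
            steps.append((name,))
    return steps


def render_profile(steps: list[tuple]) -> str:
    """Print decoded steps in Malleable C2 profile syntax (client side only)."""
    lines, indent = [], ""
    for name, *args in steps:
        if name == "const_header":
            key, _, value = args[0].partition(": ")
            lines.append(f'header "{key}" "{value}";')
        elif name == "const_parameter":
            key, _, value = args[0].partition("=")
            lines.append(f'parameter "{key}" "{value}";')
        elif name == "build":
            lines.append(f"{args[0]} {{")
            indent = "    "
        else:
            lines.append(indent + name + "".join(f' "{a}"' for a in args) + ";")
            if name in ENDS_BLOCK:
                lines.append("}")
                indent = ""
    return "\n".join(lines)


def beacon_public_key(blob_b64: str) -> tuple[int, int, str]:
    """Return (modulus, exponent, sha256 of the DER key) from the zero-padded
    SubjectPublicKeyInfo blob; the hash is a pivot for clustering team servers."""
    der = _b64(blob_b64)

    def tlv(off: int) -> tuple[int, int, int]:
        # Minimal DER reader: (tag, content offset, content length), short or long form.
        tag, first = der[off], der[off + 1]
        if first & 0x80:
            nbytes = first & 0x7F
            return tag, off + 2 + nbytes, int.from_bytes(der[off + 2:off + 2 + nbytes], "big")
        return tag, off + 2, first

    tag, off, spki_len = tlv(0)                 # SubjectPublicKeyInfo ::= SEQUENCE
    key_end = off + spki_len
    _, alg_off, alg_len = tlv(off)              # AlgorithmIdentifier (rsaEncryption), skipped
    tag, off, _ = tlv(alg_off + alg_len)        # BIT STRING; first content byte = unused bits
    if tag != 0x03 or der[off] != 0:
        raise ValueError("not a SubjectPublicKeyInfo BIT STRING")
    _, off, _ = tlv(off + 1)                    # RSAPublicKey ::= SEQUENCE
    _, n_off, n_len = tlv(off)                  # INTEGER modulus
    _, e_off, e_len = tlv(n_off + n_len)        # INTEGER publicExponent
    n = int.from_bytes(der[n_off:n_off + n_len], "big")
    e = int.from_bytes(der[e_off:e_off + e_len], "big")
    return n, e, hashlib.sha256(der[:key_end]).hexdigest()


if __name__ == "__main__":
    print(render_profile(decode_transform(HTTP_HEADER1)))
    print(render_profile(decode_transform(HTTP_HEADER2, post=True)))
    n, e, fingerprint = beacon_public_key(PUBLIC_KEY)
    print(f"RSA-{n.bit_length()} e={e} key sha256={fingerprint}")
```

Run as-is, the script prints the http-get client block (Accept and Host headers, then a metadata block that base64-encodes the session metadata, wraps it in session-token=, skin=noskin; and csm-hit=... and sends it in a Cookie header) and the http-post client block (the sn parameter carries the session id, the output is base64 in the body). Those are exactly the fields a network detection should key on, since the Host header and URI are fixed by the profile while the real server name only shows up in DNS and in the TLS/TCP connection. The key hash is worth storing: every Beacon built by the same team server embeds the same public key, so it links samples with different C2 hosts.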
Signatures
Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
resource (yara_rule cobalt_reflective_dll), one match per dropped file:
behavioral2/files/0x00090000000233d9-5.dat
behavioral2/files/0x000700000002343d-12.dat
behavioral2/files/0x000700000002343f-26.dat
behavioral2/files/0x0007000000023442-65.dat
behavioral2/files/0x0007000000023448-86.dat
behavioral2/files/0x000700000002344b-84.dat
behavioral2/files/0x000700000002344e-119.dat
behavioral2/files/0x000700000002344d-115.dat
behavioral2/files/0x000800000002343a-113.dat
behavioral2/files/0x000700000002344c-111.dat
behavioral2/files/0x000700000002344a-99.dat
behavioral2/files/0x0007000000023449-97.dat
behavioral2/files/0x0007000000023447-79.dat
behavioral2/files/0x0007000000023446-77.dat
behavioral2/files/0x0007000000023445-71.dat
behavioral2/files/0x0007000000023444-62.dat
behavioral2/files/0x0007000000023443-59.dat
behavioral2/files/0x0007000000023441-50.dat
behavioral2/files/0x0007000000023440-38.dat
behavioral2/files/0x000700000002343e-35.dat
behavioral2/files/0x0008000000023439-14.dat
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
XMRig Miner payload 45 IoCs
resource (yara_rule xmrig); the parent PID 1512 and all 21 child processes match, and every listed region is 0x351000 bytes long:
behavioral2/memory/3472-56-0x00007FF738370000-0x00007FF7386C1000-memory.dmp
behavioral2/memory/3056-105-0x00007FF75D5C0000-0x00007FF75D911000-memory.dmp
behavioral2/memory/3828-110-0x00007FF6B8B80000-0x00007FF6B8ED1000-memory.dmp
behavioral2/memory/1832-120-0x00007FF6A2B90000-0x00007FF6A2EE1000-memory.dmp
behavioral2/memory/4216-125-0x00007FF7A4670000-0x00007FF7A49C1000-memory.dmp
behavioral2/memory/2232-127-0x00007FF67BEC0000-0x00007FF67C211000-memory.dmp
behavioral2/memory/624-126-0x00007FF6A62F0000-0x00007FF6A6641000-memory.dmp
behavioral2/memory/2528-124-0x00007FF7A3020000-0x00007FF7A3371000-memory.dmp
behavioral2/memory/4940-123-0x00007FF6A13A0000-0x00007FF6A16F1000-memory.dmp
behavioral2/memory/1172-122-0x00007FF6B03F0000-0x00007FF6B0741000-memory.dmp
behavioral2/memory/4928-118-0x00007FF685390000-0x00007FF6856E1000-memory.dmp
behavioral2/memory/1116-109-0x00007FF6504C0000-0x00007FF650811000-memory.dmp
behavioral2/memory/2988-95-0x00007FF783AA0000-0x00007FF783DF1000-memory.dmp
behavioral2/memory/1328-68-0x00007FF6C4A30000-0x00007FF6C4D81000-memory.dmp
behavioral2/memory/3852-30-0x00007FF7290F0000-0x00007FF729441000-memory.dmp
behavioral2/memory/1332-133-0x00007FF741900000-0x00007FF741C51000-memory.dmp
behavioral2/memory/3784-147-0x00007FF708590000-0x00007FF7088E1000-memory.dmp
behavioral2/memory/1456-139-0x00007FF6DD2A0000-0x00007FF6DD5F1000-memory.dmp
behavioral2/memory/3416-138-0x00007FF7C2870000-0x00007FF7C2BC1000-memory.dmp
behavioral2/memory/2872-131-0x00007FF617B90000-0x00007FF617EE1000-memory.dmp
behavioral2/memory/1540-129-0x00007FF6F3100000-0x00007FF6F3451000-memory.dmp
behavioral2/memory/1512-128-0x00007FF727890000-0x00007FF727BE1000-memory.dmp
behavioral2/memory/1512-150-0x00007FF727890000-0x00007FF727BE1000-memory.dmp
behavioral2/memory/1512-172-0x00007FF727890000-0x00007FF727BE1000-memory.dmp
behavioral2/memory/3852-220-0x00007FF7290F0000-0x00007FF729441000-memory.dmp
behavioral2/memory/1540-218-0x00007FF6F3100000-0x00007FF6F3451000-memory.dmp
behavioral2/memory/2872-222-0x00007FF617B90000-0x00007FF617EE1000-memory.dmp
behavioral2/memory/3472-226-0x00007FF738370000-0x00007FF7386C1000-memory.dmp
behavioral2/memory/1172-230-0x00007FF6B03F0000-0x00007FF6B0741000-memory.dmp
behavioral2/memory/1332-228-0x00007FF741900000-0x00007FF741C51000-memory.dmp
behavioral2/memory/1328-236-0x00007FF6C4A30000-0x00007FF6C4D81000-memory.dmp
behavioral2/memory/3416-234-0x00007FF7C2870000-0x00007FF7C2BC1000-memory.dmp
behavioral2/memory/4216-240-0x00007FF7A4670000-0x00007FF7A49C1000-memory.dmp
behavioral2/memory/1456-238-0x00007FF6DD2A0000-0x00007FF6DD5F1000-memory.dmp
behavioral2/memory/3056-246-0x00007FF75D5C0000-0x00007FF75D911000-memory.dmp
behavioral2/memory/1116-248-0x00007FF6504C0000-0x00007FF650811000-memory.dmp
behavioral2/memory/3828-250-0x00007FF6B8B80000-0x00007FF6B8ED1000-memory.dmp
behavioral2/memory/4928-256-0x00007FF685390000-0x00007FF6856E1000-memory.dmp
behavioral2/memory/3784-254-0x00007FF708590000-0x00007FF7088E1000-memory.dmp
behavioral2/memory/2232-258-0x00007FF67BEC0000-0x00007FF67C211000-memory.dmp
behavioral2/memory/624-252-0x00007FF6A62F0000-0x00007FF6A6641000-memory.dmp
behavioral2/memory/2528-244-0x00007FF7A3020000-0x00007FF7A3371000-memory.dmp
behavioral2/memory/2988-242-0x00007FF783AA0000-0x00007FF783DF1000-memory.dmp
behavioral2/memory/4940-233-0x00007FF6A13A0000-0x00007FF6A16F1000-memory.dmp
behavioral2/memory/1832-224-0x00007FF6A2B90000-0x00007FF6A2EE1000-memory.dmp
Executes dropped EXE 21 IoCs
pid   Process
1540  VmdFlFw.exe
3852  HrWpwrh.exe
2872  LcfYgCA.exe
1832  fhSZPqD.exe
1332  FEWJGIU.exe
3472  FusaauG.exe
1172  JLKdRTp.exe
4940  mgojWoo.exe
3416  RAwdVxY.exe
1328  GKigUoY.exe
1456  vITKEXM.exe
2528  knZtTmh.exe
4216  xirjJCy.exe
2988  IAecJVM.exe
3056  XahukFI.exe
1116  VJiWsku.exe
3828  mLlRibA.exe
624   OvXjdPI.exe
3784  NvWXGFj.exe
4928  JlMsOKj.exe
2232  NMUuMfE.exe
upx (YARA rule match, UPX-packed image) 64 IoCs
resource (yara_rule upx); the sample itself, every dropped file and every process image match:
behavioral2/memory/1512-0-0x00007FF727890000-0x00007FF727BE1000-memory.dmp
behavioral2/files/0x00090000000233d9-5.dat
behavioral2/memory/1540-7-0x00007FF6F3100000-0x00007FF6F3451000-memory.dmp
behavioral2/files/0x000700000002343d-12.dat
behavioral2/files/0x000700000002343f-26.dat
behavioral2/memory/3472-56-0x00007FF738370000-0x00007FF7386C1000-memory.dmp
behavioral2/files/0x0007000000023442-65.dat
behavioral2/files/0x0007000000023448-86.dat
behavioral2/files/0x000700000002344b-84.dat
behavioral2/memory/3056-105-0x00007FF75D5C0000-0x00007FF75D911000-memory.dmp
behavioral2/memory/3828-110-0x00007FF6B8B80000-0x00007FF6B8ED1000-memory.dmp
behavioral2/memory/3784-117-0x00007FF708590000-0x00007FF7088E1000-memory.dmp
behavioral2/memory/1832-120-0x00007FF6A2B90000-0x00007FF6A2EE1000-memory.dmp
behavioral2/memory/4216-125-0x00007FF7A4670000-0x00007FF7A49C1000-memory.dmp
behavioral2/memory/2232-127-0x00007FF67BEC0000-0x00007FF67C211000-memory.dmp
behavioral2/memory/624-126-0x00007FF6A62F0000-0x00007FF6A6641000-memory.dmp
behavioral2/memory/2528-124-0x00007FF7A3020000-0x00007FF7A3371000-memory.dmp
behavioral2/memory/4940-123-0x00007FF6A13A0000-0x00007FF6A16F1000-memory.dmp
behavioral2/memory/1172-122-0x00007FF6B03F0000-0x00007FF6B0741000-memory.dmp
behavioral2/files/0x000700000002344e-119.dat
behavioral2/memory/4928-118-0x00007FF685390000-0x00007FF6856E1000-memory.dmp
behavioral2/files/0x000700000002344d-115.dat
behavioral2/files/0x000800000002343a-113.dat
behavioral2/files/0x000700000002344c-111.dat
behavioral2/memory/1116-109-0x00007FF6504C0000-0x00007FF650811000-memory.dmp
behavioral2/files/0x000700000002344a-99.dat
behavioral2/files/0x0007000000023449-97.dat
behavioral2/memory/2988-95-0x00007FF783AA0000-0x00007FF783DF1000-memory.dmp
behavioral2/memory/1456-91-0x00007FF6DD2A0000-0x00007FF6DD5F1000-memory.dmp
behavioral2/files/0x0007000000023447-79.dat
behavioral2/files/0x0007000000023446-77.dat
behavioral2/files/0x0007000000023445-71.dat
behavioral2/memory/1328-68-0x00007FF6C4A30000-0x00007FF6C4D81000-memory.dmp
behavioral2/files/0x0007000000023444-62.dat
behavioral2/memory/3416-57-0x00007FF7C2870000-0x00007FF7C2BC1000-memory.dmp
behavioral2/files/0x0007000000023443-59.dat
behavioral2/files/0x0007000000023441-50.dat
behavioral2/memory/1332-41-0x00007FF741900000-0x00007FF741C51000-memory.dmp
behavioral2/files/0x0007000000023440-38.dat
behavioral2/files/0x000700000002343e-35.dat
behavioral2/memory/3852-30-0x00007FF7290F0000-0x00007FF729441000-memory.dmp
behavioral2/memory/2872-17-0x00007FF617B90000-0x00007FF617EE1000-memory.dmp
behavioral2/files/0x0008000000023439-14.dat
behavioral2/memory/1332-133-0x00007FF741900000-0x00007FF741C51000-memory.dmp
behavioral2/memory/3784-147-0x00007FF708590000-0x00007FF7088E1000-memory.dmp
behavioral2/memory/1456-139-0x00007FF6DD2A0000-0x00007FF6DD5F1000-memory.dmp
behavioral2/memory/3416-138-0x00007FF7C2870000-0x00007FF7C2BC1000-memory.dmp
behavioral2/memory/2872-131-0x00007FF617B90000-0x00007FF617EE1000-memory.dmp
behavioral2/memory/1540-129-0x00007FF6F3100000-0x00007FF6F3451000-memory.dmp
behavioral2/memory/1512-128-0x00007FF727890000-0x00007FF727BE1000-memory.dmp
behavioral2/memory/1512-150-0x00007FF727890000-0x00007FF727BE1000-memory.dmp
behavioral2/memory/1512-172-0x00007FF727890000-0x00007FF727BE1000-memory.dmp
behavioral2/memory/3852-220-0x00007FF7290F0000-0x00007FF729441000-memory.dmp
behavioral2/memory/1540-218-0x00007FF6F3100000-0x00007FF6F3451000-memory.dmp
behavioral2/memory/2872-222-0x00007FF617B90000-0x00007FF617EE1000-memory.dmp
behavioral2/memory/3472-226-0x00007FF738370000-0x00007FF7386C1000-memory.dmp
behavioral2/memory/1172-230-0x00007FF6B03F0000-0x00007FF6B0741000-memory.dmp
behavioral2/memory/1332-228-0x00007FF741900000-0x00007FF741C51000-memory.dmp
behavioral2/memory/1328-236-0x00007FF6C4A30000-0x00007FF6C4D81000-memory.dmp
behavioral2/memory/3416-234-0x00007FF7C2870000-0x00007FF7C2BC1000-memory.dmp
behavioral2/memory/4216-240-0x00007FF7A4670000-0x00007FF7A49C1000-memory.dmp
behavioral2/memory/1456-238-0x00007FF6DD2A0000-0x00007FF6DD5F1000-memory.dmp
behavioral2/memory/3056-246-0x00007FF75D5C0000-0x00007FF75D911000-memory.dmp
behavioral2/memory/1116-248-0x00007FF6504C0000-0x00007FF650811000-memory.dmp
Drops file in Windows directory 21 IoCs
description: File created; Process: 2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe for every entry. Note the target directory: C:\Windows\System is the legacy 16-bit directory, not System32, and holds only a handful of legacy files on a modern install, so any new executable there is a cheap hunting indicator.
C:\Windows\System\JLKdRTp.exe
C:\Windows\System\mgojWoo.exe
C:\Windows\System\vITKEXM.exe
C:\Windows\System\VJiWsku.exe
C:\Windows\System\LcfYgCA.exe
C:\Windows\System\GKigUoY.exe
C:\Windows\System\IAecJVM.exe
C:\Windows\System\NvWXGFj.exe
C:\Windows\System\NMUuMfE.exe
C:\Windows\System\FusaauG.exe
C:\Windows\System\HrWpwrh.exe
C:\Windows\System\fhSZPqD.exe
C:\Windows\System\FEWJGIU.exe
C:\Windows\System\RAwdVxY.exe
C:\Windows\System\OvXjdPI.exe
C:\Windows\System\VmdFlFw.exe
C:\Windows\System\xirjJCy.exe
C:\Windows\System\XahukFI.exe
C:\Windows\System\mLlRibA.exe
C:\Windows\System\JlMsOKj.exe
C:\Windows\System\knZtTmh.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description: Token: SeLockMemoryPrivilege; pid 1512; Process 2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe (recorded twice).
SeLockMemoryPrivilege is what a process needs to allocate large pages; XMRig enables it for its RandomX dataset, so a request for it from anything that is not a database engine, hypervisor or similar large-page consumer is a useful miner indicator on its own.
Suspicious use of WriteProcessMemory 42 IoCs
description: PID 1512 (2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe) wrote to the memory of each of the 21 processes it started; every pair is recorded twice, giving 42 entries. Columns: target pid, procid_target.
1540  85
3852  86
2872  87
1832  88
1332  89
3472  90
1172  91
1328  92
4940  93
3416  94
1456  95
2528  96
4216  97
2988  98
3056  99
1116  100
3828  101
624   102
3784  103
4928  104
2232  105
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe  (PID 1512, level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe"
  signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  children (level 2; each is started with its own path as the command line and is flagged "Executes dropped EXE"):
    PID 1540  C:\Windows\System\VmdFlFw.exe
    PID 3852  C:\Windows\System\HrWpwrh.exe
    PID 2872  C:\Windows\System\LcfYgCA.exe
    PID 1832  C:\Windows\System\fhSZPqD.exe
    PID 1332  C:\Windows\System\FEWJGIU.exe
    PID 3472  C:\Windows\System\FusaauG.exe
    PID 1172  C:\Windows\System\JLKdRTp.exe
    PID 1328  C:\Windows\System\GKigUoY.exe
    PID 4940  C:\Windows\System\mgojWoo.exe
    PID 3416  C:\Windows\System\RAwdVxY.exe
    PID 1456  C:\Windows\System\vITKEXM.exe
    PID 2528  C:\Windows\System\knZtTmh.exe
    PID 4216  C:\Windows\System\xirjJCy.exe
    PID 2988  C:\Windows\System\IAecJVM.exe
    PID 3056  C:\Windows\System\XahukFI.exe
    PID 1116  C:\Windows\System\VJiWsku.exe
    PID 3828  C:\Windows\System\mLlRibA.exe
    PID 624   C:\Windows\System\OvXjdPI.exe
    PID 3784  C:\Windows\System\NvWXGFj.exe
    PID 4928  C:\Windows\System\JlMsOKj.exe
    PID 2232  C:\Windows\System\NMUuMfE.exe
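The file-create, dropped-EXE and WriteProcessMemory signatures above, read together with the process tree, describe one pattern: a process writes executables under C:\Windows and then launches each of them. The rule below is an added example, not code from the report or from tria.ge. It parses rows in the shape this report prints and returns the (parent pid, child pid, dropped path) triples where a spawned child's image was written by the same parent under a protected root. The sample rows are a constructed subset of this report's rows plus one harmless file-create row (notes.txt, invented here) that the rule has to ignore; on real telemetry the same logic applies to Sysmon process-create, file-create and process-access events once their fields are mapped to the same three shapes.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample input: a subset of the rows this report prints under "Drops file in
# Windows directory", "Executes dropped EXE" and "Suspicious use of WriteProcessMemory",
# plus one invented, harmless file-create row (notes.txt) that must not be flagged.
PARENT = "2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe"
SAMPLE_ROWS = f"""
File created C:\\Windows\\System\\VmdFlFw.exe {PARENT}
File created C:\\Windows\\System\\HrWpwrh.exe {PARENT}
File created C:\\Windows\\System\\LcfYgCA.exe {PARENT}
File created C:\\Users\\Admin\\AppData\\Local\\Temp\\notes.txt {PARENT}
1540 VmdFlFw.exe
3852 HrWpwrh.exe
2872 LcfYgCA.exe
PID 1512 wrote to memory of 1540 1512 {PARENT} 85
PID 1512 wrote to memory of 1540 1512 {PARENT} 85
PID 1512 wrote to memory of 3852 1512 {PARENT} 86
PID 1512 wrote to memory of 2872 1512 {PARENT} 87
"""

FILE_RE = re.compile(r"^File created (\S+) (\S+)$")                          # path, creator image
EXEC_RE = re.compile(r"^(\d+) (\S+)$")                                        # pid, image of dropped EXE
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) \d+$")  # writer, target, writer image


def parse_rows(text: str):
    """Index the three row types: paths per creator image, image per pid, targets per writer."""
    created = defaultdict(set)
    image_of = {}
    writes = defaultdict(set)
    writer_image = {}
    for line in text.strip().splitlines():
        if m := FILE_RE.match(line):
            created[m[2]].add(m[1])
        elif m := EXEC_RE.match(line):
            image_of[int(m[1])] = m[2]
        elif m := WRITE_RE.match(line):
            writes[int(m[1])].add(int(m[2]))
            writer_image[int(m[1])] = m[3]
    return created, image_of, writes, writer_image


def drop_and_spawn(text: str, protected_roots=("C:\\Windows\\",)) -> list[tuple[int, int, str]]:
    """Return (parent pid, child pid, path) for every child whose image the parent itself
    wrote under a protected root and that the parent then shows up writing memory into."""
    created, image_of, writes, writer_image = parse_rows(text)
    roots = tuple(r.lower() for r in protected_roots)
    findings = []
    for writer, targets in writes.items():
        # Executables this writer dropped in a protected location, keyed by file name.
        dropped = {ntpath.basename(p).lower(): p
                   for p in created.get(writer_image[writer], ())
                   if p.lower().startswith(roots)}
        for pid in sorted(targets):
            path = dropped.get(image_of.get(pid, "").lower())
            if path is not None:
                findings.append((writer, pid, path))
    return findings


if __name__ == "__main__":
    for parent, child, path in drop_and_spawn(SAMPLE_ROWS):
        print(f"PID {parent} dropped {path} and spawned it as PID {child}")
```

The duplicate WriteProcessMemory rows collapse into one finding per child because targets are kept in a set; the notes.txt row is dropped by the protected-root filter, and moving the root list to something that does not cover C:\Windows empties the result, which is the knob to tune when a legitimate installer trips the rule.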
Downloads
21 files, 5.2MB each (the same size as the submitted sample):

1.  MD5     41ca8e0732e7c0d78290e3715e5c52f0
    SHA1    3096e54046ac2d9acaec96599fbb909510fe9892
    SHA256  d79363cc9f9ed64ef2e906e6c5d80be4655000f76d800d37df574eadb8453086
    SHA512  fff1f822b7e7abb85e0240e9dde200794cbde6bd1c21c6d52ac44aebb69c751288b5933edbe21578c76ac821f3a65573cedc12e9a85fa433f74d4366d68d868f

2.  MD5     69d932b847c376e0da53da84ad12ff2d
    SHA1    d00eef3b0aee808b4f3446315cdd8812f25ad2cf
    SHA256  1062e5b02b8f4159a897b31380058e66c5ba2abbf4706dc5e7d3d70e7d1f42bf
    SHA512  d79213b7a725dd7903ff0532a594c5af37b3f13fc34913a822ad369c84c90d7cfcefbeca0ccca8a5add450d824e63522ef3569e0a49dd7a8d3b17f19bc34c748

3.  MD5     eeada16a851550b8f82abedd22f3adf3
    SHA1    b95c946e9ccc2278c8925a83495653fa09ceba7f
    SHA256  70cbfc601f3c526d7fcf83984935ab42762d350f4d9634af70842eeccf5ae76c
    SHA512  abf5d1fe4139fde66a9e8f76c4eda9e39e9475d187b47f23c8e4239a5fc0e180c0a4dc8d15ba5fe6a4048e41b6ade939998732c349566872db643be41f89f55e

4.  MD5     25cc1ac540e3231c6518299feba1a70c
    SHA1    b397974a43411f779a49a9fc42f4d9848a5e541c
    SHA256  1a1d290fc4b8bbda5ce792a53d112ee3c6e4aa0af78d00f2bac987cc182cb1b0
    SHA512  5ea90645fd6b7a1e4a7544437352dd6860c4d022264ad87652c0710cd75cfbd5f3a20500d5620f22ff17e7a6890cff79837893325ea589b2ee3f31e2093d83d0

5.  MD5     7bce583462bb86869a9eb5c3f3c81385
    SHA1    080a3ba8e08a042e9fe3137968ac75cca4ef6ac6
    SHA256  80ef5c3f3b29b64b396f5ba63fb2207b0baf0498d587ae134de72601bc9842c9
    SHA512  4496312d364fb4a2263330821f891951ca478897299b82c7dc6056d368911a7fe3567cda952f3d981e7baa08c6d7ebf242e8a5a478f685b5e01d9a9082aa36e5

6.  MD5     d40ed6926b3e62c87ea7b5408640a458
    SHA1    0512cdb2136ed0826d8e6f66c9783de6ec0b6a28
    SHA256  a2fe3580715e94b1d5ea7829a2f8f61d9d023516d1e9984fe4a1e721af3e4f18
    SHA512  a294261c1a4211933fcf16ae6372f1dde5fa7b779e75b9098fb3db77406cd97de173d19bc58ec755191aaf0a03036cde3eaeb4117e3cac75d78cb8835d050ae9

7.  MD5     38299120715a385b11ff2b441ac94c34
    SHA1    cb6b810e1dc4abb31c3f86239cb76eb7c405fa78
    SHA256  fd7db49b8aed37225d52820de5b512177d8812ccf011f405e21eff3106a06d02
    SHA512  2a953562b009945658508c5aa1113ae36de21604a98b7b384aee1a5cc26d528a1340e4fffdb46e1d5a0839a8141d459872c1662f13d38f6d7331772576a743e5

8.  MD5     5ced0a8d5a36cf93c36f7f55fbe22a2e
    SHA1    616946d8f3fcbcfbff3dc4bb8316cd885f0b08fc
    SHA256  f65d41d9778dba3219ccb5477109e87bf1e8f479d6f3a653d18d357fdfcf7a27
    SHA512  b2a712fd04a2df8c6f1a11877969b21031d05dd8f0c964e452d026b394ff635b45357aa697c18381630393bf2ede8548674d150957b35984d37d3b4765de8270

9.  MD5     efadf0eccba382c4e9094b72b18f8f48
    SHA1    a472c0851e395adb7616a5bd4c178cad531fad7b
    SHA256  b0987761d3aa52ff44bfa29f96064bb0feac4da2defcf065e8a43411af42d01c
    SHA512  e632afb8c9baeb6a5299c496dcf328c639610c52c8c0ee88e3e6fc20dd2561729ec768439d73850328da8e16dd6d3b168345d7acc4a0c282c21ebddec4ce07a6

10. MD5     9f4913d2e2415595d9c3f9a8a22bb720
    SHA1    91b1b8183dc19d15ebd6ff2d20542ed0784695f1
    SHA256  7266ee624b202358b17d9b4797757a8fe3d6941f7cb7d66c1aec94e59df61d05
    SHA512  a9a6893152bd29620fc512bf1f26f931471b18254c04a6d923176947d4e031d4cd9d8c690e2047e522b100ae5f86197399aebf8c390003c5bd10097b780fdd92

11. MD5     10e7df477027bf68f1a468fe70febdd8
    SHA1    af20b1dfc023850eab422ba15bc19da1b9d056ca
    SHA256  8d086fe4f58d06dfa51ffcc8bc3fabfaad3c48fad69d65ec1f016adadb1d62bf
    SHA512  5acbb80520002023a9c229f718ad31cba744f257a5c6101331f88e407b61fa42ed5e8a361716425d81c40131d4980012893f49e897b2d289178489c9a4e105ef

12. MD5     50cc22e30d665a73370e728273662789
    SHA1    578da1e64581e2ffe045754df4162e74186ee89e
    SHA256  aec5a674320abca9a23940559cc960d80627a70f534392106735abba46403c21
    SHA512  b82ba2d5be48ca9e4ecfae216c36bbc8e36f5ae36b46b0bf93c38b3ccdf7309e5a9de22c47cbbdee561934bc5ed718001ee6e8907f279b38fbc446e9f5aa964c

13. MD5     db9ffe93446c853c3be1572b0a8d5084
    SHA1    ba4abfa60d888a758340e6999efa452df6840074
    SHA256  6b6bc82223e578c1f23b1afd92c16b246b8b19b2d31a7fc82aad5909bd5a146f
    SHA512  1536c8d7edc42d22be8e3404e5e45244a5c5cf6c809056fb9ac548690a46fd4733cb398eb5e8de544d8fc56255abac21e577467e2db3ca4275417f67ed7cf129

14. MD5     1d6ae61b79dd29d5cf64691019b8c7da
    SHA1    575b0f0a1981a58861f16a9279baee6c8f76ae26
    SHA256  a7a81865df788d335566c26cae8ee899dbeb8884b3bf27a2f8eac53c7dec0438
    SHA512  70167183794cc173656bbb08f0ed7cc242032056af1eb872e3b954169fe564a10f91d0760279795b2436374452a78a4b21cae17fdc64ce6016c4d978d2c1b6fe

15. MD5     a0d97fe6451043292b9259a57799bf34
    SHA1    9d0b8c24d6126f66b11b38d71512639e0f1740d0
    SHA256  ea6ec688cdcc4b48efedd010148504dfeeb4bd6be342c9aae0bbe08e4f0a05fe
    SHA512  d44160ea6a75dfa8c1cd9987796cea302cb44fb33fd7ad7568d1d114b345fa82da00efbf6d8e6edaa885b597e6e9a14ceac9bf46d465832590f0d3dafa3807ee

16. MD5     a8e67751c413192c1961bf08fe7533a3
    SHA1    734bb165fb08566185b21d8a17113d285fb8215b
    SHA256  2c63a1a26a3764f64647548dfd4b5ab092048bc981a70f47446cddc953268676
    SHA512  8f1f137744de36b3fab2de25003267f1460114bd701fb3a4a999272249367251749f91361bccb45cff9748f2c104be74e54117dc8136f66aee424d205b8480a2

17. MD5     b2fd54ce73bec966a961bce56da5e916
    SHA1    51c032a0459123f829a1ec0d5e3ecab200909a8c
    SHA256  a6b5a0c8c926c9d91499e6317ed3b1b1f14283a661897b006bc79e9b1aa6c79d
    SHA512  51cd36b54705209ec71a5f56e29bd44cd64d1cdeef204aa82fe97ff8d8086f6a495fe5874aa87a458dd76ef17a9dcee4916f55259c82f05e8365a0e922c8eac8

18. MD5     ca57eacd498740f27fef40ad6497c330
    SHA1    4e88f704d4f01b5b07dd468065463c6a40b95186
    SHA256  c0f865974e137791b125108b7e157dfb3ad7fb5ae6f8a23828210ba128aa9ec6
    SHA512  4ec66a2e7e121eb863200999588de081f3c965abfc4a8023549ffefe60297b408a88098955e4c4a92844478c9fa22934b0a73bc9e2102d2efdde629869064b78

19. MD5     62ae09efdc59a8cf07e84cae618d3dc4
    SHA1    951d0aee29a45b07ebd03aecbbb32fac2d846a23
    SHA256  0e90418e17eef8a57decc59c67c1b09200d8d4673091d4feb8c53d44380c4127
    SHA512  08c4334fb85ae77e9f88f07504c45b27b97676b98b9def96c99be380104b68052d20311b53e42d947c4a0963b744a8a2d22c5ada844874a9d1ccba95497eb4a3

20. MD5     4e79c915ed1ff2761a711edb2721decd
    SHA1    89530eea95bc256ebe999f1a369e88781dc0e77c
    SHA256  ce3d0828dea500ad5a4a88ae22a412abb250f599318ea0818f73047d4549e1f4
    SHA512  5134f27bec137b0f54ce0ec3abdbc8d652af60f976f6d43cce1e8cd30d452f9146f45d60abcf908c3047fcebd55285509918c940dfcbe574a2a021c5c97d7a2d

21. MD5     9efdf32e581bf42cb82dcae58fce83d7
    SHA1    e2e128674a80a74e484601341728a16e360f25e2
    SHA256  270adea835bb370ba56f8c6e1fee25e270b427fef1345a8b1987eaef399df0d2
    SHA512  91fac3c8829fe0fc1ff56672116a51661137f61ca2766adc2b9b01c76af1ea939402ea392d4e38a5dadabafa92b0dc55fffff7bb20f030d156f93e7039dede5a