Analysis
-
max time kernel
149s
-
max time network
150s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240802-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
14/08/2024, 21:11
Behavioral task
behavioral1
Sample
2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe
Resource
win7-20240705-en
General
-
Target
2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe
-
Size
5.2MB
-
MD5
87b61319968f7d15ebfa7ff2b9a69e11
-
SHA1
bab34f070ef718f990e5ac26040250dcf7579532
-
SHA256
b6d478b326a90461758c16bb85576639a741f7b9be17c7eed8e54438b06183ed
-
SHA512
7ea26a859f7b1a1e06288eaf8704a5a741577820d451016f9ef8bff06062b5df0d7229520c828c78e59b4349c841cb09ee0120695c5d02647938474bc24afa34
-
SSDEEP
49152:ROdWCCi7/raA56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l8:RWWBibj56utgpPFotBER/mQ32lUI
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
-
access_type
512
-
beacon_type
256
-
create_remote_thread
768
-
crypto_scheme
256
-
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
-
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
-
http_method1
GET
-
http_method2
POST
-
maxdns
255
-
pipe_name
\\%s\pipe\msagent_%x
-
polling_time
5000
-
port_number
443
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/N4215/adj/amzn.us.sr.aps
-
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
-
watermark
0
Signatures
-
Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
XMRig Miner payload 45 IoCs
-
Executes dropped EXE 21 IoCs
pid | Process
4708 | kfXPvyL.exe
940 | mkYqGZj.exe
4596 | KagAAKl.exe
2900 | JrKSElV.exe
3144 | BDsAFdC.exe
4640 | XJTnvme.exe
2184 | UFoxNzv.exe
4304 | GQVbFzX.exe
2644 | QBrwvjS.exe
3244 | FWgBVWg.exe
2064 | qUAHtzo.exe
4872 | dGwktad.exe
2204 | jIppHbK.exe
2432 | xvbLKLx.exe
3936 | lqDgbBq.exe
348 | BTtJgEq.exe
4216 | RQdTfSJ.exe
4908 | JYFgDFR.exe
1960 | iTFEtzG.exe
4308 | SRwbKdR.exe
400 | ztLOoNs.exe
-
Drops file in Windows directory 21 IoCs
Process (all rows): 2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe
description | ioc
File created | C:\Windows\System\kfXPvyL.exe
File created | C:\Windows\System\mkYqGZj.exe
File created | C:\Windows\System\BDsAFdC.exe
File created | C:\Windows\System\FWgBVWg.exe
File created | C:\Windows\System\dGwktad.exe
File created | C:\Windows\System\iTFEtzG.exe
File created | C:\Windows\System\QBrwvjS.exe
File created | C:\Windows\System\UFoxNzv.exe
File created | C:\Windows\System\GQVbFzX.exe
File created | C:\Windows\System\qUAHtzo.exe
File created | C:\Windows\System\xvbLKLx.exe
File created | C:\Windows\System\SRwbKdR.exe
File created | C:\Windows\System\ztLOoNs.exe
File created | C:\Windows\System\JrKSElV.exe
File created | C:\Windows\System\XJTnvme.exe
File created | C:\Windows\System\jIppHbK.exe
File created | C:\Windows\System\lqDgbBq.exe
File created | C:\Windows\System\RQdTfSJ.exe
File created | C:\Windows\System\KagAAKl.exe
File created | C:\Windows\System\BTtJgEq.exe
File created | C:\Windows\System\JYFgDFR.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeLockMemoryPrivilege | 3868 | 2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege | 3868 | 2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe
-
Suspicious use of WriteProcessMemory 42 IoCs
Process (all rows): 2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe
description | pid | procid_target
PID 3868 wrote to memory of 4708 | 3868 | 84
PID 3868 wrote to memory of 4708 | 3868 | 84
PID 3868 wrote to memory of 940 | 3868 | 85
PID 3868 wrote to memory of 940 | 3868 | 85
PID 3868 wrote to memory of 4596 | 3868 | 86
PID 3868 wrote to memory of 4596 | 3868 | 86
PID 3868 wrote to memory of 2900 | 3868 | 87
PID 3868 wrote to memory of 2900 | 3868 | 87
PID 3868 wrote to memory of 3144 | 3868 | 88
PID 3868 wrote to memory of 3144 | 3868 | 88
PID 3868 wrote to memory of 4640 | 3868 | 89
PID 3868 wrote to memory of 4640 | 3868 | 89
PID 3868 wrote to memory of 2644 | 3868 | 90
PID 3868 wrote to memory of 2644 | 3868 | 90
PID 3868 wrote to memory of 2184 | 3868 | 91
PID 3868 wrote to memory of 2184 | 3868 | 91
PID 3868 wrote to memory of 4304 | 3868 | 92
PID 3868 wrote to memory of 4304 | 3868 | 92
PID 3868 wrote to memory of 3244 | 3868 | 93
PID 3868 wrote to memory of 3244 | 3868 | 93
PID 3868 wrote to memory of 2064 | 3868 | 94
PID 3868 wrote to memory of 2064 | 3868 | 94
PID 3868 wrote to memory of 4872 | 3868 | 95
PID 3868 wrote to memory of 4872 | 3868 | 95
PID 3868 wrote to memory of 2204 | 3868 | 96
PID 3868 wrote to memory of 2204 | 3868 | 96
PID 3868 wrote to memory of 2432 | 3868 | 97
PID 3868 wrote to memory of 2432 | 3868 | 97
PID 3868 wrote to memory of 3936 | 3868 | 98
PID 3868 wrote to memory of 3936 | 3868 | 98
PID 3868 wrote to memory of 348 | 3868 | 99
PID 3868 wrote to memory of 348 | 3868 | 99
PID 3868 wrote to memory of 4216 | 3868 | 100
PID 3868 wrote to memory of 4216 | 3868 | 100
PID 3868 wrote to memory of 4908 | 3868 | 102
PID 3868 wrote to memory of 4908 | 3868 | 102
PID 3868 wrote to memory of 1960 | 3868 | 103
PID 3868 wrote to memory of 1960 | 3868 | 103
PID 3868 wrote to memory of 4308 | 3868 | 105
PID 3868 wrote to memory of 4308 | 3868 | 105
PID 3868 wrote to memory of 400 | 3868 | 107
PID 3868 wrote to memory of 400 | 3868 | 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe (level 1)
command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe"
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3868
-
    C:\Windows\System\kfXPvyL.exe (level 2)
    command line: C:\Windows\System\kfXPvyL.exe
    - Executes dropped EXE
    PID:4708
-
    C:\Windows\System\mkYqGZj.exe (level 2)
    command line: C:\Windows\System\mkYqGZj.exe
    - Executes dropped EXE
    PID:940
-
    C:\Windows\System\KagAAKl.exe (level 2)
    command line: C:\Windows\System\KagAAKl.exe
    - Executes dropped EXE
    PID:4596
-
    C:\Windows\System\JrKSElV.exe (level 2)
    command line: C:\Windows\System\JrKSElV.exe
    - Executes dropped EXE
    PID:2900
-
    C:\Windows\System\BDsAFdC.exe (level 2)
    command line: C:\Windows\System\BDsAFdC.exe
    - Executes dropped EXE
    PID:3144
-
    C:\Windows\System\XJTnvme.exe (level 2)
    command line: C:\Windows\System\XJTnvme.exe
    - Executes dropped EXE
    PID:4640
-
    C:\Windows\System\QBrwvjS.exe (level 2)
    command line: C:\Windows\System\QBrwvjS.exe
    - Executes dropped EXE
    PID:2644
-
    C:\Windows\System\UFoxNzv.exe (level 2)
    command line: C:\Windows\System\UFoxNzv.exe
    - Executes dropped EXE
    PID:2184
-
    C:\Windows\System\GQVbFzX.exe (level 2)
    command line: C:\Windows\System\GQVbFzX.exe
    - Executes dropped EXE
    PID:4304
-
    C:\Windows\System\FWgBVWg.exe (level 2)
    command line: C:\Windows\System\FWgBVWg.exe
    - Executes dropped EXE
    PID:3244
-
    C:\Windows\System\qUAHtzo.exe (level 2)
    command line: C:\Windows\System\qUAHtzo.exe
    - Executes dropped EXE
    PID:2064
-
    C:\Windows\System\dGwktad.exe (level 2)
    command line: C:\Windows\System\dGwktad.exe
    - Executes dropped EXE
    PID:4872
-
    C:\Windows\System\jIppHbK.exe (level 2)
    command line: C:\Windows\System\jIppHbK.exe
    - Executes dropped EXE
    PID:2204
-
    C:\Windows\System\xvbLKLx.exe (level 2)
    command line: C:\Windows\System\xvbLKLx.exe
    - Executes dropped EXE
    PID:2432
-
    C:\Windows\System\lqDgbBq.exe (level 2)
    command line: C:\Windows\System\lqDgbBq.exe
    - Executes dropped EXE
    PID:3936
-
    C:\Windows\System\BTtJgEq.exe (level 2)
    command line: C:\Windows\System\BTtJgEq.exe
    - Executes dropped EXE
    PID:348
-
    C:\Windows\System\RQdTfSJ.exe (level 2)
    command line: C:\Windows\System\RQdTfSJ.exe
    - Executes dropped EXE
    PID:4216
-
    C:\Windows\System\JYFgDFR.exe (level 2)
    command line: C:\Windows\System\JYFgDFR.exe
    - Executes dropped EXE
    PID:4908
-
    C:\Windows\System\iTFEtzG.exe (level 2)
    command line: C:\Windows\System\iTFEtzG.exe
    - Executes dropped EXE
    PID:1960
-
    C:\Windows\System\SRwbKdR.exe (level 2)
    command line: C:\Windows\System\SRwbKdR.exe
    - Executes dropped EXE
    PID:4308
-
    C:\Windows\System\ztLOoNs.exe (level 2)
    command line: C:\Windows\System\ztLOoNs.exe
    - Executes dropped EXE
    PID:400
-
Network
MITRE ATT&CK Matrix
Downloads