Analysis
max time kernel: 148s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/08/2024, 21:17
Behavioral task: behavioral1
Sample: 2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe
Resource: win7-20240729-en
Note: every IoC path in the Signatures section below is prefixed behavioral2, so the file, memory and process observations come from the windows10-2004_x64 run listed under Analysis, not from this Windows 7 task.
General
Target: 2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe
Size: 5.2MB
MD5: 9ff9f5813a6443ed0b267ca38cca4f01
SHA1: c0cf2b505e510e23e697a2a97878957a9a91cef0
SHA256: 0f6de8be043a6917c54b10570817dc04902e02d0d3694de38a69bfe7f8e548f9
SHA512: 86844612fdd07f0928a11fa8b7dc2770c4e4c451baf22fed9fe134ad2e361c843dc8ac52c47a8c6339bb3141de858a23ca6a92490c705f96221722bf738f1635
SSDEEP: 49152:ROdWCCi7/raA56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lI:RWWBibj56utgpPFotBER/mQ32lUM
Malware Config
Extracted
cobaltstrike
0
C2 URLs:
  http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
  http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
  http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1 (base64, http-get transform block): AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2 (base64, http-post transform block): AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine (base64 DER SubjectPublicKeyInfo, the beacon's RSA public key, followed by zero padding): MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0

Notes on the config:
- The three C2 hosts are ns7/ns8/ns9.softline.top on port 443, but the transform blocks carry a fixed "Host: www.amazon.com" header, so the Host header inside the request will not match the server actually contacted. Hunt on the softline.top names and on the Trident/7.0 user agent, not on the Host header.
- pipe_name (\\%s\pipe\msagent_%x) and the rundll32.exe spawn-to targets (sc_process32/sc_process64) are profile-controlled values useful for host-side hunting: a rundll32.exe child with no command-line arguments, or a named pipe matching msagent_<hex>, is worth a look.
- watermark 0 is the value commonly seen in cracked or leaked builds rather than a licensed team server; it is not a useful pivot on its own.
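The three encoded fields above (http_header1, http_header2, state_machine) are opaque as listed. The following is an added example for this report, not Triage code and not Cobalt Strike code, that decodes them with the Python standard library only. The transform blocks are read as big-endian u32 opcodes, data-carrying opcodes being followed by a u32 length and that many bytes, with opcode 0 ending the block; the opcode-to-name table is an assumption taken from the numbering used by public beacon config parsers and should be confirmed against a parser you trust before the names are relied on. The decoded strings match the published Amazon Malleable C2 profile, which is why the beacon's GET looks like an amazon.com product search. The key field is parsed as DER so the modulus size, exponent and a SHA-256 of the key can be recorded; the key hash is a value that stays constant across samples generated from the same team server. The constants are the report's values with the trailing zero padding cut.

```python
"""Decode the encoded fields of the extracted beacon config above: the two
transform blocks (http_header1, http_header2) and the key in state_machine.
Added example for this report, not Triage code and not Cobalt Strike code."""
import base64
import hashlib
import struct

# Values from the Malware Config section, with the trailing zero padding removed.
HTTP_HEADER1 = ("AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAAC"
                "AAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFC"
                "QjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAA")
HTTP_HEADER2 = ("AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1"
                "ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApz"
                "ej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0z"
                "NzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==")
STATE_MACHINE = ("MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68N"
                 "gy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir"
                 "/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQAB")

# Transform-step opcodes. Assumption: this is the numbering used by public beacon
# config parsers; the decoded data is consistent with it (full header lines under
# 10, full key=value pairs under 9, bare names under 5 and 6), but confirm it
# against a parser you trust before building anything on the names.
TRANSFORMS = {1: "append", 2: "prepend", 3: "base64", 4: "print", 5: "parameter",
              6: "header", 7: "build", 8: "netbios", 9: "const_parameter",
              10: "const_header"}
WITH_ARG = {1, 2, 5, 6, 9, 10}   # opcode is followed by u32 length + bytes


def b64_lenient(s: str) -> bytes:
    """Decode base64 regardless of how much '=' padding survived copy/paste."""
    s = "".join(s.split()).rstrip("=")
    return base64.b64decode(s + "=" * (-len(s) % 4))


def decode_transforms(blob_b64: str, post: bool = False) -> list:
    """Render a transform block as Malleable-C2-style steps. In the http-get
    block 'build' always refers to metadata; in http-post, build 0 is the
    session id and build 1 the task output."""
    data = b64_lenient(blob_b64)
    steps, off = [], 0
    while off + 4 <= len(data):
        (op,) = struct.unpack_from(">I", data, off)
        off += 4
        if op == 0:                                  # end of block
            break
        if op in WITH_ARG:
            (n,) = struct.unpack_from(">I", data, off)
            arg = data[off + 4:off + 4 + n].decode("latin-1")
            off += 4 + n
            steps.append(f'{TRANSFORMS[op]} "{arg}"')
        elif op == 7:
            (which,) = struct.unpack_from(">I", data, off)
            off += 4
            steps.append("build " + (("id" if which == 0 else "output") if post else "metadata"))
        elif op in TRANSFORMS:                       # zero-argument step
            steps.append(TRANSFORMS[op])
        else:
            raise ValueError(f"unknown transform opcode {op} at offset {off - 4}")
    return steps


def der_tlv(buf: bytes, off: int):
    """Read one DER tag/length/value at off; return (tag, value, next_off)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def parse_rsa_spki(b64: str) -> dict:
    """Parse the DER SubjectPublicKeyInfo held in state_machine and return the
    modulus size, public exponent, DER length and a SHA-256 of the DER bytes
    (a stable pivot value for samples that share a team server key)."""
    raw = b64_lenient(b64)
    tag, spki, end = der_tlv(raw, 0)
    if tag != 0x30:
        raise ValueError("state_machine does not start with a DER SEQUENCE")
    der = raw[:end]                                  # key only, padding dropped
    _, alg, off = der_tlv(spki, 0)                   # AlgorithmIdentifier
    _, oid, _ = der_tlv(alg, 0)
    if oid != bytes.fromhex("2a864886f70d010101"):   # rsaEncryption
        raise ValueError("not an rsaEncryption key")
    _, bitstr, _ = der_tlv(spki, off)                # BIT STRING; byte 0 = unused bits
    _, rsa, _ = der_tlv(bitstr[1:], 0)               # RSAPublicKey SEQUENCE
    _, n_bytes, off = der_tlv(rsa, 0)
    _, e_bytes, _ = der_tlv(rsa, off)
    n = int.from_bytes(n_bytes, "big")
    return {"bits": n.bit_length(), "e": int.from_bytes(e_bytes, "big"),
            "der_len": len(der), "sha256": hashlib.sha256(der).hexdigest()}


if __name__ == "__main__":
    print("http-get:", *decode_transforms(HTTP_HEADER1), sep="\n  ")
    print("http-post:", *decode_transforms(HTTP_HEADER2, post=True), sep="\n  ")
    print("public key:", parse_rsa_spki(STATE_MACHINE))
```

Running it prints the GET block as const headers Accept and Host, then metadata base64-encoded, wrapped in "session-token=" / "skin=noskin;" / "csm-hit=..." and placed in the Cookie header; the POST block carries the session id in the "sn" parameter and the output base64-encoded in the body. The key is 1024-bit RSA with e=65537.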
Signatures
The file-based matches below all hit the same 21 dropped .dat resources, and the memory-based matches all hit the same 22 processes: the submitted sample (PID 2716) and its 21 children. Each mapped image is 0x351000 bytes.

Cobalt Strike reflective loader (21 IoCs)
Detects the reflective loader used by Cobalt Strike.
YARA rule cobalt_reflective_dll matched these dropped resources:
  behavioral2/files/0x00080000000234fa-4.dat
  behavioral2/files/0x0007000000023500-17.dat
  behavioral2/files/0x00070000000234ff-16.dat
  behavioral2/files/0x00070000000234fe-18.dat
  behavioral2/files/0x0007000000023502-35.dat
  behavioral2/files/0x0007000000023504-43.dat
  behavioral2/files/0x0007000000023506-64.dat
  behavioral2/files/0x0007000000023507-67.dat
  behavioral2/files/0x0007000000023505-48.dat
  behavioral2/files/0x0007000000023501-44.dat
  behavioral2/files/0x0007000000023503-53.dat
  behavioral2/files/0x0007000000023508-70.dat
  behavioral2/files/0x00080000000234fb-78.dat
  behavioral2/files/0x0007000000023509-82.dat
  behavioral2/files/0x000700000002350a-93.dat
  behavioral2/files/0x000700000002350b-104.dat
  behavioral2/files/0x000700000002350c-103.dat
  behavioral2/files/0x000700000002350e-113.dat
  behavioral2/files/0x000700000002350d-121.dat
  behavioral2/files/0x000700000002350f-125.dat
  behavioral2/files/0x0007000000023510-131.dat

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.

XMRig Miner payload (46 IoCs)
YARA rule xmrig matched in memory (behavioral2/memory/<pid>-<dump>-<range>-memory.dmp). PID, mapped range, dump indices:
  2716  0x00007FF7CB310000-0x00007FF7CB661000  92, 133, 155
  632   0x00007FF621570000-0x00007FF6218C1000  14, 213
  3692  0x00007FF6D13B0000-0x00007FF6D1701000  25, 117, 219
  2656  0x00007FF6BEF50000-0x00007FF6BF2A1000  26, 217
  2856  0x00007FF6C5D00000-0x00007FF6C6051000  33, 215
  2568  0x00007FF7D3000000-0x00007FF7D3351000  109, 223
  4728  0x00007FF73FA70000-0x00007FF73FDC1000  130, 222
  4596  0x00007FF63DC00000-0x00007FF63DF51000  129, 225
  3912  0x00007FF607AB0000-0x00007FF607E01000  141, 232
  2072  0x00007FF6DA000000-0x00007FF6DA351000  52, 227
  1908  0x00007FF7D6FC0000-0x00007FF7D7311000  143, 230
  1884  0x00007FF7C8510000-0x00007FF7C8861000  144, 233
  3624  0x00007FF6EFA80000-0x00007FF6EFDD1000  74, 244
  4436  0x00007FF70D7E0000-0x00007FF70DB31000  84, 246
  4332  0x00007FF68E4D0000-0x00007FF68E821000  147, 248
  1272  0x00007FF7D4560000-0x00007FF7D48B1000  100, 250
  1136  0x00007FF6DDF60000-0x00007FF6DE2B1000  149, 252
  3188  0x00007FF67A5D0000-0x00007FF67A921000  150, 259
  432   0x00007FF688370000-0x00007FF6886C1000  151, 256
  4980  0x00007FF6957D0000-0x00007FF695B21000  153, 261
  1240  0x00007FF7DA470000-0x00007FF7DA7C1000  152, 255
  1424  0x00007FF6B8F90000-0x00007FF6B92E1000  154, 262

Executes dropped EXE (21 IoCs)
PID, process:
  632   ZXhiCpP.exe
  3692  VIiGlaC.exe
  2656  cRqwOKv.exe
  2856  XWzxZPF.exe
  2568  UBOEikY.exe
  4728  WhGwPnk.exe
  4596  nPtyOku.exe
  3912  BZvuogp.exe
  2072  zihzlEw.exe
  1908  XGNBgCJ.exe
  1884  eEWY UQO.exe
  3624  WjpmFfy.exe
  4436  DQCjHaw.exe
  4332  EqTqaMf.exe
  1272  kwdMlSa.exe
  1136  oLFcfrZ.exe
  3188  iNFYkjH.exe
  432   TORkLJq.exe
  4980  VZYFMFO.exe
  1240  fbUIqHV.exe
  1424  hsUYbZh.exe

YARA rule upx (21 files, 43 memory regions; the signature heading for this block is missing from the page)
Files: the same 21 behavioral2/files/*.dat resources listed under the reflective loader signature above.
Memory (PID, mapped range, dump indices):
  2716  0x00007FF7CB310000-0x00007FF7CB661000  0, 92, 133, 155
  632   0x00007FF621570000-0x00007FF6218C1000  14, 213
  3692  0x00007FF6D13B0000-0x00007FF6D1701000  25, 117, 219
  2656  0x00007FF6BEF50000-0x00007FF6BF2A1000  26, 217
  2856  0x00007FF6C5D00000-0x00007FF6C6051000  33, 215
  2568  0x00007FF7D3000000-0x00007FF7D3351000  34, 109
  4728  0x00007FF73FA70000-0x00007FF73FDC1000  51, 130
  4596  0x00007FF63DC00000-0x00007FF63DF51000  39, 129
  3912  0x00007FF607AB0000-0x00007FF607E01000  59, 141
  2072  0x00007FF6DA000000-0x00007FF6DA351000  52
  1908  0x00007FF7D6FC0000-0x00007FF7D7311000  63, 143
  1884  0x00007FF7C8510000-0x00007FF7C8861000  66, 144
  3624  0x00007FF6EFA80000-0x00007FF6EFDD1000  74
  4436  0x00007FF70D7E0000-0x00007FF70DB31000  84
  4332  0x00007FF68E4D0000-0x00007FF68E821000  88, 147
  1272  0x00007FF7D4560000-0x00007FF7D48B1000  100
  1136  0x00007FF6DDF60000-0x00007FF6DE2B1000  107, 149
  3188  0x00007FF67A5D0000-0x00007FF67A921000  123, 150
  432   0x00007FF688370000-0x00007FF6886C1000  114, 151
  4980  0x00007FF6957D0000-0x00007FF695B21000  124, 153
  1240  0x00007FF7DA470000-0x00007FF7DA7C1000  115, 152
  1424  0x00007FF6B8F90000-0x00007FF6B92E1000  128, 154

Drops file in Windows directory (21 IoCs)
All created by 2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe (PID 2716). Note the target is C:\Windows\System\, a legacy directory that normal software does not write executables into, which makes the path itself a usable detection key:
  C:\Windows\System\TORkLJq.exe
  C:\Windows\System\XWzxZPF.exe
  C:\Windows\System\WhGwPnk.exe
  C:\Windows\System\nPtyOku.exe
  C:\Windows\System\zihzlEw.exe
  C:\Windows\System\eEWYUQO.exe
  C:\Windows\System\WjpmFfy.exe
  C:\Windows\System\kwdMlSa.exe
  C:\Windows\System\ZXhiCpP.exe
  C:\Windows\System\VZYFMFO.exe
  C:\Windows\System\hsUYbZh.exe
  C:\Windows\System\fbUIqHV.exe
  C:\Windows\System\cRqwOKv.exe
  C:\Windows\System\BZvuogp.exe
  C:\Windows\System\DQCjHaw.exe
  C:\Windows\System\iNFYkjH.exe
  C:\Windows\System\VIiGlaC.exe
  C:\Windows\System\XGNBgCJ.exe
  C:\Windows\System\EqTqaMf.exe
  C:\Windows\System\oLFcfrZ.exe
  C:\Windows\System\UBOEikY.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Token: SeLockMemoryPrivilege, PID 2716, 2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe (reported twice).
SeLockMemoryPrivilege is the privilege XMRig enables to back its scratchpad with large pages, which is consistent with the xmrig memory matches above; a Cobalt Strike beacon has no reason to request it.

Suspicious use of WriteProcessMemory (42 IoCs)
PID 2716 (the sample) wrote to the memory of each child it started; every pair is reported twice. Target PID, image, procid_target:
  632   ZXhiCpP.exe  87
  3692  VIiGlaC.exe  88
  2656  cRqwOKv.exe  89
  2856  XWzxZPF.exe  90
  2568  UBOEikY.exe  91
  4728  WhGwPnk.exe  92
  4596  nPtyOku.exe  93
  3912  BZvuogp.exe  94
  2072  zihzlEw.exe  95
  1908  XGNBgCJ.exe  96
  1884  eEWYUQO.exe  97
  3624  WjpmFfy.exe  98
  4436  DQCjHaw.exe  99
  4332  EqTqaMf.exe  100
  1272  kwdMlSa.exe  101
  1136  oLFcfrZ.exe  102
  3188  iNFYkjH.exe  103
  432   TORkLJq.exe  104
  1240  fbUIqHV.exe  105
  4980  VZYFMFO.exe  106
  1424  hsUYbZh.exe  107
Processes
1. C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe (PID 2716)
   command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe"
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   Children (each started with its own path as the command line; all flagged "Executes dropped EXE"):
   2. C:\Windows\System\ZXhiCpP.exe (PID 632)
   2. C:\Windows\System\VIiGlaC.exe (PID 3692)
   2. C:\Windows\System\cRqwOKv.exe (PID 2656)
   2. C:\Windows\System\XWzxZPF.exe (PID 2856)
   2. C:\Windows\System\UBOEikY.exe (PID 2568)
   2. C:\Windows\System\WhGwPnk.exe (PID 4728)
   2. C:\Windows\System\nPtyOku.exe (PID 4596)
   2. C:\Windows\System\BZvuogp.exe (PID 3912)
   2. C:\Windows\System\zihzlEw.exe (PID 2072)
   2. C:\Windows\System\XGNBgCJ.exe (PID 1908)
   2. C:\Windows\System\eEWYUQO.exe (PID 1884)
   2. C:\Windows\System\WjpmFfy.exe (PID 3624)
   2. C:\Windows\System\DQCjHaw.exe (PID 4436)
   2. C:\Windows\System\EqTqaMf.exe (PID 4332)
   2. C:\Windows\System\kwdMlSa.exe (PID 1272)
   2. C:\Windows\System\oLFcfrZ.exe (PID 1136)
   2. C:\Windows\System\iNFYkjH.exe (PID 3188)
   2. C:\Windows\System\TORkLJq.exe (PID 432)
   2. C:\Windows\System\fbUIqHV.exe (PID 1240)
   2. C:\Windows\System\VZYFMFO.exe (PID 4980)
   2. C:\Windows\System\hsUYbZh.exe (PID 1424)
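The process tree and the "Drops file in Windows directory" / "Executes dropped EXE" signatures together describe one behaviour: a single process writes 21 executables under C:\Windows\System\ and then starts each of them as a child. The following is an added example for this report, not Triage code, showing how to flag that drop-and-launch fan-out from ordered file-create and process-create events. The event records are constructed here from the report's own PID and file-name lists in a Sysmon-like shape (id 11 = FileCreate, id 1 = ProcessCreate); the installer writing to Program Files is a constructed benign control, not something from the report, included so the rule can be shown not to fire on it.

```python
r"""Flag a process that writes several executables under C:\Windows and then
starts them as children, the pattern recorded in the Signatures section for
PID 2716. Added example for this report, not Triage code."""
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01"
          r"_cobalt-strike_cobaltstrike_poet-rat.exe")

# (child pid, dropped file name) from the "Executes dropped EXE" table above.
DROPPED = [
    (632, "ZXhiCpP.exe"), (3692, "VIiGlaC.exe"), (2656, "cRqwOKv.exe"),
    (2856, "XWzxZPF.exe"), (2568, "UBOEikY.exe"), (4728, "WhGwPnk.exe"),
    (4596, "nPtyOku.exe"), (3912, "BZvuogp.exe"), (2072, "zihzlEw.exe"),
    (1908, "XGNBgCJ.exe"), (1884, "eEWYUQO.exe"), (3624, "WjpmFfy.exe"),
    (4436, "DQCjHaw.exe"), (4332, "EqTqaMf.exe"), (1272, "kwdMlSa.exe"),
    (1136, "oLFcfrZ.exe"), (3188, "iNFYkjH.exe"), (432, "TORkLJq.exe"),
    (4980, "VZYFMFO.exe"), (1240, "fbUIqHV.exe"), (1424, "hsUYbZh.exe"),
]


def report_events() -> list:
    """Constructed Sysmon-style events in the order the report implies:
    id 11 = FileCreate by the dropper, id 1 = ProcessCreate of the dropped file."""
    events = []
    for pid, name in DROPPED:
        path = "C:\\Windows\\System\\" + name
        events.append({"id": 11, "pid": 2716, "image": SAMPLE, "target": path})
        events.append({"id": 1, "pid": pid, "ppid": 2716, "image": path})
    # Benign control (constructed, not from the report): an installer writing
    # one binary under Program Files and launching it. Must not be flagged.
    app = "C:\\Program Files\\Contoso\\app.exe"
    events.append({"id": 11, "pid": 5000, "image": "C:\\Temp\\setup.exe", "target": app})
    events.append({"id": 1, "pid": 5001, "ppid": 5000, "image": app})
    return events


def norm(path: str) -> str:
    """Case-fold and unify slashes so equality and prefix checks are reliable."""
    return path.replace("/", "\\").lower()


def drop_and_launch(events, root="c:\\windows\\", min_drops=5) -> dict:
    """Single pass over time-ordered events. A process is flagged when it has
    written at least min_drops executables under root and at least one of them
    is afterwards started as its child. Returns {dropper_pid: (dropped, launched)}."""
    dropped = defaultdict(set)
    launched = defaultdict(set)
    for e in events:
        if e["id"] == 11:
            target = norm(e["target"])
            if target.startswith(root) and target.endswith((".exe", ".dll")):
                dropped[e["pid"]].add(target)
        elif e["id"] == 1:
            image = norm(e["image"])
            if image in dropped.get(e.get("ppid"), ()):   # only files dropped earlier count
                launched[e["ppid"]].add(image)
    return {pid: (sorted(dropped[pid]), sorted(paths))
            for pid, paths in launched.items() if len(dropped[pid]) >= min_drops}


if __name__ == "__main__":
    for pid, (drops, runs) in drop_and_launch(report_events()).items():
        print(f"PID {pid}: dropped {len(drops)} executables under C:\\Windows\\, launched {len(runs)}")
```

On the constructed events only PID 2716 is returned, with all 21 drops and all 21 launches; the installer control is ignored because Program Files is outside the watched root. The ordering check matters in practice: counting a launch before the matching file-create event would let unrelated process starts inflate the hit.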
Downloads
21 dropped files. The report does not pair these hashes with the file names above. All 21 are 5.2MB, the same size as the submitted sample, yet no two hashes match each other or the sample's, so a hash block on one dropped copy will not catch the others; match on the C:\Windows\System\ drop path or the YARA rules instead.

File 1 (5.2MB)
  MD5    4c527477bf319bc89104f687fa6b3bd4
  SHA1   6685ec616a8d9e6cb3e5edbefeaec00b21a8a3e4
  SHA256 46a42010d6c4f70f1cb40cdf5d401348d27e452dabf4ea855e0fade613b60a8c
  SHA512 bf8f9e321787db9c03ee7632d631d11b4a0965ef6dc2610f9329f17304327cb9e437c9c88d2fe74c562ea31a1f01b0d33482b86709b1a23d4d229117a11c751e

File 2 (5.2MB)
  MD5    e995c9f11d1e3bcaa80d7369c5fcb323
  SHA1   7a26eb5921ec06faf0b7b80b652ae78f2cbb08ec
  SHA256 b1581254b13949a888f31d3db13e8bd813ff02bd4ae76675104e7e7a66fda29d
  SHA512 1d7dced79e5dfc226ce38229962c651a680b5cef4a7201a9919d0ab54dbfc67e56e22a7b0e51fbc39b98f40f9c3eac97527adad89775ff1989192f609cb43290

File 3 (5.2MB)
  MD5    906e67c051a83a42b12ca6ca03f52a82
  SHA1   687169b65f5b9f10cdb1800a10faf60b266760c2
  SHA256 2ce95b423e71ee96174432fd03b9c050edf1b6cca002899a9660b43c1fbb21e4
  SHA512 14387ee3f121b56bccb4916ab6cbb01b6a162f28b405568bded39f5da810ab5f2379193e671037d0cdb080494766a21d4b991047fa6d3616e5f4cc4f4799d39e

File 4 (5.2MB)
  MD5    1c064bb59121d75fcae75c59bddd5743
  SHA1   5620c719216b0b5aa1b7e427c4fc53fd9d1f609f
  SHA256 fa09a8f80cfca351ff76d28c2c780dc568691c0006c6dcd46e32561a4fd33181
  SHA512 5c70b4ff7049d78c6e9bceeaf0da11e03438afa1d8a78565a09a094730c6749fd943411328637e5e4ab314b2b9bbd1b41969d94d85bdab5180c6d455da7f7983

File 5 (5.2MB)
  MD5    eb5d3066783f9577914449fcfbb06d9c
  SHA1   84f57d3acb889c7fa9fed5b4f35ed2330a9cead5
  SHA256 c00f25a961d71372e5a0272566d794742cef449855191e82f283445bcd4d7e38
  SHA512 f9ddb7c88e6030006fd64d0b1fbdf24d2365b7d3fed2c430a1bf5496228f967a74dd60b71235d21a34d147128ea8252922c980fe2f710bc054d2ce620491d23b

File 6 (5.2MB)
  MD5    3ba83b26052061c242528266363943bd
  SHA1   62793415b389f03521974037c38805144bc5e773
  SHA256 eb4143279f8215cf57ac0f4ba6987046b2bb5d4d4e57005cc5df578ecd9751d1
  SHA512 3799c0b690a8af4200492b13a827507e02e78f9aa93863cb1e19291a95824745b3526deab1f5c6fddb41691cc6318bcf4e754313c3e7ddaedbee048d71870f58

File 7 (5.2MB)
  MD5    7be6034d75d7b9380c12ba76466aa3dd
  SHA1   ecdf32913e89342da5e7334ba4b94353df646ffe
  SHA256 1c89ef45febb2e48ab70c222066cad3b177b30e37b7feaabc925559ed9c41ebb
  SHA512 ad1fea4c3f3ad79914da3bd8c9adbc60a40a37a1ace8fe2bacab18acbc8b87de867f6d826ca47359d5e372916750ff2c2ce8fcf272a4a809d200020fc932a224

File 8 (5.2MB)
  MD5    208196b210c11667ca08a6608612d6fe
  SHA1   912c3ef7dfab6d701226dfe03e35142c36f78854
  SHA256 0680e02263a565b4f40061e4f8284c2e1b67bb3309d50bc8f665a4c53ba7e7cc
  SHA512 a07f18219f45e22d4343f76f10a76b3d1294d51535e355d35de8792751706e1cd660525f8564a0d5d007fed91c848aadc5fdecfc3e483292f19cc19d69a6a867

File 9 (5.2MB)
  MD5    48fb63eadd62445a13508161368f0ca4
  SHA1   52f3a34368574c9d220988040bb034cd06f73815
  SHA256 749d59654b8925696e5d7ea146cfc72aa9f8245a21eba21e0bbe062f536bceb3
  SHA512 377cda7440e7cf8b0e56bb4bdfec869a77984f535f24d79ad9889ad0bdeaa9720ce749267d8e62ba3ef320643687a11c8067082387d608908f75ade0e2e08ff9

File 10 (5.2MB)
  MD5    91462f5cdca58729398f7a8696e51ddb
  SHA1   3927bd1780eea79069fad0317989f9bf88173ee2
  SHA256 4dc710672fae5b5e06c6e7edd6aeac6200512c957329dae0a8e539f40162e87b
  SHA512 682f2e10194b216b6dbc5df03daff9007fb18800cc88428bfed70d095c4680be17a3c061c6701cb1e514fbc43c461e823d0958d5d30cdc6e13279484e4f479d2

File 11 (5.2MB)
  MD5    b3a1311b2d026a9988c8d383884babac
  SHA1   0f8ad4c4d32a7c887a25771f756da9c86145fea0
  SHA256 60b05058d9e9704a36269762fdefc2e0301efd7650b5023da330d2a0acc99036
  SHA512 779769cd27c6b54d0e6d9733a79fda18de1483d32230e878fbad2d0f2402f1bc53742def2fb9d9791954c69defce85d992c8dad42e6b85e2960e6dfd43cd8315

File 12 (5.2MB)
  MD5    042bfa12392a9b3172c6eb7676a6524c
  SHA1   ccebe52cd3569b08948c9a9b0c05e6ab2ad52dc0
  SHA256 473da72da83367923d0b9914f4116520d16290eaef2139b830d568e48ca21612
  SHA512 0aa48a4f211a601febcfe460a15cad199befe81f05d9e6a269985980b8de64f6b2bcd940e4ed936b96578d4af5d2e429c6e0a6334adaeac23db1571723fb0b76

File 13 (5.2MB)
  MD5    c5dc0b89b932b6bfdb368f7ace7041f4
  SHA1   6639a54da8451fdb827ab278e13ec92dbc665a1e
  SHA256 c09b69a85647cb35a6419d934b03cf76fdcfabe441ed016c297a79786bd91d3a
  SHA512 17279a702fb7b2641c79bebc4637211f0d1fbda95c05f36a622454897491b5bc64c8bcad63d252ee4a1277600bd432d2af44dda18f4ea5dc5dc805b0b1d84ea8

File 14 (5.2MB)
  MD5    e1dfd5d6d39ea443fb451f7661e3e9aa
  SHA1   b8d32fa3062156b6fb42f0fdf797d0c70c8577e4
  SHA256 bb5abab78ac002c583d3ee76bd412cad82145fc8fae307879bac6ae244131097
  SHA512 6fe6953d98af2e5c07671d2222c1e0a217e81d879545d3242911e2ea4fabd1950a260028f26177971c3a75aa226a247d897346f68b8293e4dcd4adec634f4dee

File 15 (5.2MB)
  MD5    da0f4ab5c56abc9fddcb91da366a3d8e
  SHA1   253f61a5fcf71e99b23ee928ddbc8b3b4b62a713
  SHA256 b28413e8d5e9c31b07d9251526ada307547d673e3f8c14f75346543cee58219a
  SHA512 8412782fc5b4298b349a2f35aed1155200e7b136aafe88020ecf0318fc7e1df142b45f3fe5882fa3388739f93b9fd0e7ddbc013f1c8f6dc1767509ab2666e1a6

File 16 (5.2MB)
  MD5    3c522bf0848f2222a21af2153263533d
  SHA1   b7a682c799f2cc5bf951a170656b7c2587df1d62
  SHA256 efdde5d41be9cde81d27ec750bc7cfda8cf3b6ab5bfbe5b782be6a95b1bb1ae8
  SHA512 52be7155d31750ef787c186d334cb50354961043bb390257b843000868fa67f10728ef434034a995eadca31bb8e31a0b0cd3c4910e3af7badcf4e9b43c124a0b

File 17 (5.2MB)
  MD5    7d8e9cf88f1f546706ae4a0eb015c447
  SHA1   518c11caaa36523208dad129a45545ba3862293e
  SHA256 6abbe1dfec7e9c4ee4f0e1f841f5e3fb849d2b9188c5f06986100d74969af49d
  SHA512 32a3270f4b8fbd6f9eb75cd5c593aeb4657027f25ab859a723677980d53a20cf4c36bb56c96f754312980435f62e6c5252b78cc9832566aa2bbffc1e8c79add8

File 18 (5.2MB)
  MD5    33f1fc723dda1ff857a9276b460b9d4c
  SHA1   e008d1ab515ef7b139ece723afd4d1d05724d0d0
  SHA256 472b783d851a8ed7cbb75df6b663d5f5e72db00f4f9345bd7d7b56517e4b059a
  SHA512 2dbc7cbe520ed3ae51b8221cf9a28b3d62805711cf01b35dbda8a48ecc09ebcefb50ff74511ee57852abe748d3987c98185d98d239e976da08594f523ef3b30f

File 19 (5.2MB)
  MD5    33afb174aa583cbb72bf9339093c4048
  SHA1   9bef3995de00b1f77b2b706680a5763254b3cffb
  SHA256 a922e8609c2b44a16c53f3298e01990beab49f3d8e384e929b3fc639a0194a95
  SHA512 39071c4ef8fe8a4de5e1ac12ebea924a7aac072d01be4b37943274049e740d6dfeae062cd9701bce521d2343764759996a33662334eb2db46aa2f7c6a5736128

File 20 (5.2MB)
  MD5    fad115af8f2eb97e4c1072fb5e688add
  SHA1   bac15faaed299769e655253c78da87b8233b602b
  SHA256 808879bd356ce9764f4f3534f3915ee78c0fbc90ec53a821ff2cfb6d5c468680
  SHA512 af9529dd44450e2d5444eba438558a0085a0ac4aca3bfbb15c9f5ba66b7ec3b59485f8df688fb371d26dfb1cfbe0e1c5873fb24728746d3f5ca7dcdefa866648

File 21 (5.2MB)
  MD5    4da2b0a5675c6a76591accec32363c46
  SHA1   7c072b476b0ac2b2e7f2e588c9eb5bb8be3de513
  SHA256 55c717c1ee400481ceeb5c4f88abf986f71a7b476049bb19104baa9d520ec791
  SHA512 7392ea1da9a70e013315937f1aa83c1d42af8a861f85d90da4f7eca745607036d810c0e33279394ed3b908808161e0c43b35e543f898d412f73e51ef1045bf88