Analysis
- max time kernel: 147s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/08/2024, 21:20
Behavioral task: behavioral1
- Sample: 2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe
- Resource: win7-20240729-en
General
- Target: 2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe
- Size: 5.2MB
- MD5: aee166a4d3f20d04a52bda276a93e292
- SHA1: faa79e770d7fddcfab812e7ea9a48a042f76c371
- SHA256: f9890e500017842ef38ae3a3c923e7cef669f9a2a495f127e0b708e0629a8639
- SHA512: 8abcf9cfd725c71b1a552313091534511526a32bef669ca6fb1fdddd48621b05892d58084d66d81520dbc68c7897fcd3644c843d12f532cd002356b584de42e1
- SSDEEP: 49152:ROdWCCi7/raA56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lZ:RWWBibj56utgpPFotBER/mQ32lUl
Malware Config
Extracted: cobaltstrike
- 0 (C2 URLs):
  - http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
  - http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
  - http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- access_type: 512
- beacon_type: 256
- create_remote_thread: 768
- crypto_scheme: 256
- host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http_header1 (base64):
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_header2 (base64):
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
- http_method1: GET
- http_method2: POST
- maxdns: 255
- pipe_name: \\%s\pipe\msagent_%x
- polling_time: 5000
- port_number: 443
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- state_machine (base64):
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 4096
- unknown2 (base64):
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /N4215/adj/amzn.us.sr.aps
- user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
- watermark: 0
Signatures
Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
XMRig Miner payload 46 IoCs
Executes dropped EXE 21 IoCs
yara_rule upx: matches on the dropped .dat files and on the memory regions of the dropped processes
Drops file in Windows directory 21 IoCs
Suspicious use of AdjustPrivilegeToken 2 IoCs
- Token: SeLockMemoryPrivilege, pid 1524, process 2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe
- Token: SeLockMemoryPrivilege, pid 1524, process 2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe
Suspicious use of WriteProcessMemory 42 IoCs
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1524
  - C:\Windows\System\GeRfKai.exe (depth 2)
    Command line: C:\Windows\System\GeRfKai.exe
    - Executes dropped EXE
    PID: 3580
  - C:\Windows\System\dRmwEMh.exe (depth 2)
    Command line: C:\Windows\System\dRmwEMh.exe
    - Executes dropped EXE
    PID: 3616
  - C:\Windows\System\ULdznCs.exe (depth 2)
    Command line: C:\Windows\System\ULdznCs.exe
    - Executes dropped EXE
    PID: 4308
  - C:\Windows\System\dXGJXTL.exe (depth 2)
    Command line: C:\Windows\System\dXGJXTL.exe
    - Executes dropped EXE
    PID: 700
  - C:\Windows\System\IckSQUC.exe (depth 2)
    Command line: C:\Windows\System\IckSQUC.exe
    - Executes dropped EXE
    PID: 940
  - C:\Windows\System\MPdSaTH.exe (depth 2)
    Command line: C:\Windows\System\MPdSaTH.exe
    - Executes dropped EXE
    PID: 2616
  - C:\Windows\System\ZNYNOPl.exe (depth 2)
    Command line: C:\Windows\System\ZNYNOPl.exe
    - Executes dropped EXE
    PID: 212
  - C:\Windows\System\NPyFZyV.exe (depth 2)
    Command line: C:\Windows\System\NPyFZyV.exe
    - Executes dropped EXE
    PID: 5036
  - C:\Windows\System\UcZnKeH.exe (depth 2)
    Command line: C:\Windows\System\UcZnKeH.exe
    - Executes dropped EXE
    PID: 3660
  - C:\Windows\System\EnFnRcm.exe (depth 2)
    Command line: C:\Windows\System\EnFnRcm.exe
    - Executes dropped EXE
    PID: 1964
  - C:\Windows\System\HTpLswk.exe (depth 2)
    Command line: C:\Windows\System\HTpLswk.exe
    - Executes dropped EXE
    PID: 2596
  - C:\Windows\System\PIpYAUh.exe (depth 2)
    Command line: C:\Windows\System\PIpYAUh.exe
    - Executes dropped EXE
    PID: 552
  - C:\Windows\System\jtRAhuA.exe (depth 2)
    Command line: C:\Windows\System\jtRAhuA.exe
    - Executes dropped EXE
    PID: 4352
  - C:\Windows\System\ZsMnLOK.exe (depth 2)
    Command line: C:\Windows\System\ZsMnLOK.exe
    - Executes dropped EXE
    PID: 2520
  - C:\Windows\System\CoCuPRC.exe (depth 2)
    Command line: C:\Windows\System\CoCuPRC.exe
    - Executes dropped EXE
    PID: 4776
  - C:\Windows\System\SGKBQxP.exe (depth 2)
    Command line: C:\Windows\System\SGKBQxP.exe
    - Executes dropped EXE
    PID: 1544
  - C:\Windows\System\xsvjtSP.exe (depth 2)
    Command line: C:\Windows\System\xsvjtSP.exe
    - Executes dropped EXE
    PID: 1984
  - C:\Windows\System\XbWtZIj.exe (depth 2)
    Command line: C:\Windows\System\XbWtZIj.exe
    - Executes dropped EXE
    PID: 1668
  - C:\Windows\System\iEUDqYt.exe (depth 2)
    Command line: C:\Windows\System\iEUDqYt.exe
    - Executes dropped EXE
    PID: 4528
  - C:\Windows\System\uqXRXLe.exe (depth 2)
    Command line: C:\Windows\System\uqXRXLe.exe
    - Executes dropped EXE
    PID: 2424
  - C:\Windows\System\iRrXsjQ.exe (depth 2)
    Command line: C:\Windows\System\iRrXsjQ.exe
    - Executes dropped EXE
    PID: 1220
Downloads
21 dropped files, each 5.2MB in size.