Analysis
- max time kernel: 149s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/08/2024, 21:23
Behavioral task: behavioral1
- Sample: 2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe
- Resource: win7-20240704-en
General
- Target: 2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe
- Size: 5.2MB
- MD5: c14b07d3350ec258e473a3fb3054c675
- SHA1: a3bf539c632b3345244738a60e6bdeab74c79a0a
- SHA256: 614233b5e50372848f77dbeea5484975f0933abeb96124801397c2918ab477a9
- SHA512: e0892fe2624c531ca54cb814f86ab8387b228247efa41fe31288c0570c07141fd1557b2b2bbbcd0163f48afc84e1609902382ebdbcc4e0eb577e99af30f556b0
- SSDEEP: 49152:ROdWCCi7/raA56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lU:RWWBibj56utgpPFotBER/mQ32lUQ
Malware Config
Extracted
- cobaltstrike
- 0
- http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- access_type: 512
- beacon_type: 256
- create_remote_thread: 768
- crypto_scheme: 256
- host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http_method1: GET
- http_method2: POST
- maxdns: 255
- pipe_name: \\%s\pipe\msagent_%x
- polling_time: 5000
- port_number: 443
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- unknown1: 4096
- uri: /N4215/adj/amzn.us.sr.aps
- user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
- watermark: 0
Signatures
- Cobalt Strike reflective loader (21 IoCs)
  Detects the reflective loader used by Cobalt Strike.
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- XMRig Miner payload (46 IoCs)
- Executes dropped EXE (21 IoCs)
- Drops file in Windows directory (21 IoCs)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeLockMemoryPrivilege, pid 5104, 2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe
  Token: SeLockMemoryPrivilege, pid 5104, 2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe
- Suspicious use of WriteProcessMemory (42 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe (PID 5104)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes (each flagged "Executes dropped EXE"):
  - C:\Windows\System\OzrORBx.exe (PID 828)
  - C:\Windows\System\wGoHHIM.exe (PID 1040)
  - C:\Windows\System\EebEoVM.exe (PID 1600)
  - C:\Windows\System\jzDjCMs.exe (PID 4376)
  - C:\Windows\System\iijXHPa.exe (PID 4756)
  - C:\Windows\System\ukjSniC.exe (PID 972)
  - C:\Windows\System\bzOVeAk.exe (PID 4228)
  - C:\Windows\System\rXFmJUz.exe (PID 2228)
  - C:\Windows\System\ZnWfJaP.exe (PID 1192)
  - C:\Windows\System\QCiVaYK.exe (PID 2648)
  - C:\Windows\System\dBqIuaf.exe (PID 4920)
  - C:\Windows\System\nigEBMX.exe (PID 4172)
  - C:\Windows\System\gZMNeRC.exe (PID 5116)
  - C:\Windows\System\LIRLenV.exe (PID 4740)
  - C:\Windows\System\bDgwqLh.exe (PID 1976)
  - C:\Windows\System\WGImGiN.exe (PID 212)
  - C:\Windows\System\DlkOXGs.exe (PID 4696)
  - C:\Windows\System\giHwwJu.exe (PID 3964)
  - C:\Windows\System\WowAWxd.exe (PID 2420)
  - C:\Windows\System\fgZHZhF.exe (PID 3280)
  - C:\Windows\System\aRELhyd.exe (PID 2140)