Analysis
max time kernel: 140s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/08/2024, 20:52

Behavioral task: behavioral1
Sample: 2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe
Resource: win7-20240704-en
General
Target: 2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe
Size: 5.2MB
MD5: 2cbc36328c79a498ba643d329b0e8c7d
SHA1: a3b9d3adcb1e30f07fd30e4f4382f7473e6d7fde
SHA256: 72133dda07b1d5344bb6caee1e0c8c44b7eb50dc28be603deae0c41367d7c68b
SHA512: 7250f073e6447af9e2b8b1949845223def034ce655daa3781882c15ffe15c5b227ca43ad5f01d4a9d47f5e64bf561189381c0a5b5d85e7e1922f3cdbf6cad1bd
SSDEEP: 49152:ROdWCCi7/raA56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lv:RWWBibj56utgpPFotBER/mQ32lU7
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
Signatures
-
Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
resource  yara_rule
behavioral2/files/0x0008000000023463-4.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023467-10.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023469-20.dat  cobalt_reflective_dll
behavioral2/files/0x000700000002346a-27.dat  cobalt_reflective_dll
behavioral2/files/0x000700000002346e-64.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023474-86.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023473-92.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023475-104.dat  cobalt_reflective_dll
behavioral2/files/0x0008000000023464-102.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023472-83.dat  cobalt_reflective_dll
behavioral2/files/0x000700000002346f-77.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023471-73.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023470-71.dat  cobalt_reflective_dll
behavioral2/files/0x000700000002346d-51.dat  cobalt_reflective_dll
behavioral2/files/0x000700000002346c-42.dat  cobalt_reflective_dll
behavioral2/files/0x000700000002346b-41.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023468-19.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023476-108.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023479-115.dat  cobalt_reflective_dll
behavioral2/files/0x000700000002347a-124.dat  cobalt_reflective_dll
behavioral2/files/0x000700000002347c-126.dat  cobalt_reflective_dll
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
XMRig Miner payload 46 IoCs
resource  yara_rule
behavioral2/memory/2164-8-0x00007FF751A00000-0x00007FF751D51000-memory.dmp  xmrig
behavioral2/memory/4788-18-0x00007FF7F99A0000-0x00007FF7F9CF1000-memory.dmp  xmrig
behavioral2/memory/1448-28-0x00007FF6B2300000-0x00007FF6B2651000-memory.dmp  xmrig
behavioral2/memory/1132-46-0x00007FF66B730000-0x00007FF66BA81000-memory.dmp  xmrig
behavioral2/memory/4548-97-0x00007FF61C8B0000-0x00007FF61CC01000-memory.dmp  xmrig
behavioral2/memory/3020-76-0x00007FF6DD6E0000-0x00007FF6DDA31000-memory.dmp  xmrig
behavioral2/memory/4408-62-0x00007FF630E80000-0x00007FF6311D1000-memory.dmp  xmrig
behavioral2/memory/2164-109-0x00007FF751A00000-0x00007FF751D51000-memory.dmp  xmrig
behavioral2/memory/3276-117-0x00007FF6B2560000-0x00007FF6B28B1000-memory.dmp  xmrig
behavioral2/memory/3044-120-0x00007FF6B2880000-0x00007FF6B2BD1000-memory.dmp  xmrig
behavioral2/memory/3892-129-0x00007FF7D9870000-0x00007FF7D9BC1000-memory.dmp  xmrig
behavioral2/memory/836-128-0x00007FF646010000-0x00007FF646361000-memory.dmp  xmrig
behavioral2/memory/768-130-0x00007FF774970000-0x00007FF774CC1000-memory.dmp  xmrig
behavioral2/memory/1540-132-0x00007FF640500000-0x00007FF640851000-memory.dmp  xmrig
behavioral2/memory/4152-131-0x00007FF6A79E0000-0x00007FF6A7D31000-memory.dmp  xmrig
behavioral2/memory/4548-133-0x00007FF61C8B0000-0x00007FF61CC01000-memory.dmp  xmrig
behavioral2/memory/1596-143-0x00007FF6C5210000-0x00007FF6C5561000-memory.dmp  xmrig
behavioral2/memory/4764-147-0x00007FF66C530000-0x00007FF66C881000-memory.dmp  xmrig
behavioral2/memory/1604-150-0x00007FF76AAE0000-0x00007FF76AE31000-memory.dmp  xmrig
behavioral2/memory/2028-149-0x00007FF69FD40000-0x00007FF6A0091000-memory.dmp  xmrig
behavioral2/memory/3256-148-0x00007FF71A490000-0x00007FF71A7E1000-memory.dmp  xmrig
behavioral2/memory/4492-146-0x00007FF666040000-0x00007FF666391000-memory.dmp  xmrig
behavioral2/memory/4512-145-0x00007FF793580000-0x00007FF7938D1000-memory.dmp  xmrig
behavioral2/memory/800-142-0x00007FF609DB0000-0x00007FF60A101000-memory.dmp  xmrig
behavioral2/memory/4548-155-0x00007FF61C8B0000-0x00007FF61CC01000-memory.dmp  xmrig
behavioral2/memory/2164-201-0x00007FF751A00000-0x00007FF751D51000-memory.dmp  xmrig
behavioral2/memory/4788-203-0x00007FF7F99A0000-0x00007FF7F9CF1000-memory.dmp  xmrig
behavioral2/memory/1448-205-0x00007FF6B2300000-0x00007FF6B2651000-memory.dmp  xmrig
behavioral2/memory/836-207-0x00007FF646010000-0x00007FF646361000-memory.dmp  xmrig
behavioral2/memory/1132-211-0x00007FF66B730000-0x00007FF66BA81000-memory.dmp  xmrig
behavioral2/memory/4408-210-0x00007FF630E80000-0x00007FF6311D1000-memory.dmp  xmrig
behavioral2/memory/800-214-0x00007FF609DB0000-0x00007FF60A101000-memory.dmp  xmrig
behavioral2/memory/3892-217-0x00007FF7D9870000-0x00007FF7D9BC1000-memory.dmp  xmrig
behavioral2/memory/768-216-0x00007FF774970000-0x00007FF774CC1000-memory.dmp  xmrig
behavioral2/memory/4492-220-0x00007FF666040000-0x00007FF666391000-memory.dmp  xmrig
behavioral2/memory/3020-225-0x00007FF6DD6E0000-0x00007FF6DDA31000-memory.dmp  xmrig
behavioral2/memory/4512-224-0x00007FF793580000-0x00007FF7938D1000-memory.dmp  xmrig
behavioral2/memory/1596-222-0x00007FF6C5210000-0x00007FF6C5561000-memory.dmp  xmrig
behavioral2/memory/2028-232-0x00007FF69FD40000-0x00007FF6A0091000-memory.dmp  xmrig
behavioral2/memory/3256-233-0x00007FF71A490000-0x00007FF71A7E1000-memory.dmp  xmrig
behavioral2/memory/1604-230-0x00007FF76AAE0000-0x00007FF76AE31000-memory.dmp  xmrig
behavioral2/memory/4764-228-0x00007FF66C530000-0x00007FF66C881000-memory.dmp  xmrig
behavioral2/memory/3276-236-0x00007FF6B2560000-0x00007FF6B28B1000-memory.dmp  xmrig
behavioral2/memory/3044-238-0x00007FF6B2880000-0x00007FF6B2BD1000-memory.dmp  xmrig
behavioral2/memory/4152-240-0x00007FF6A79E0000-0x00007FF6A7D31000-memory.dmp  xmrig
behavioral2/memory/1540-242-0x00007FF640500000-0x00007FF640851000-memory.dmp  xmrig
-
Executes dropped EXE 21 IoCs
pid  Process
2164  vggzEfU.exe
4788  XMWdxEg.exe
1448  vseJgKb.exe
836  NAgHgem.exe
3892  bLQvdey.exe
4408  wbvRmXr.exe
1132  CDMQFqw.exe
768  SaOUnxN.exe
800  PLhUzSF.exe
3020  JizhngT.exe
1596  HelVvxt.exe
4512  mclAoPu.exe
4492  okbDsto.exe
4764  Qzaylvk.exe
3256  tpZQRTB.exe
2028  RlWwhAf.exe
1604  ilTRwuh.exe
3276  Bhneiar.exe
3044  KUsDZSM.exe
4152  SDVVOkp.exe
1540  dMfpiNW.exe
-
resource  yara_rule
behavioral2/memory/4548-0-0x00007FF61C8B0000-0x00007FF61CC01000-memory.dmp  upx
behavioral2/files/0x0008000000023463-4.dat  upx
behavioral2/memory/2164-8-0x00007FF751A00000-0x00007FF751D51000-memory.dmp  upx
behavioral2/files/0x0007000000023467-10.dat  upx
behavioral2/memory/4788-18-0x00007FF7F99A0000-0x00007FF7F9CF1000-memory.dmp  upx
behavioral2/files/0x0007000000023469-20.dat  upx
behavioral2/files/0x000700000002346a-27.dat  upx
behavioral2/memory/1448-28-0x00007FF6B2300000-0x00007FF6B2651000-memory.dmp  upx
behavioral2/memory/1132-46-0x00007FF66B730000-0x00007FF66BA81000-memory.dmp  upx
behavioral2/memory/768-56-0x00007FF774970000-0x00007FF774CC1000-memory.dmp  upx
behavioral2/files/0x000700000002346e-64.dat  upx
behavioral2/memory/4512-69-0x00007FF793580000-0x00007FF7938D1000-memory.dmp  upx
behavioral2/files/0x0007000000023474-86.dat  upx
behavioral2/files/0x0007000000023473-92.dat  upx
behavioral2/memory/1604-100-0x00007FF76AAE0000-0x00007FF76AE31000-memory.dmp  upx
behavioral2/files/0x0007000000023475-104.dat  upx
behavioral2/files/0x0008000000023464-102.dat  upx
behavioral2/memory/2028-101-0x00007FF69FD40000-0x00007FF6A0091000-memory.dmp  upx
behavioral2/memory/4548-97-0x00007FF61C8B0000-0x00007FF61CC01000-memory.dmp  upx
behavioral2/memory/3256-96-0x00007FF71A490000-0x00007FF71A7E1000-memory.dmp  upx
behavioral2/memory/4764-89-0x00007FF66C530000-0x00007FF66C881000-memory.dmp  upx
behavioral2/memory/4492-85-0x00007FF666040000-0x00007FF666391000-memory.dmp  upx
behavioral2/files/0x0007000000023472-83.dat  upx
behavioral2/files/0x000700000002346f-77.dat  upx
behavioral2/memory/3020-76-0x00007FF6DD6E0000-0x00007FF6DDA31000-memory.dmp  upx
behavioral2/files/0x0007000000023471-73.dat  upx
behavioral2/memory/1596-68-0x00007FF6C5210000-0x00007FF6C5561000-memory.dmp  upx
behavioral2/files/0x0007000000023470-71.dat  upx
behavioral2/memory/800-63-0x00007FF609DB0000-0x00007FF60A101000-memory.dmp  upx
behavioral2/memory/4408-62-0x00007FF630E80000-0x00007FF6311D1000-memory.dmp  upx
behavioral2/files/0x000700000002346d-51.dat  upx
behavioral2/memory/3892-45-0x00007FF7D9870000-0x00007FF7D9BC1000-memory.dmp  upx
behavioral2/files/0x000700000002346c-42.dat  upx
behavioral2/files/0x000700000002346b-41.dat  upx
behavioral2/memory/836-32-0x00007FF646010000-0x00007FF646361000-memory.dmp  upx
behavioral2/files/0x0007000000023468-19.dat  upx
behavioral2/files/0x0007000000023476-108.dat  upx
behavioral2/files/0x0007000000023479-115.dat  upx
behavioral2/memory/2164-109-0x00007FF751A00000-0x00007FF751D51000-memory.dmp  upx
behavioral2/memory/3276-117-0x00007FF6B2560000-0x00007FF6B28B1000-memory.dmp  upx
behavioral2/memory/3044-120-0x00007FF6B2880000-0x00007FF6B2BD1000-memory.dmp  upx
behavioral2/files/0x000700000002347a-124.dat  upx
behavioral2/files/0x000700000002347c-126.dat  upx
behavioral2/memory/3892-129-0x00007FF7D9870000-0x00007FF7D9BC1000-memory.dmp  upx
behavioral2/memory/836-128-0x00007FF646010000-0x00007FF646361000-memory.dmp  upx
behavioral2/memory/768-130-0x00007FF774970000-0x00007FF774CC1000-memory.dmp  upx
behavioral2/memory/1540-132-0x00007FF640500000-0x00007FF640851000-memory.dmp  upx
behavioral2/memory/4152-131-0x00007FF6A79E0000-0x00007FF6A7D31000-memory.dmp  upx
behavioral2/memory/4548-133-0x00007FF61C8B0000-0x00007FF61CC01000-memory.dmp  upx
behavioral2/memory/1596-143-0x00007FF6C5210000-0x00007FF6C5561000-memory.dmp  upx
behavioral2/memory/4764-147-0x00007FF66C530000-0x00007FF66C881000-memory.dmp  upx
behavioral2/memory/1604-150-0x00007FF76AAE0000-0x00007FF76AE31000-memory.dmp  upx
behavioral2/memory/2028-149-0x00007FF69FD40000-0x00007FF6A0091000-memory.dmp  upx
behavioral2/memory/3256-148-0x00007FF71A490000-0x00007FF71A7E1000-memory.dmp  upx
behavioral2/memory/4492-146-0x00007FF666040000-0x00007FF666391000-memory.dmp  upx
behavioral2/memory/4512-145-0x00007FF793580000-0x00007FF7938D1000-memory.dmp  upx
behavioral2/memory/800-142-0x00007FF609DB0000-0x00007FF60A101000-memory.dmp  upx
behavioral2/memory/4548-155-0x00007FF61C8B0000-0x00007FF61CC01000-memory.dmp  upx
behavioral2/memory/2164-201-0x00007FF751A00000-0x00007FF751D51000-memory.dmp  upx
behavioral2/memory/4788-203-0x00007FF7F99A0000-0x00007FF7F9CF1000-memory.dmp  upx
behavioral2/memory/1448-205-0x00007FF6B2300000-0x00007FF6B2651000-memory.dmp  upx
behavioral2/memory/836-207-0x00007FF646010000-0x00007FF646361000-memory.dmp  upx
behavioral2/memory/1132-211-0x00007FF66B730000-0x00007FF66BA81000-memory.dmp  upx
behavioral2/memory/4408-210-0x00007FF630E80000-0x00007FF6311D1000-memory.dmp  upx
-
Drops file in Windows directory 21 IoCs
description  ioc  Process
File created  C:\Windows\System\RlWwhAf.exe  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\KUsDZSM.exe  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\XMWdxEg.exe  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\vseJgKb.exe  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\CDMQFqw.exe  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\wbvRmXr.exe  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\SaOUnxN.exe  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\mclAoPu.exe  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\okbDsto.exe  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\tpZQRTB.exe  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\Bhneiar.exe  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\SDVVOkp.exe  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\dMfpiNW.exe  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\vggzEfU.exe  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\NAgHgem.exe  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\bLQvdey.exe  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\HelVvxt.exe  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\JizhngT.exe  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\Qzaylvk.exe  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\PLhUzSF.exe  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\ilTRwuh.exe  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description  pid  Process
Token: SeLockMemoryPrivilege  4548  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege  4548  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe
-
Suspicious use of WriteProcessMemory 42 IoCs
description  pid  Process  procid_target
PID 4548 wrote to memory of 2164  4548  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe  87
PID 4548 wrote to memory of 2164  4548  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe  87
PID 4548 wrote to memory of 4788  4548  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe  88
PID 4548 wrote to memory of 4788  4548  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe  88
PID 4548 wrote to memory of 1448  4548  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe  89
PID 4548 wrote to memory of 1448  4548  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe  89
PID 4548 wrote to memory of 836  4548  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe  90
PID 4548 wrote to memory of 836  4548  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe  90
PID 4548 wrote to memory of 3892  4548  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe  92
PID 4548 wrote to memory of 3892  4548  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe  92
PID 4548 wrote to memory of 1132  4548  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe  93
PID 4548 wrote to memory of 1132  4548  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe  93
PID 4548 wrote to memory of 4408  4548  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe  94
PID 4548 wrote to memory of 4408  4548  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe  94
PID 4548 wrote to memory of 768  4548  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe  95
PID 4548 wrote to memory of 768  4548  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe  95
PID 4548 wrote to memory of 800  4548  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe  96
PID 4548 wrote to memory of 800  4548  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe  96
PID 4548 wrote to memory of 1596  4548  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe  97
PID 4548 wrote to memory of 1596  4548  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe  97
PID 4548 wrote to memory of 3020  4548  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe  98
PID 4548 wrote to memory of 3020  4548  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe  98
PID 4548 wrote to memory of 4512  4548  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe  99
PID 4548 wrote to memory of 4512  4548  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe  99
PID 4548 wrote to memory of 4492  4548  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe  100
PID 4548 wrote to memory of 4492  4548  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe  100
PID 4548 wrote to memory of 4764  4548  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe  101
PID 4548 wrote to memory of 4764  4548  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe  101
PID 4548 wrote to memory of 3256  4548  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe  102
PID 4548 wrote to memory of 3256  4548  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe  102
PID 4548 wrote to memory of 2028  4548  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe  103
PID 4548 wrote to memory of 2028  4548  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe  103
PID 4548 wrote to memory of 1604  4548  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe  104
PID 4548 wrote to memory of 1604  4548  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe  104
PID 4548 wrote to memory of 3276  4548  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe  105
PID 4548 wrote to memory of 3276  4548  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe  105
PID 4548 wrote to memory of 3044  4548  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe  108
PID 4548 wrote to memory of 3044  4548  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe  108
PID 4548 wrote to memory of 4152  4548  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe  109
PID 4548 wrote to memory of 4152  4548  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe  109
PID 4548 wrote to memory of 1540  4548  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe  110
PID 4548 wrote to memory of 1540  4548  2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe  110
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4548
  - C:\Windows\System\vggzEfU.exe
    Command line: C:\Windows\System\vggzEfU.exe
    - Executes dropped EXE
    PID:2164
  - C:\Windows\System\XMWdxEg.exe
    Command line: C:\Windows\System\XMWdxEg.exe
    - Executes dropped EXE
    PID:4788
  - C:\Windows\System\vseJgKb.exe
    Command line: C:\Windows\System\vseJgKb.exe
    - Executes dropped EXE
    PID:1448
  - C:\Windows\System\NAgHgem.exe
    Command line: C:\Windows\System\NAgHgem.exe
    - Executes dropped EXE
    PID:836
  - C:\Windows\System\bLQvdey.exe
    Command line: C:\Windows\System\bLQvdey.exe
    - Executes dropped EXE
    PID:3892
  - C:\Windows\System\CDMQFqw.exe
    Command line: C:\Windows\System\CDMQFqw.exe
    - Executes dropped EXE
    PID:1132
  - C:\Windows\System\wbvRmXr.exe
    Command line: C:\Windows\System\wbvRmXr.exe
    - Executes dropped EXE
    PID:4408
  - C:\Windows\System\SaOUnxN.exe
    Command line: C:\Windows\System\SaOUnxN.exe
    - Executes dropped EXE
    PID:768
  - C:\Windows\System\PLhUzSF.exe
    Command line: C:\Windows\System\PLhUzSF.exe
    - Executes dropped EXE
    PID:800
  - C:\Windows\System\HelVvxt.exe
    Command line: C:\Windows\System\HelVvxt.exe
    - Executes dropped EXE
    PID:1596
  - C:\Windows\System\JizhngT.exe
    Command line: C:\Windows\System\JizhngT.exe
    - Executes dropped EXE
    PID:3020
  - C:\Windows\System\mclAoPu.exe
    Command line: C:\Windows\System\mclAoPu.exe
    - Executes dropped EXE
    PID:4512
  - C:\Windows\System\okbDsto.exe
    Command line: C:\Windows\System\okbDsto.exe
    - Executes dropped EXE
    PID:4492
  - C:\Windows\System\Qzaylvk.exe
    Command line: C:\Windows\System\Qzaylvk.exe
    - Executes dropped EXE
    PID:4764
  - C:\Windows\System\tpZQRTB.exe
    Command line: C:\Windows\System\tpZQRTB.exe
    - Executes dropped EXE
    PID:3256
  - C:\Windows\System\RlWwhAf.exe
    Command line: C:\Windows\System\RlWwhAf.exe
    - Executes dropped EXE
    PID:2028
  - C:\Windows\System\ilTRwuh.exe
    Command line: C:\Windows\System\ilTRwuh.exe
    - Executes dropped EXE
    PID:1604
  - C:\Windows\System\Bhneiar.exe
    Command line: C:\Windows\System\Bhneiar.exe
    - Executes dropped EXE
    PID:3276
  - C:\Windows\System\KUsDZSM.exe
    Command line: C:\Windows\System\KUsDZSM.exe
    - Executes dropped EXE
    PID:3044
  - C:\Windows\System\SDVVOkp.exe
    Command line: C:\Windows\System\SDVVOkp.exe
    - Executes dropped EXE
    PID:4152
  - C:\Windows\System\dMfpiNW.exe
    Command line: C:\Windows\System\dMfpiNW.exe
    - Executes dropped EXE
    PID:1540
Downloads

Filesize: 5.2MB
MD5: 425b1b42e61982d1e92521cefc7e4aea
SHA1: e15015fdc4906b18b37150bbecdad9b878d28040
SHA256: 099c3232a42f5fd7a32491d7b037ca90c82b1b2de1ab2b30d92db045661899f0
SHA512: 7447ff7daf802f54394f95a1912dfdab36c96457ded55277c1e79aa9e882886469a7cfc6cbdd2c05f26d635c14100e588ac686962e047133b31ba926944719a0

Filesize: 5.2MB
MD5: 79f5d0f0e9d8904648acd41fd223ac49
SHA1: 58ad732378798add09f6321685ce4effcc8d19e0
SHA256: b6c7164585c47be123136ff603458e835407f64414a3648eaa1caaca370fe44a
SHA512: b83eddba859308d0ca0ab129dd88b111f936451498633aa2e8941ceeb8f298965769bcbdc9b47fc4fb77a88992f208e51d734445a8b33df193416ae08d29dbc3

Filesize: 5.2MB
MD5: 8bcffcf26c28e8b88abf4be8f257291b
SHA1: 9d1c3c1c9de470a625fd66998d5e364f871814fc
SHA256: 283dc24c08b405f7655c8b8c1247bf5c19d4ba44ed6fe213edf35f2ab613b10c
SHA512: b39c17c5f62fb9491cd87ecd1130f55454719b8da3b41eafd49001d9ad0d72e901e2de201819c343f2eb79337268c713513bd3a2ec0c13ff5bd4849d2fa6b16c

Filesize: 5.2MB
MD5: a023e9574dc0b6dc558b191ec6c5a675
SHA1: 73f205cd7d6c6452fa869c328f0cb1a54783770b
SHA256: 91280fd3d25ab882717547e0db04b071a39a0592218827be4c529f9743d9389a
SHA512: 297c1754beb15800f1d5efcb4bec8279d9189871046132ed331d46bb63bbf8296d26888d6065adf5f850d0588b8e8ec875c488900d0585521323f6131f66e43b

Filesize: 5.2MB
MD5: 2103b2d482b9a2102fbe342fcf2dc346
SHA1: 802ba6b8711af4ce32c1dfcf93c8dd264b99e3c3
SHA256: 5641d2cddc51160446b5161cd836abf2d378721fba82ffa84b9c17c74f5fc024
SHA512: 7a1cbd23462d1f86e8cbf32b29d7bbaf9ebaa79971db570fc977741bdf53a137aaad48cc64b401bd533438949179cdfcfdc7245c2c0d08dfe327908019a5f1fc

Filesize: 5.2MB
MD5: 452b3599df9b2a58cb75497bafcce364
SHA1: a16f18f58811e674d72e3e31e45e19cf21f85d9a
SHA256: 22794e2e6bb0f2de1d0d0660cbcc8b3ebe85e063828c4279c2b945654bed8751
SHA512: 7f855beec0887e0c9fbae5e0e8d2daad0e938c5d872f5f31ee220a5ab43c42a1d00e1b1cd9dac46a9889eb337e338a862a39309ed985e72bee45e96c748269b3

Filesize: 5.2MB
MD5: 9f22adb652ca7e509577479551a33b27
SHA1: b848f518ed2773268f7d4dec8f723f65b83d3fd9
SHA256: ee6c824831e8fb2cdd09e9cd3aee991241726fee314e4f2af0f02c7b0b2e3628
SHA512: ec48e1321c342796e8230bb5f321d633d3afd504d52ddc3cb4d8f21f4b09e28591589ce8f54cbcbc563178bc796c97bc5a34c28a7c3d81e638f09bec979a65ca

Filesize: 5.2MB
MD5: d17b39a11f719cfa3f5b776abf93622c
SHA1: 782231a344b5bf63fa903f6b9195223263609e95
SHA256: d020f29e55f3072f20cc0856b04aa7dcbf27af0512449a5d99e062b78fdb66ca
SHA512: 0d5d2bc9b1a84888816329efe63a8e9b94d146b22640c1cb2e8979c4c270c554f08baeec7d8da40676accdfc099bea6b748c494a134abbb57844bb8982e945c6

Filesize: 5.2MB
MD5: 940daf91e823e4b4c99887ed2c7b1044
SHA1: ace6dc2b325663664b450190986276b4b6b76f40
SHA256: 113aac504f6e860ff0e07ba38b93650d7d66878ce58ac414db68cfd0483e43ad
SHA512: e9dd70a990eb07649dbf7dd154a70fd303451c1e74ade038f3053466292542f07bd2d401d2374b67e695c80bf66fef910b7e8dc9418e3f52f8cbde037974ce6a

Filesize: 5.2MB
MD5: db0d057db7440a672ff9f06f573decd4
SHA1: ff2260a3657180dd43cb2a64631ff3f709deaedc
SHA256: e64daf65538bdc557c035bf78b3755be18e5a40b3a1f76689bc01cc189e9a4a1
SHA512: cbd95e0ae9a22e34cc1886115679978dc6b692cbe600292d42599d801a0c520fdde1be60ba6e0335a7074991347dfa47fb8df96410fd8d82e052b7e3bbcf5af3

Filesize: 5.2MB
MD5: 8445f115208c14231d5ea458a88ee6d7
SHA1: 357062b76c410942ad409b6f92254bdc7c7b2e17
SHA256: e58d1fc3a957552ba5be71bb0fa68de6c0a3e5360461ec911ffcc314b1203d38
SHA512: 7500cd1d39f5c4a8870704ec8600953218d50062018abc81afb63e89dd0cc4a0de67960f2ae942d756763738eeb363ed6fe3fc995b937771813b8b40ef0cf160

Filesize: 5.2MB
MD5: a4766afe38d3a6e0492102aba49f3f96
SHA1: 41c80dac61b629cf7cf9707f227ce113b888f572
SHA256: b86c82d87e035a7e6fb2b59cbda743ef43ea58f956dbfdf54466fa8ee2a92e25
SHA512: c73c280297ed0901f136ee0d64319005ef9e793f31422220e00a3979e3d4c3567006c8ad7cfc51c7acc332bc058b747745527baf4fe6edbce4326981d7406072

Filesize: 5.2MB
MD5: 8e717d8990f440d4af09afb416dde7f7
SHA1: 082fcf8926c47cb955bbed27756da5b1572b7424
SHA256: 6c1f202bb45f20e505b25a76c6809baf90bcf2c950d5d9f4597b2db1ecbe1c2b
SHA512: b16162dbe5d862ea4c49994d1cfe79eb00ed049c0d49e49f8af161ef139c4e8170d7186c5e99d095834f755f17da8d3f936ace54c4020d955841a9071b4a48ec

Filesize: 5.2MB
MD5: bb58815587f4526f0a888a53d90fa884
SHA1: b0976959f3f0ff49d2066b8eef471080a9aacffb
SHA256: a26d926fa22b636852c05a2043e426ec86cf48c331a7b2ec79f842cc7e3f3b8c
SHA512: 1f5225c795c40d89d2c4f17a890993b8774af06d21abeeedc764fe8a5806673ee64b03995b403346c6103bd5cc4bb33b2e5f45eb5e64b279403c0e841e1bb747

Filesize: 5.2MB
MD5: 79fe620657f6a782f670af214cb88175
SHA1: 46a823c9f9d71eca473b30e53ed342b851aa7aff
SHA256: ef03c98a579517e6cbd1a249ef63ece7ea493194af3a980e8be20605e053b84a
SHA512: dbd6368d6c296c5000c4f1281c7849e8349e7a8ae98cca6eaf85433e46137d85629d957fcaca17559e2a273e0e796286b02cbaf0e66492c824148063d6eb163d

Filesize: 5.2MB
MD5: e5b7e680c1b6f482ecfa4c52e3a099f0
SHA1: e11bd106346b5824be1df42186b5f0b64e291b4d
SHA256: e00dfd0723595ccd100586764d233c829e2253acd84e0c1a07fc4209b397565c
SHA512: f5b01f2baddff03dbdbf55d4fdaa9d8e557bb2ca98cae828a1bc9d86a86db5ebb5dddf3a25b4c21a30a4ddc25820155b5c79a1f6807a986cf0130c82f59cceb3

Filesize: 5.2MB
MD5: be79bb72b307ab96a7cac44341b8a535
SHA1: 805fd33fe670bfd8bbb12eaf42901e7605e445b1
SHA256: 114cde461a6e09e923f7c217ad5665879d7bda871455408e01d50fbe63882c7f
SHA512: dda784c23317fb24bb558770aa8362928b04352a97933ea98242573922f5132f599d404afb09570805d6c29642d0a12972f76f3609a7f0a4194cd2bc9580f97c

Filesize: 5.2MB
MD5: d7c9883133883601b074e9516a03c56b
SHA1: 290ac4a7f0c4c144d4f961de695f2857685a808a
SHA256: 6b76c89433e0166f91b49493f24d981a822b98d2543fd7a9fb6e25584125c6c2
SHA512: dd867962843de05a5ad1ea23c42f019065e0fe2a582fb21ca2ef47b8aadaf4bc4b3b34bb372e5dba5da4d618e5df875eac87b8480482d2abc977fb1bd93c7d4a

Filesize: 5.2MB
MD5: 112f2175076c158e6e24f92935648b57
SHA1: cbcf4426163dcbe08a7370fc7d93c5a6d777cc93
SHA256: 63ee820123e7601f385ee8e9989e98d3dfcd957bf9dd8807f16e2543005b47a0
SHA512: 12d2af16a9725131bf22a4b91ea6607d3807df05f0fe401131d81929797849929005681ec2fbfb813c9884a5f50b6bba4e9ac8c5e85436be80c18d1b5a8f6ec0

Filesize: 5.2MB
MD5: f836b41e4084350dbb189a49658dde50
SHA1: c38d8c34ef5f3227049fb856730fcd00cba05dfd
SHA256: 6aa945672a09f16a97669e40815e4ed2114845218eea7c87f2ec314f997f4912
SHA512: 20a97ed14fa9025c1366ed847d76fe08c3b7793f928215fb262532f17814947f224c2e69b884a7c8b7e7911d3af9377a2d8420bb33ffe75a5acabc55eff29a19

Filesize: 5.2MB
MD5: 5494db551da7d46346d6323e6e9a28d2
SHA1: fc091e071e6df9d0489273a3c0a847b15d254904
SHA256: df1f44d9facd2eee88d6f626b3ceb9f73ab5de30dfa294cd5bebccaee0f95561
SHA512: 2a92a1175b99e279af838dee92d0727e694ad4991d0755d27c65caf5b5e86dec97dfe02ff72d9ad91857b01f0ea54b2c10a6127159e16369acaccb300b411759