Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 31s
- max time network: 32s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/08/2024, 20:55
Behavioral task
- behavioral1
  Sample: 2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe
  Resource: win7-20240729-en
Errors
General
- Target: 2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe
- Size: 5.2MB
- MD5: 4165a1f06aee4e58abb87ffc03f02c42
- SHA1: 65da93e59b66c6f1e6ffb591dedab453640bed0e
- SHA256: d0c628c771aec61d6cd406500e726f820420d5a03b399318b3877ed88b80e4eb
- SHA512: f73bace7fa1a6e7768452c1d6d7201d875ae3b540c511a21d208cd7e828f27e66752b4070f6c32cd4ea98433b058fbe07ab1d21e9686cecbf6d46c6989d8d2fe
- SSDEEP: 49152:ROdWCCi7/raA56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l3:RWWBibj56utgpPFotBER/mQ32lUj
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- access_type: 512
- beacon_type: 256
- create_remote_thread: 768
- crypto_scheme: 256
- host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http_header1:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_header2:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
- http_method1: GET
- http_method2: POST
- maxdns: 255
- pipe_name: \\%s\pipe\msagent_%x
- polling_time: 5000
- port_number: 443
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 4096
- unknown2:
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /N4215/adj/amzn.us.sr.aps
- user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
- watermark: 0
Signatures
- Cobalt Strike reflective loader (21 IoCs)
  Detects the reflective loader used by Cobalt Strike.
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- XMRig Miner payload (25 IoCs)
- Executes dropped EXE (21 IoCs)
  pid / Process: 4960 vTqXGQb.exe, 1216 FanvDaJ.exe, 3236 aXRONmd.exe, 2556 mWlmsRJ.exe, 4364 CwhINWF.exe, 2720 EzpwROt.exe, 3080 vzSydhR.exe, 2072 jRBDmyz.exe, 5020 geZEGgN.exe, 1468 tpjBBiC.exe, 4412 GCKFVpn.exe, 1840 vHjBwxY.exe, 392 IpNxCBF.exe, 232 WcIsxNn.exe, 1816 mLKmvBO.exe, 944 APLPRgZ.exe, 2236 vtgBWIZ.exe, 2148 QONRLJy.exe, 1656 pMPjjwx.exe, 3156 DpCCfRP.exe, 3256 kykyyiV.exe
- Drops file in Windows directory (21 IoCs)
  All entries are "File created" by 2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe:
  C:\Windows\System\geZEGgN.exe, C:\Windows\System\GCKFVpn.exe, C:\Windows\System\vHjBwxY.exe, C:\Windows\System\aXRONmd.exe, C:\Windows\System\mWlmsRJ.exe, C:\Windows\System\IpNxCBF.exe, C:\Windows\System\mLKmvBO.exe, C:\Windows\System\APLPRgZ.exe, C:\Windows\System\QONRLJy.exe, C:\Windows\System\pMPjjwx.exe, C:\Windows\System\DpCCfRP.exe, C:\Windows\System\vTqXGQb.exe, C:\Windows\System\kykyyiV.exe, C:\Windows\System\CwhINWF.exe, C:\Windows\System\EzpwROt.exe, C:\Windows\System\jRBDmyz.exe, C:\Windows\System\tpjBBiC.exe, C:\Windows\System\FanvDaJ.exe, C:\Windows\System\WcIsxNn.exe, C:\Windows\System\vtgBWIZ.exe, C:\Windows\System\vzSydhR.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeLockMemoryPrivilege, pid 1872, 2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe
  Token: SeLockMemoryPrivilege, pid 1872, 2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe
- Suspicious use of WriteProcessMemory (42 IoCs)
  Source: PID 1872, 2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe; every write below is recorded twice in the report.
  Target pid (procid_target): 4960 (85), 1216 (86), 3236 (87), 2556 (88), 4364 (89), 2720 (90), 3080 (91), 2072 (92), 5020 (94), 1468 (95), 4412 (98), 1840 (99), 392 (100), 232 (102), 1816 (104), 944 (105), 2236 (106), 2148 (107), 1656 (108), 3156 (109), 3256 (110)
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe (depth 1, PID 1872)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes (depth 2); each is flagged "Executes dropped EXE" and its command line is its own path:
  - C:\Windows\System\vTqXGQb.exe (PID 4960)
  - C:\Windows\System\FanvDaJ.exe (PID 1216)
  - C:\Windows\System\aXRONmd.exe (PID 3236)
  - C:\Windows\System\mWlmsRJ.exe (PID 2556)
  - C:\Windows\System\CwhINWF.exe (PID 4364)
  - C:\Windows\System\EzpwROt.exe (PID 2720)
  - C:\Windows\System\vzSydhR.exe (PID 3080)
  - C:\Windows\System\jRBDmyz.exe (PID 2072)
  - C:\Windows\System\geZEGgN.exe (PID 5020)
  - C:\Windows\System\tpjBBiC.exe (PID 1468)
  - C:\Windows\System\GCKFVpn.exe (PID 4412)
  - C:\Windows\System\vHjBwxY.exe (PID 1840)
  - C:\Windows\System\IpNxCBF.exe (PID 392)
  - C:\Windows\System\WcIsxNn.exe (PID 232)
  - C:\Windows\System\mLKmvBO.exe (PID 1816)
  - C:\Windows\System\APLPRgZ.exe (PID 944)
  - C:\Windows\System\vtgBWIZ.exe (PID 2236)
  - C:\Windows\System\QONRLJy.exe (PID 2148)
  - C:\Windows\System\pMPjjwx.exe (PID 1656)
  - C:\Windows\System\DpCCfRP.exe (PID 3156)
  - C:\Windows\System\kykyyiV.exe (PID 3256)
Downloads