Analysis
max time kernel: 141s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/08/2024, 20:57
Behavioral task
behavioral1
Sample: 2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe
Resource: win7-20240704-en
General
Target: 2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe
Size: 5.2MB
MD5: 4a884931dd6fed9f9908150d6f769d91
SHA1: e2f9524d84dfbe92ce2ad83f9a675b93d24c1fcc
SHA256: d99377a546391844c7a4e9917b86ee6d316fceaee76a6ee7cfda39786332d387
SHA512: 9ddeab9318bae2180f86f36721a9cf1c398ba43e5d712b63175b652e904e788a52d53773ff5883fb599fb96dc8ef63f54836635523e83b7dfbae794a538f1035
SSDEEP: 49152:ROdWCCi7/raA56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lH:RWWBibj56utgpPFotBER/mQ32lUz
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
Signatures
-
Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
XMRig Miner payload 45 IoCs
Executes dropped EXE 21 IoCs
Drops file in Windows directory 21 IoCs
Suspicious use of AdjustPrivilegeToken 2 IoCs
Suspicious use of WriteProcessMemory 42 IoCs
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe (PID 4568)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe"
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\System\ucepLGH.exe (PID 1992): Executes dropped EXE
  - C:\Windows\System\TeLaRry.exe (PID 4320): Executes dropped EXE
  - C:\Windows\System\HvgjWlZ.exe (PID 3996): Executes dropped EXE
  - C:\Windows\System\FPKYiFG.exe (PID 3584): Executes dropped EXE
  - C:\Windows\System\HFJOcBy.exe (PID 3992): Executes dropped EXE
  - C:\Windows\System\yxxPYkv.exe (PID 1628): Executes dropped EXE
  - C:\Windows\System\IRzMzvw.exe (PID 1820): Executes dropped EXE
  - C:\Windows\System\GJkbsDS.exe (PID 3676): Executes dropped EXE
  - C:\Windows\System\ojPQsed.exe (PID 1060): Executes dropped EXE
  - C:\Windows\System\lJqciEY.exe (PID 4580): Executes dropped EXE
  - C:\Windows\System\vBUAOmk.exe (PID 4088): Executes dropped EXE
  - C:\Windows\System\dPyoZip.exe (PID 2384): Executes dropped EXE
  - C:\Windows\System\KgUEVIr.exe (PID 4028): Executes dropped EXE
  - C:\Windows\System\QTqeJRQ.exe (PID 1916): Executes dropped EXE
  - C:\Windows\System\cHTaDpl.exe (PID 3424): Executes dropped EXE
  - C:\Windows\System\WaREuyW.exe (PID 3392): Executes dropped EXE
  - C:\Windows\System\AKIJWdM.exe (PID 1908): Executes dropped EXE
  - C:\Windows\System\sAvbqqn.exe (PID 1744): Executes dropped EXE
  - C:\Windows\System\SizUtPe.exe (PID 4732): Executes dropped EXE
  - C:\Windows\System\eVFSZEo.exe (PID 5060): Executes dropped EXE
  - C:\Windows\System\QassaPW.exe (PID 1872): Executes dropped EXE
Downloads