Analysis
- max time kernel: 145s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/08/2024, 21:03
Behavioral task: behavioral1
- Sample: 2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe
- Resource: win7-20240704-en
General
- Target: 2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe
- Size: 5.2MB
- MD5: 537bcd684bf14b9f43763d7339027e18
- SHA1: 2921775900797383d11c3fb3fadcc66786265acc
- SHA256: 82c38c205750229efeabc721f140d7431d9a30f6ec32ab849229e62b1a7fb563
- SHA512: 08166afc67c9fdc35342c1f8a6741eefea732dfd1a2332465e46fa77cabe85c5a4802dc3aafb8d846f57c9bb4180c2e2d56386d6e98e65954fcc2d24162aff3c
- SSDEEP: 49152:ROdWCCi7/raA56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lK:RWWBibj56utgpPFotBER/mQ32lU+
Malware Config
Extracted
cobaltstrike
0
- C2:
  - http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
  - http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
  - http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- access_type: 512
- beacon_type: 256
- create_remote_thread: 768
- crypto_scheme: 256
- host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http_header1: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_header2: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
- http_method1: GET
- http_method2: POST
- maxdns: 255
- pipe_name: \\%s\pipe\msagent_%x
- polling_time: 5000
- port_number: 443
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 4096
- unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /N4215/adj/amzn.us.sr.aps
- user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
- watermark: 0
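The two http_header values are Beacon's GET and POST transform programs in their raw serialized form: a sequence of big-endian 32-bit opcodes, some followed by a length-prefixed string, terminated by a zero opcode and padded to the 256-byte field. The decoder below is an added example, not part of the Triage report or of any Cobalt Strike tooling. The opcode names follow the public CobaltStrikeParser project; the two-string layout assumed for the strrep step is an assumption, since this sample never uses it. Run against the blobs exactly as extracted here, it yields the client blocks of the widely published amazon.profile example (Host www.amazon.com, metadata base64'd into a Cookie, session id in the sn parameter, output base64'd into the POST body), which is why the User-Agent and URIs look like Amazon traffic while the real C2 hosts are ns7/ns8/ns9.softline.top.

```python
import base64
import struct

# Transform-step opcodes in Beacon's HttpGet_Metadata / HttpPost_Metadata
# settings (Triage labels them http_header1 / http_header2). Names follow the
# public CobaltStrikeParser project; 1-16 are the steps Beacon 4.x emits.
TRANSFORM_STEPS = {
    1: "append", 2: "prepend", 3: "base64", 4: "print", 5: "parameter",
    6: "header", 7: "build", 8: "netbios", 9: "const_parameter",
    10: "const_header", 11: "netbiosu", 12: "uri_append", 13: "base64url",
    14: "strrep", 15: "mask", 16: "const_host_header",
}
ONE_STRING_STEPS = {1, 2, 5, 6, 9, 10, 16}  # opcode, u32 length, bytes
TWO_STRING_STEPS = {14}                     # strrep old/new: assumed layout, unused here
# "build" selects what the following steps encode; the selector means
# different things in the GET block and in the POST block.
BUILD_TARGETS = {"get": {0: "metadata"}, "post": {0: "id", 1: "output"}}

# http_header1 / http_header2 exactly as extracted in the report above.
HTTP_HEADER1 = "AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="
HTTP_HEADER2 = "AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA=="


def _read_string(data, pos):
    """Read a u32 big-endian length followed by that many bytes."""
    (length,) = struct.unpack_from(">I", data, pos)
    pos += 4
    return data[pos:pos + length].decode("latin-1"), pos + length


def decode_transform(blob_b64, kind):
    """Decode one http_header blob into a list of (step, argument) tuples.
    kind is "get" or "post" and only affects how a build selector is named."""
    blob = blob_b64.strip().rstrip("=")
    data = base64.b64decode(blob + "=" * (-len(blob) % 4))  # tolerate trimmed padding
    steps, pos = [], 0
    while pos + 4 <= len(data):
        (op,) = struct.unpack_from(">I", data, pos)
        pos += 4
        if op == 0:  # zero opcode ends the program; the rest of the field is padding
            break
        name = TRANSFORM_STEPS.get(op, f"unknown_{op}")
        if op in ONE_STRING_STEPS:
            arg, pos = _read_string(data, pos)
            steps.append((name, arg))
        elif op in TWO_STRING_STEPS:
            old, pos = _read_string(data, pos)
            new, pos = _read_string(data, pos)
            steps.append((name, (old, new)))
        elif op == 7:  # build: a u32 selector instead of a string
            (sel,) = struct.unpack_from(">I", data, pos)
            pos += 4
            steps.append((name, BUILD_TARGETS[kind].get(sel, f"selector_{sel}")))
        else:
            steps.append((name, None))
    return steps


def render_profile(steps):
    """Lay the decoded steps out Malleable-C2-profile style (a readable
    paraphrase, not byte-exact profile syntax) so the intent is obvious."""
    out, depth = [], 0
    for name, arg in steps:
        if name == "build":
            out.append(f"{arg} {{")
            depth = 1
            continue
        if isinstance(arg, tuple):
            line = f'{name} "{arg[0]}" "{arg[1]}";'
        elif arg is not None:
            line = f'{name} "{arg}";'
        else:
            line = f"{name};"
        out.append("    " * depth + line)
        if name in ("header", "parameter", "print", "uri_append"):
            out.append("}")  # terminating statements close the build block
            depth = 0
    return "\n".join(out)


if __name__ == "__main__":
    for label, blob, kind in (("http-get", HTTP_HEADER1, "get"),
                              ("http-post", HTTP_HEADER2, "post")):
        print(f"{label} {{\n{render_profile(decode_transform(blob, kind))}\n}}\n")
```

The same decoder applies to any Beacon config dumped by Triage or by a config extractor: the GET program tells you where the base64 metadata is hidden (here the Cookie header, between the session-token= and skin=noskin; prefixes and a fixed csm-hit= suffix), which is the field to strip when writing a network signature or decrypting captured check-ins with the operator's private key.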
Signatures
-
Cobalt Strike reflective loader (21 IoCs)
Detects the reflective loader used by Cobalt Strike.
yara_rule cobalt_reflective_dll matched these resources:
- behavioral2/files/0x00080000000234ed-6.dat
- behavioral2/files/0x00070000000234f2-11.dat
- behavioral2/files/0x00070000000234f1-12.dat
- behavioral2/files/0x00070000000234f3-23.dat
- behavioral2/files/0x00070000000234f4-28.dat
- behavioral2/files/0x00070000000234f5-34.dat
- behavioral2/files/0x00080000000234ee-42.dat
- behavioral2/files/0x00070000000234f7-47.dat
- behavioral2/files/0x00070000000234f8-52.dat
- behavioral2/files/0x00070000000234f9-57.dat
- behavioral2/files/0x00070000000234fa-65.dat
- behavioral2/files/0x00070000000234fb-73.dat
- behavioral2/files/0x00070000000234fd-88.dat
- behavioral2/files/0x00070000000234ff-95.dat
- behavioral2/files/0x00070000000234fe-96.dat
- behavioral2/files/0x00070000000234fc-83.dat
- behavioral2/files/0x0009000000023426-118.dat
- behavioral2/files/0x0008000000023501-125.dat
- behavioral2/files/0x000300000001692d-114.dat
- behavioral2/files/0x0007000000023500-106.dat
- behavioral2/files/0x0008000000023503-129.dat
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
XMRig Miner payload (46 IoCs)
yara_rule xmrig matched these memory regions:
- behavioral2/memory/1332-26-0x00007FF7FE500000-0x00007FF7FE851000-memory.dmp
- behavioral2/memory/1796-32-0x00007FF7075E0000-0x00007FF707931000-memory.dmp
- behavioral2/memory/3384-50-0x00007FF738310000-0x00007FF738661000-memory.dmp
- behavioral2/memory/3472-60-0x00007FF789310000-0x00007FF789661000-memory.dmp
- behavioral2/memory/3784-53-0x00007FF6B8EA0000-0x00007FF6B91F1000-memory.dmp
- behavioral2/memory/396-69-0x00007FF799990000-0x00007FF799CE1000-memory.dmp
- behavioral2/memory/4828-81-0x00007FF6511E0000-0x00007FF651531000-memory.dmp
- behavioral2/memory/3428-80-0x00007FF609FA0000-0x00007FF60A2F1000-memory.dmp
- behavioral2/memory/4784-98-0x00007FF67A300000-0x00007FF67A651000-memory.dmp
- behavioral2/memory/3664-99-0x00007FF713200000-0x00007FF713551000-memory.dmp
- behavioral2/memory/4020-76-0x00007FF7CE2B0000-0x00007FF7CE601000-memory.dmp
- behavioral2/memory/4340-70-0x00007FF6EC3C0000-0x00007FF6EC711000-memory.dmp
- behavioral2/memory/1052-112-0x00007FF6A0760000-0x00007FF6A0AB1000-memory.dmp
- behavioral2/memory/1968-123-0x00007FF730AC0000-0x00007FF730E11000-memory.dmp
- behavioral2/memory/5044-110-0x00007FF6D10C0000-0x00007FF6D1411000-memory.dmp
- behavioral2/memory/1580-128-0x00007FF7CAC30000-0x00007FF7CAF81000-memory.dmp
- behavioral2/memory/4916-131-0x00007FF6E7650000-0x00007FF6E79A1000-memory.dmp
- behavioral2/memory/1020-133-0x00007FF68D2A0000-0x00007FF68D5F1000-memory.dmp
- behavioral2/memory/3564-141-0x00007FF7B6ED0000-0x00007FF7B7221000-memory.dmp
- behavioral2/memory/3472-134-0x00007FF789310000-0x00007FF789661000-memory.dmp
- behavioral2/memory/800-148-0x00007FF6A0DF0000-0x00007FF6A1141000-memory.dmp
- behavioral2/memory/1180-151-0x00007FF69A660000-0x00007FF69A9B1000-memory.dmp
- behavioral2/memory/3484-153-0x00007FF635160000-0x00007FF6354B1000-memory.dmp
- behavioral2/memory/1020-156-0x00007FF68D2A0000-0x00007FF68D5F1000-memory.dmp
- behavioral2/memory/3472-157-0x00007FF789310000-0x00007FF789661000-memory.dmp
- behavioral2/memory/396-202-0x00007FF799990000-0x00007FF799CE1000-memory.dmp
- behavioral2/memory/4020-204-0x00007FF7CE2B0000-0x00007FF7CE601000-memory.dmp
- behavioral2/memory/4828-206-0x00007FF6511E0000-0x00007FF651531000-memory.dmp
- behavioral2/memory/1332-208-0x00007FF7FE500000-0x00007FF7FE851000-memory.dmp
- behavioral2/memory/1796-210-0x00007FF7075E0000-0x00007FF707931000-memory.dmp
- behavioral2/memory/5044-219-0x00007FF6D10C0000-0x00007FF6D1411000-memory.dmp
- behavioral2/memory/3784-223-0x00007FF6B8EA0000-0x00007FF6B91F1000-memory.dmp
- behavioral2/memory/3384-222-0x00007FF738310000-0x00007FF738661000-memory.dmp
- behavioral2/memory/4916-225-0x00007FF6E7650000-0x00007FF6E79A1000-memory.dmp
- behavioral2/memory/3564-227-0x00007FF7B6ED0000-0x00007FF7B7221000-memory.dmp
- behavioral2/memory/4340-229-0x00007FF6EC3C0000-0x00007FF6EC711000-memory.dmp
- behavioral2/memory/3428-231-0x00007FF609FA0000-0x00007FF60A2F1000-memory.dmp
- behavioral2/memory/800-233-0x00007FF6A0DF0000-0x00007FF6A1141000-memory.dmp
- behavioral2/memory/4784-235-0x00007FF67A300000-0x00007FF67A651000-memory.dmp
- behavioral2/memory/3664-237-0x00007FF713200000-0x00007FF713551000-memory.dmp
- behavioral2/memory/1180-241-0x00007FF69A660000-0x00007FF69A9B1000-memory.dmp
- behavioral2/memory/1052-243-0x00007FF6A0760000-0x00007FF6A0AB1000-memory.dmp
- behavioral2/memory/3484-249-0x00007FF635160000-0x00007FF6354B1000-memory.dmp
- behavioral2/memory/1968-251-0x00007FF730AC0000-0x00007FF730E11000-memory.dmp
- behavioral2/memory/1580-253-0x00007FF7CAC30000-0x00007FF7CAF81000-memory.dmp
- behavioral2/memory/1020-255-0x00007FF68D2A0000-0x00007FF68D5F1000-memory.dmp
-
Executes dropped EXE (21 IoCs)
pid   Process
- 396   mwQBlli.exe
- 4020  HLLbpQx.exe
- 4828  TzrWMHt.exe
- 1332  szkVpee.exe
- 1796  uejUWFu.exe
- 5044  YKMRSVa.exe
- 3384  FmRUHBn.exe
- 3784  PXnPKtx.exe
- 4916  QZvLFSq.exe
- 3564  xgcGkfC.exe
- 4340  HZUBkjv.exe
- 3428  lglwBpx.exe
- 800   lyCtNEr.exe
- 4784  rymeSXV.exe
- 3664  KuHIDxc.exe
- 1180  NsJakZE.exe
- 1052  uitjfVl.exe
- 3484  CQQobPF.exe
- 1968  CUbQPYM.exe
- 1580  LNoGiUj.exe
- 1020  NtlBozk.exe
-
yara_rule upx (64 IoCs)
The upx rule matched these resources (the sample, every dropped file and every process image):
- behavioral2/memory/3472-0-0x00007FF789310000-0x00007FF789661000-memory.dmp
- behavioral2/files/0x00080000000234ed-6.dat
- behavioral2/memory/396-8-0x00007FF799990000-0x00007FF799CE1000-memory.dmp
- behavioral2/files/0x00070000000234f2-11.dat
- behavioral2/files/0x00070000000234f1-12.dat
- behavioral2/memory/4828-19-0x00007FF6511E0000-0x00007FF651531000-memory.dmp
- behavioral2/memory/4020-14-0x00007FF7CE2B0000-0x00007FF7CE601000-memory.dmp
- behavioral2/files/0x00070000000234f3-23.dat
- behavioral2/files/0x00070000000234f4-28.dat
- behavioral2/memory/1332-26-0x00007FF7FE500000-0x00007FF7FE851000-memory.dmp
- behavioral2/memory/1796-32-0x00007FF7075E0000-0x00007FF707931000-memory.dmp
- behavioral2/files/0x00070000000234f5-34.dat
- behavioral2/files/0x00080000000234ee-42.dat
- behavioral2/files/0x00070000000234f7-47.dat
- behavioral2/memory/3384-50-0x00007FF738310000-0x00007FF738661000-memory.dmp
- behavioral2/files/0x00070000000234f8-52.dat
- behavioral2/memory/4916-56-0x00007FF6E7650000-0x00007FF6E79A1000-memory.dmp
- behavioral2/files/0x00070000000234f9-57.dat
- behavioral2/files/0x00070000000234fa-65.dat
- behavioral2/memory/3564-64-0x00007FF7B6ED0000-0x00007FF7B7221000-memory.dmp
- behavioral2/memory/3472-60-0x00007FF789310000-0x00007FF789661000-memory.dmp
- behavioral2/memory/3784-53-0x00007FF6B8EA0000-0x00007FF6B91F1000-memory.dmp
- behavioral2/memory/5044-36-0x00007FF6D10C0000-0x00007FF6D1411000-memory.dmp
- behavioral2/memory/396-69-0x00007FF799990000-0x00007FF799CE1000-memory.dmp
- behavioral2/files/0x00070000000234fb-73.dat
- behavioral2/memory/4828-81-0x00007FF6511E0000-0x00007FF651531000-memory.dmp
- behavioral2/memory/3428-80-0x00007FF609FA0000-0x00007FF60A2F1000-memory.dmp
- behavioral2/files/0x00070000000234fd-88.dat
- behavioral2/files/0x00070000000234ff-95.dat
- behavioral2/files/0x00070000000234fe-96.dat
- behavioral2/memory/4784-98-0x00007FF67A300000-0x00007FF67A651000-memory.dmp
- behavioral2/memory/1180-100-0x00007FF69A660000-0x00007FF69A9B1000-memory.dmp
- behavioral2/memory/3664-99-0x00007FF713200000-0x00007FF713551000-memory.dmp
- behavioral2/files/0x00070000000234fc-83.dat
- behavioral2/memory/800-82-0x00007FF6A0DF0000-0x00007FF6A1141000-memory.dmp
- behavioral2/memory/4020-76-0x00007FF7CE2B0000-0x00007FF7CE601000-memory.dmp
- behavioral2/memory/4340-70-0x00007FF6EC3C0000-0x00007FF6EC711000-memory.dmp
- behavioral2/memory/1052-112-0x00007FF6A0760000-0x00007FF6A0AB1000-memory.dmp
- behavioral2/files/0x0009000000023426-118.dat
- behavioral2/files/0x0008000000023501-125.dat
- behavioral2/memory/1968-123-0x00007FF730AC0000-0x00007FF730E11000-memory.dmp
- behavioral2/files/0x000300000001692d-114.dat
- behavioral2/memory/3484-113-0x00007FF635160000-0x00007FF6354B1000-memory.dmp
- behavioral2/memory/5044-110-0x00007FF6D10C0000-0x00007FF6D1411000-memory.dmp
- behavioral2/files/0x0007000000023500-106.dat
- behavioral2/files/0x0008000000023503-129.dat
- behavioral2/memory/1580-128-0x00007FF7CAC30000-0x00007FF7CAF81000-memory.dmp
- behavioral2/memory/4916-131-0x00007FF6E7650000-0x00007FF6E79A1000-memory.dmp
- behavioral2/memory/1020-133-0x00007FF68D2A0000-0x00007FF68D5F1000-memory.dmp
- behavioral2/memory/3564-141-0x00007FF7B6ED0000-0x00007FF7B7221000-memory.dmp
- behavioral2/memory/3472-134-0x00007FF789310000-0x00007FF789661000-memory.dmp
- behavioral2/memory/800-148-0x00007FF6A0DF0000-0x00007FF6A1141000-memory.dmp
- behavioral2/memory/1180-151-0x00007FF69A660000-0x00007FF69A9B1000-memory.dmp
- behavioral2/memory/3484-153-0x00007FF635160000-0x00007FF6354B1000-memory.dmp
- behavioral2/memory/1020-156-0x00007FF68D2A0000-0x00007FF68D5F1000-memory.dmp
- behavioral2/memory/3472-157-0x00007FF789310000-0x00007FF789661000-memory.dmp
- behavioral2/memory/396-202-0x00007FF799990000-0x00007FF799CE1000-memory.dmp
- behavioral2/memory/4020-204-0x00007FF7CE2B0000-0x00007FF7CE601000-memory.dmp
- behavioral2/memory/4828-206-0x00007FF6511E0000-0x00007FF651531000-memory.dmp
- behavioral2/memory/1332-208-0x00007FF7FE500000-0x00007FF7FE851000-memory.dmp
- behavioral2/memory/1796-210-0x00007FF7075E0000-0x00007FF707931000-memory.dmp
- behavioral2/memory/5044-219-0x00007FF6D10C0000-0x00007FF6D1411000-memory.dmp
- behavioral2/memory/3784-223-0x00007FF6B8EA0000-0x00007FF6B91F1000-memory.dmp
- behavioral2/memory/3384-222-0x00007FF738310000-0x00007FF738661000-memory.dmp
-
Drops file in Windows directory (21 IoCs)
All 21 files were created by 2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe in C:\Windows\System (not System32):
- C:\Windows\System\lglwBpx.exe
- C:\Windows\System\rymeSXV.exe
- C:\Windows\System\NtlBozk.exe
- C:\Windows\System\mwQBlli.exe
- C:\Windows\System\FmRUHBn.exe
- C:\Windows\System\PXnPKtx.exe
- C:\Windows\System\xgcGkfC.exe
- C:\Windows\System\NsJakZE.exe
- C:\Windows\System\LNoGiUj.exe
- C:\Windows\System\HLLbpQx.exe
- C:\Windows\System\YKMRSVa.exe
- C:\Windows\System\QZvLFSq.exe
- C:\Windows\System\HZUBkjv.exe
- C:\Windows\System\uitjfVl.exe
- C:\Windows\System\CUbQPYM.exe
- C:\Windows\System\TzrWMHt.exe
- C:\Windows\System\szkVpee.exe
- C:\Windows\System\uejUWFu.exe
- C:\Windows\System\lyCtNEr.exe
- C:\Windows\System\KuHIDxc.exe
- C:\Windows\System\CQQobPF.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description            pid   Process
- Token: SeLockMemoryPrivilege  3472  2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe
- Token: SeLockMemoryPrivilege  3472  2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe
-
Suspicious use of WriteProcessMemory (42 IoCs)
PID 3472 (2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe) wrote to the memory of each child below; the report lists every pair twice, giving 42 IoCs for 21 targets.
target pid   procid_target
- 396    85
- 4020   86
- 4828   87
- 1332   88
- 1796   89
- 5044   90
- 3384   92
- 3784   93
- 4916   94
- 3564   95
- 4340   96
- 3428   98
- 800    100
- 4784   101
- 3664   102
- 1180   103
- 1052   104
- 3484   105
- 1968   106
- 1580   107
- 1020   108
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe (PID 3472)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  children, each flagged "Executes dropped EXE" and launched with a command line identical to its image path:
  - C:\Windows\System\mwQBlli.exe (PID 396)
  - C:\Windows\System\HLLbpQx.exe (PID 4020)
  - C:\Windows\System\TzrWMHt.exe (PID 4828)
  - C:\Windows\System\szkVpee.exe (PID 1332)
  - C:\Windows\System\uejUWFu.exe (PID 1796)
  - C:\Windows\System\YKMRSVa.exe (PID 5044)
  - C:\Windows\System\FmRUHBn.exe (PID 3384)
  - C:\Windows\System\PXnPKtx.exe (PID 3784)
  - C:\Windows\System\QZvLFSq.exe (PID 4916)
  - C:\Windows\System\xgcGkfC.exe (PID 3564)
  - C:\Windows\System\HZUBkjv.exe (PID 4340)
  - C:\Windows\System\lglwBpx.exe (PID 3428)
  - C:\Windows\System\lyCtNEr.exe (PID 800)
  - C:\Windows\System\rymeSXV.exe (PID 4784)
  - C:\Windows\System\KuHIDxc.exe (PID 3664)
  - C:\Windows\System\NsJakZE.exe (PID 1180)
  - C:\Windows\System\uitjfVl.exe (PID 1052)
  - C:\Windows\System\CQQobPF.exe (PID 3484)
  - C:\Windows\System\CUbQPYM.exe (PID 1968)
  - C:\Windows\System\LNoGiUj.exe (PID 1580)
  - C:\Windows\System\NtlBozk.exe (PID 1020)
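The config and the process tree together give four concrete hunting indicators: payloads written to C:\Windows\System (not System32) under seven-letter names and then run by the process that wrote them; sc_process32/sc_process64 pointing at a bare rundll32.exe, which is Beacon's default spawnto and is launched with no arguments; the pipe_name template \\%s\pipe\msagent_%x; and HTTP traffic that either reaches ns7/ns8/ns9.softline.top or carries the profile's URIs and User-Agent with a Host header (www.amazon.com) that does not match the real destination. The block below is an added example, not part of the Triage report or of the sample, that encodes those indicators and runs them over constructed Sysmon-style events: the first two events mirror the process tree above, while the rundll32, pipe and HTTP events are what the config predicts rather than behaviour the sandbox recorded.

```python
import re

# Indicators lifted from the extracted config and the process tree above.
C2_HOSTS = {"ns7.softline.top", "ns8.softline.top", "ns9.softline.top"}
C2_URIS = {
    "/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",  # GET (http_method1)
    "/N4215/adj/amzn.us.sr.aps",                                      # POST (uri)
}
USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
# pipe_name "\\%s\pipe\msagent_%x": %s is the host ("." for a local pipe), %x a hex id.
PIPE_RE = re.compile(r"^\\\\[^\\]+\\pipe\\msagent_[0-9a-f]+$", re.IGNORECASE)
# sc_process32/64 are bare rundll32.exe paths: Beacon's spawnto runs rundll32
# with no arguments, which legitimate callers almost never do.
SPAWNTO_RE = re.compile(
    r'^"?(?:[a-z]:\\windows\\(?:syswow64|sysnative|system32)\\)?rundll32\.exe"?\s*$',
    re.IGNORECASE)
# The 21 payloads landed in C:\Windows\System (not System32) under seven-letter
# names and were executed by the process that wrote them.
DROP_DIR_RE = re.compile(r"^c:\\windows\\system\\[a-z]{7}\.exe$", re.IGNORECASE)

# Constructed Sysmon-style events for the demo. Events 0 and 1 mirror the
# report's process tree; the rundll32, pipe and HTTP events are what the config
# predicts the beacon would do, not behaviour recorded in the sandbox.
EVENTS = [
    {"type": "file_create", "pid": 3472, "path": r"C:\Windows\System\mwQBlli.exe"},
    {"type": "process", "pid": 396, "ppid": 3472, "image": r"C:\Windows\System\mwQBlli.exe",
     "cmdline": r"C:\Windows\System\mwQBlli.exe"},
    {"type": "process", "pid": 5120, "ppid": 396, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"C:\Windows\SysWOW64\rundll32.exe"},
    {"type": "pipe", "pid": 396, "name": r"\\.\pipe\msagent_1a2b"},
    {"type": "http", "pid": 396, "dst": "ns7.softline.top", "host_header": "www.amazon.com",
     "uri": "/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books", "user_agent": USER_AGENT},
    {"type": "http", "pid": 396, "dst": "203.0.113.10", "host_header": "www.amazon.com",
     "uri": "/N4215/adj/amzn.us.sr.aps", "user_agent": USER_AGENT},
    # benign look-alikes that must not fire
    {"type": "process", "pid": 7000, "ppid": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"type": "http", "pid": 8000, "dst": "www.amazon.com", "host_header": "www.amazon.com",
     "uri": "/", "user_agent": USER_AGENT},
]


def hunt(events):
    """Return (event_index, rule) pairs for events matching the report's indicators."""
    hits, dropped_by = [], {}
    for i, ev in enumerate(events):
        kind = ev["type"]
        if kind == "file_create":
            dropped_by[ev["path"].lower()] = ev["pid"]
        elif kind == "process":
            image = ev["image"].lower()
            if DROP_DIR_RE.match(image) and dropped_by.get(image) == ev["ppid"]:
                hits.append((i, "drop-then-execute from C:\\Windows\\System"))
            if SPAWNTO_RE.match(ev["cmdline"]):
                hits.append((i, "rundll32.exe launched with no arguments (spawnto)"))
        elif kind == "pipe":
            if PIPE_RE.match(ev["name"]):
                hits.append((i, "named pipe matches msagent_%x template"))
        elif kind == "http":
            known_c2 = ev["dst"].lower() in C2_HOSTS
            # amazon.profile traffic: Host says www.amazon.com but the peer is not Amazon
            fronted = (ev["host_header"].lower() != ev["dst"].lower()
                       and ev["uri"] in C2_URIS and ev["user_agent"] == USER_AGENT)
            if known_c2 or fronted:
                hits.append((i, "Beacon HTTP: known C2 host or profile URI/UA with mismatched Host"))
    return hits


if __name__ == "__main__":
    for idx, rule in hunt(EVENTS):
        print(f"event {idx}: {rule}")
```

The Host-header mismatch rule is the durable one: the softline.top hosts will rotate, but any beacon built from the same profile keeps claiming to be www.amazon.com while talking to something else, and the bare-rundll32 and msagent_ pipe checks survive a change of C2 entirely.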
Downloads (21 files, each 5.2MB, all with distinct hashes; the report does not map them to the file names above)
-
Filesize: 5.2MB
MD5: b301bb4158fab377d259b776a2543b11
SHA1: 12788b2238c70b65048f7d4f9cb918b077d23e86
SHA256: 092fb1ee974765f83d389f949edd9be3dce3a8839661542756cd430cc28fff66
SHA512: fde3ea220333a2b5a02da33187f6654acb179e43c108913b4c9f0b52cb124c961b09cc7249420ab5ff2551d56771ea88b62e4801a2092e05c645f13258ba7098
-
Filesize: 5.2MB
MD5: 9c8dd8b3b712f366070dc5b74f325fba
SHA1: d53ef0adbcd18e495c2ea4edb481e14811e8ddb1
SHA256: 3362a9da72722de43e4b190b0fc09619e2b86ad6a39277a2c28a9db38ef14a28
SHA512: 879cc9d3cb4e921fe595ed2ab416a15eaac53bc8d1ff090bf7ef01818d7320e3f8be5dc45196d981078807460bd40efcb6a62c682f8fc8495314fb65aa737d6c
-
Filesize: 5.2MB
MD5: cee7355e698c91f82c32d787db9ee749
SHA1: dc685d194c447103989364345136728a31b95e78
SHA256: ae203794201cd7d968b3b2629b863024e8977a23ef492ac21801838d258f589a
SHA512: e02048a6802a8ac3eec9ab4abb85d1f9973b45f9cbcbe97c6f144f022a05b97e73e2cc105ab27dcf52c54e849dfe46ce9e6d7a48874aa6c3e9bcba5ff4b2e4de
-
Filesize: 5.2MB
MD5: 595165e9cd769c4b9e79172efd28a759
SHA1: 4cc2d8acd87fa677a697518b30d75eba981adb2b
SHA256: 7826daf96df272750b70f70b785375d34207d246e3c7d8d798ad04c3cf7050e2
SHA512: 479d9c0bf97ee3e562ab809a6059f4466fccb21708bd87bc67535958adbf05f6d975e651279045b4f4f0da7600c0c9f4176e5cd96620285fead14092fe09dc6e
-
Filesize: 5.2MB
MD5: e6c8a5f8d6034c8a1abe5229fae32870
SHA1: 46812daddc1d02e19ae18f98769a8e57c740a608
SHA256: bada0577397ad0bd0adc8f689a7d446752da81ccbf049e5e6147bc07cebaa51b
SHA512: cc72902c8a2140b684d65338bb67448957e578622aaf45e079c1a2043f843f921087003437cddee53196d8e9bb09368dba5c96ca2e43b2ddb7b7ed6b57f66678
-
Filesize: 5.2MB
MD5: 4ef0004e81abc9144b64620ffc59d1e1
SHA1: e12ffa820e7881030118881d0820dc96249685cd
SHA256: 326ea5c94c44128a497a1635ed200248966b4ceb065d38931a961cbba7ce1532
SHA512: 590e51662845c56f3d63217f4a6d661ea280f3b47d2aaf70a6f77649d4fc76b59cc16fc138c58531a2e529a244f3df1a7eca4cd5c2923f85089a0a68969fafa8
-
Filesize: 5.2MB
MD5: de5118013f0d7863309c9709ce5bb1f0
SHA1: 8371b78d8ea53d4c8a612c941907c4ac6c3fb83b
SHA256: 21e252d5e32b8c3644b05d3ff61ef1dc7f30c9b282c6aa35748994103f8b6fca
SHA512: 57d715613b8c9717150c102b879a1adb5f2a5ac1fc3b9a043abb9154b2239c7ef788787ee6e4a89e5cd3affdd7833b04b2279d63665fe5c05ee568327facfbae
-
Filesize: 5.2MB
MD5: c540520ed43d90385598fb5991aed130
SHA1: d8e0a7f1a39efb721563eab25a3c6024bf8ce034
SHA256: e439904187958414ebf0a63f92b5d1567d0f085a2d3fb463cd385552caa9cd72
SHA512: 651e3ddcbc7b63dcf75de4667db769484bc77186820b152ea2fddf9a42fbc341567077079940b2516cfb600205975d0be2f76b8966a8ba44db66ce3b3b058bac
-
Filesize: 5.2MB
MD5: d231a9fdce2229dae78b77715a77e171
SHA1: 8b786f15dcd1e4cdc10f9acb5bb6163fa7cc843d
SHA256: d5008cf516da7da61826e89f0ca0c22081fa7ec46535e6e482ffa5cdc6ad5be8
SHA512: c74b0c2fb43f03aa57794a95b6d13b0dc7a85084944bc8cd8bceefbe87da7a0bd5d267b9dd454fb5d6977fbe72ef29b16612ff220cc205f3c7c15ef08bd54b9d
-
Filesize: 5.2MB
MD5: aeedee60f6db31c36167b7282dbabbff
SHA1: 47ba1b65ffefb58ab043f1a27adfe39b7e14d2f7
SHA256: f23355b948b5fe16e9ae05dacd0f8d72f0be74d375c54251df9f6325a390fdef
SHA512: 45e420a4ed8ebb68dc9352c07920d5960a3e43bdaadd9345c269c048a058221d5aa75049e87333c3a2798823e0873fca72fa833f1d38698020431b1c9d5065db
-
Filesize: 5.2MB
MD5: 21fd2534ade111f221f8d68436d84755
SHA1: eba680d07a7e73ed464c507f2fe002cbcd577dd8
SHA256: 15c2ed95e57cec8b143f10712ee37ad1f63d9b84f55d006c8437755b5cd744c8
SHA512: 830145554eb3f7a3476e8b0694c405913e1e56f697c06fab2d8bb2957a21914ddd8c65f6f8d51177fd4ff4887546a1ffdea2b2739635c87f43d3125b5c6e81a0
-
Filesize: 5.2MB
MD5: d4a0f75d8ee05fe4b6abf6b82fdb0df5
SHA1: fff090ef6fc1c4364d1ea4cc405f8a411f910a36
SHA256: 53d6cf478642649a79b8b78886d018660202c5ca987c07492ff710d682c26173
SHA512: 7cec15f837134472b5b87342f3d83b794b1a0f316db80cd65db8bc02ab6a79e4e939c4525986c45888500d83b27353551f857c40f9045cac0378433cf8783f17
-
Filesize: 5.2MB
MD5: f84077c8b787cb34c2e07667d83dd5ec
SHA1: cf02b1dd32d96fde41c7b37ae7e12ab852a6806e
SHA256: 035a29131aee24e9a0f00a986609bac30dbf547c7207ef699fd1cc47b6ca1948
SHA512: de2807ee1ab9b212ebec28705c52c20801ef3ae912c61cfc90474c345eb95efbec137e98572a93233ab73f7f936d5714ede409dd6a40c2e89779e88a16c8c145
-
Filesize: 5.2MB
MD5: e2891f837b2e8fc5dcbf10241353d13f
SHA1: 671013a499a9b0a9f973ba69a6a66ee885e6c501
SHA256: fd564742b07c46d08645ca772b0e9ec1e05e963f94e4aadad4f62091d5d806ff
SHA512: b1d6392adb7ade9db05f1c62c7b79aa4a6d2f595481b9fe9249f8444f43f4c63ce3c31b70c3895fbc091291455dde5977e544ffcd0d5d48e690f35c0a66a0155
-
Filesize: 5.2MB
MD5: d35a30609466876de9543b1a90d23626
SHA1: d254780ef546d5c4bb6e0040add335eed347f4f4
SHA256: 99ade9f1b3710a47fe2a662fb287bd4b922558c72e54fa1248a44538bc160509
SHA512: 58ba87a47cb4ff28543fef244bed837bdc731e913181d4eeac8fb747f65e6c67230a6e52ff67b0d0d77a955da25ae53f4204efe39d00933cea7489d21b06206b
-
Filesize: 5.2MB
MD5: f973c39cff17192d0ab0fb8bbc8f9f35
SHA1: 12d2194b4be1c98e54297e47bb2ae702a6fd1b56
SHA256: 0e04a15986c1df4d9a169d6a9bd7fe5ab13fb78d3117132ae00cc6043bb406a4
SHA512: 4905b59d91f55a1d4671de18984100f71116f1fbead5473e4a99963885ba8a4226750013a57ddc7f2deb85fe9a2d1b8f2f89e36c452aae61e387a99efbbbc90a
-
Filesize: 5.2MB
MD5: bb0f5186687052df37f3b7912cf90d49
SHA1: f776de2c5b5b5c8291060ef302d296b40442be22
SHA256: 50a8ba1ecc3a13701f4b7dd7712441d05b50ea7cfa0ee02d24eb751c4e08f22a
SHA512: c1ed00c256eaf42280d12c27a32ccbf298034026e849d0e11d17162bf37cbb156d8b5c16dec2bb9fad0badc4b0cc46cbd3d524544a885db0584cdf36e080889a
-
Filesize: 5.2MB
MD5: c00d07a6eacae9664a33f016020e6d78
SHA1: 28caf9ac2df36dc91852d9dffcd24bea4685ebe0
SHA256: 974c9039c0122cb8603d42dfc64a37dd61b405694a380ea00d5852bca9bce893
SHA512: 4f5f5e2128ebaabd0947b38e1339364364bb5244467dc2797842ee7599dfdf7c4175c660d3832aa0e2e43670ce387144f94cb9d7357476eb396a06b6c7fbd993
-
Filesize: 5.2MB
MD5: d9b9d4698130d0829d7b602524416afd
SHA1: 0e0fd48e1cff5207a748977289698219ca285846
SHA256: 1db286300ecb11113d5b01e5a2ff7bb26f1db309d039b4195d0f303d8be0ca0d
SHA512: 8482870afcf5e031853671df3f940d7f025c67e3cd6e6b33f38d508e728c01e61de48fd8b65e84f7c79f50b31a8aabba5806fef4207a17c9854998d2d192f19a
-
Filesize: 5.2MB
MD5: 6b7b6492fd97a19da134d77e3e718452
SHA1: c7f7e4b16a0b76c2113be6997522d004989236e9
SHA256: 30692b303d0a2099a73ba16743a8cdcd9b2bce97e3bba91fbdbbad47f8dbd2e1
SHA512: f651c530576ddc0c0e191da85dc0a346b66e13dc73ce12a979e93f68f7bb5156691b31ae7f373d2dc7f78d97b75d06e462cfc129f01405e7e46c5c3051d1532d
-
Filesize: 5.2MB
MD5: 210688f8c669bbbdd79b120cd0003bb6
SHA1: 36bfe17971bbf7fb9a11dc07d2e74bb94c1f0470
SHA256: 23af2e466ce12e151219a075647ec05eddf8ed6049da4ee9067d40f00b22ee37
SHA512: fffca7dd4234eff6f46ee71e46db4c49559029164fb8d2e970b83bb8c4674f85b7b4aa70bab72f540f5fdf7583883aa244c1e84dd50473432ae5599a97959058