Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 14/08/2024, 21:04
Behavioral task: behavioral1
Sample: 2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe
Resource: win7-20240704-en
General
Target: 2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe
Size: 5.2MB
MD5: 5bc627c80faf460469241d61a37ae05b
SHA1: 09d335c2a20422d71e074b2141c240c459a66d94
SHA256: 15d6830b17a879ee36eb4f14ea6e9597480679b897b0262a7c4b53f232b59fe5
SHA512: 6439460d667f3b3e8510ad2754225bbfee1324a6cd429b7a77db40d896565ea255dba752b574aa87e3d7ff981b79be7f4dbaa5970aa558fced160c8a738b0f95
SSDEEP: 49152:ROdWCCi7/raA56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l8:RWWBibj56utgpPFotBER/mQ32lUQ
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2:
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
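The two http_header blobs above are not opaque: each is a Beacon transform program, a run of big-endian uint32 opcodes with length-prefixed string operands ending in a 0. Decoded, they are the http-get and http-post blocks of the amazon.profile that is publicly distributed with Cobalt Strike (Accept: */*, Host: www.amazon.com, a Cookie of the form skin=noskin;session-token=<base64 metadata>csm-hit=..., a POST to /N4215/adj/amzn.us.sr.aps with the id in the sn parameter), while the real C2 hosts are ns7/ns8/ns9.softline.top over plain http:// on port 443. The field labelled state_machine decodes as a DER SubjectPublicKeyInfo, which is the RSA key Beacon uses to encrypt its metadata. The parser, renderer and key reader below are an added example written for this page, not tria.ge code or anything taken from the sample: the opcode table follows open-source config extractors (1768.py, CobaltStrikeParser), strrep (opcode 14) is not modelled, the renderer covers only the steps this profile uses, the blobs are cut after their zero terminator (the rest of each 256-byte field is zero padding), and b"META" is a constructed stand-in for the encrypted metadata.

```python
import base64
import struct

# Transform-step opcodes inside Beacon's http_header1/http_header2 blobs, as
# documented by open-source config extractors (1768.py, CobaltStrikeParser).
# The names are the matching malleable C2 profile keywords.
OPS = {
    1: "append", 2: "prepend", 3: "base64", 4: "print", 5: "parameter",
    6: "header", 7: "build", 8: "netbios", 9: "const_parameter",
    10: "const_header", 11: "netbiosu", 12: "uri_append", 13: "base64url",
    15: "mask", 16: "const_host_header",
}
STRING_ARG = {1, 2, 5, 6, 9, 10, 12, 16}   # one length-prefixed string follows
NO_ARG = {3, 4, 8, 11, 13, 15}             # pure encoding steps, no operand

# Copied from the extracted config above; the blobs are cut after the zero
# terminator (the remainder of each field is zero padding).
HTTP_HEADER1 = "AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAA"
HTTP_HEADER2 = "AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA=="
GET_URI = "/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"   # from the host field
RSA_PUBKEY = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQAB"   # the state_machine field


def _u32(buf, off):
    """Big-endian uint32 at off; returns (value, next offset)."""
    return struct.unpack_from(">I", buf, off)[0], off + 4


def parse_transform(blob_b64):
    """Decode a transform blob into an ordered list of (step, argument).
    build's argument selects the buffer being transformed: 0 = metadata
    (http-get) or id (http-post), 1 = output (http-post)."""
    data = base64.b64decode(blob_b64)
    steps, off = [], 0
    while True:
        op, off = _u32(data, off)
        if op == 0:                                  # end-of-program marker
            return steps
        if op in STRING_ARG:
            n, off = _u32(data, off)
            steps.append((OPS[op], data[off:off + n].decode("latin-1")))
            off += n
        elif op == 7:
            which, off = _u32(data, off)
            steps.append((OPS[op], which))
        elif op in NO_ARG:
            steps.append((OPS[op], None))
        else:                                        # 14 (strrep) is not modelled here
            raise ValueError(f"unsupported transform opcode {op} at offset {off - 4}")


def render_get(steps, metadata, uri):
    """Apply a parsed http-get program to sample metadata bytes and return the
    request line and headers a proxy would log. Models only the steps this
    profile uses; anything else raises rather than silently mis-rendering."""
    headers, buf = [], b""
    for name, arg in steps:
        if name == "const_header":
            headers.append(arg)
        elif name == "build":
            buf = metadata
        elif name == "base64":
            buf = base64.b64encode(buf)
        elif name == "prepend":
            buf = arg.encode() + buf
        elif name == "append":
            buf = buf + arg.encode()
        elif name == "header":
            headers.append(f"{arg}: {buf.decode()}")
        else:
            raise ValueError(f"renderer does not model step {name}")
    return "\r\n".join([f"GET {uri} HTTP/1.1", *headers, "", ""])


def _tlv(buf, off):
    """Read one DER tag/length; returns (tag, offset of value, value length)."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:                                    # long-form length
        n = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, ln


def rsa_public_key_info(b64):
    """The config's RSA public key is a base64 DER SubjectPublicKeyInfo.
    Returns (modulus_bits, public_exponent); minimal RSA-only DER walk."""
    der = base64.b64decode(b64)
    _, off, _ = _tlv(der, 0)                         # SubjectPublicKeyInfo SEQUENCE
    _, alg, alg_len = _tlv(der, off)                 # AlgorithmIdentifier SEQUENCE
    if der[alg:alg + 11] != bytes.fromhex("06092a864886f70d010101"):   # rsaEncryption OID
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    _, off, _ = _tlv(der, alg + alg_len)             # BIT STRING; first byte = unused bits
    _, off, _ = _tlv(der, off + 1)                   # RSAPublicKey SEQUENCE
    _, off, n_len = _tlv(der, off)                   # INTEGER modulus
    modulus = int.from_bytes(der[off:off + n_len], "big")
    _, off, e_len = _tlv(der, off + n_len)           # INTEGER publicExponent
    return modulus.bit_length(), int.from_bytes(der[off:off + e_len], "big")
```

render_get(parse_transform(HTTP_HEADER1), b"META", GET_URI) produces the GET to the configured URI with Accept: */*, Host: www.amazon.com and Cookie: skin=noskin;session-token=TUVUQQ==csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996; parse_transform(HTTP_HEADER2) shows the POST side (sn parameter carrying the id, body base64 then print); rsa_public_key_info(RSA_PUBKEY) returns (1024, 65537). For proxy hunting, the useful shape is a Host header of www.amazon.com sent to a softline.top address over plain HTTP on 443, plus that fixed csm-hit cookie suffix. The watermark of 0 means the licence id was zeroed, as in cracked builds, so it cannot be used to attribute the kit.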
Signatures
Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
resource  yara_rule
behavioral2/files/0x00070000000234cd-9.dat  cobalt_reflective_dll
behavioral2/files/0x00090000000234c9-11.dat  cobalt_reflective_dll
behavioral2/files/0x00070000000234d0-44.dat  cobalt_reflective_dll
behavioral2/files/0x00070000000234d3-50.dat  cobalt_reflective_dll
behavioral2/files/0x00070000000234d7-70.dat  cobalt_reflective_dll
behavioral2/files/0x00070000000234d5-82.dat  cobalt_reflective_dll
behavioral2/files/0x00070000000234da-100.dat  cobalt_reflective_dll
behavioral2/files/0x00070000000234db-108.dat  cobalt_reflective_dll
behavioral2/files/0x00070000000234dd-117.dat  cobalt_reflective_dll
behavioral2/files/0x00070000000234de-122.dat  cobalt_reflective_dll
behavioral2/files/0x00070000000234dc-115.dat  cobalt_reflective_dll
behavioral2/files/0x00090000000234ca-97.dat  cobalt_reflective_dll
behavioral2/files/0x00070000000234d9-94.dat  cobalt_reflective_dll
behavioral2/files/0x00070000000234d8-86.dat  cobalt_reflective_dll
behavioral2/files/0x00070000000234d6-84.dat  cobalt_reflective_dll
behavioral2/files/0x00070000000234d4-73.dat  cobalt_reflective_dll
behavioral2/files/0x00070000000234d2-59.dat  cobalt_reflective_dll
behavioral2/files/0x00070000000234d1-39.dat  cobalt_reflective_dll
behavioral2/files/0x00070000000234cf-30.dat  cobalt_reflective_dll
behavioral2/files/0x00070000000234ce-23.dat  cobalt_reflective_dll
behavioral2/files/0x0009000000023472-6.dat  cobalt_reflective_dll
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
XMRig Miner payload 45 IoCs
resource  yara_rule
behavioral2/memory/100-104-0x00007FF781440000-0x00007FF781791000-memory.dmp  xmrig
behavioral2/memory/2208-103-0x00007FF765810000-0x00007FF765B61000-memory.dmp  xmrig
behavioral2/memory/4384-102-0x00007FF697820000-0x00007FF697B71000-memory.dmp  xmrig
behavioral2/memory/1620-99-0x00007FF6EC8D0000-0x00007FF6ECC21000-memory.dmp  xmrig
behavioral2/memory/3948-48-0x00007FF686450000-0x00007FF6867A1000-memory.dmp  xmrig
behavioral2/memory/4604-43-0x00007FF6FA2A0000-0x00007FF6FA5F1000-memory.dmp  xmrig
behavioral2/memory/1556-27-0x00007FF64B7D0000-0x00007FF64BB21000-memory.dmp  xmrig
behavioral2/memory/4148-126-0x00007FF68BEC0000-0x00007FF68C211000-memory.dmp  xmrig
behavioral2/memory/1004-127-0x00007FF7AB880000-0x00007FF7ABBD1000-memory.dmp  xmrig
behavioral2/memory/1500-125-0x00007FF6E11B0000-0x00007FF6E1501000-memory.dmp  xmrig
behavioral2/memory/4048-124-0x00007FF7620D0000-0x00007FF762421000-memory.dmp  xmrig
behavioral2/memory/1016-130-0x00007FF745C80000-0x00007FF745FD1000-memory.dmp  xmrig
behavioral2/memory/2388-131-0x00007FF7A4BF0000-0x00007FF7A4F41000-memory.dmp  xmrig
behavioral2/memory/1148-137-0x00007FF6AECB0000-0x00007FF6AF001000-memory.dmp  xmrig
behavioral2/memory/848-139-0x00007FF75EF90000-0x00007FF75F2E1000-memory.dmp  xmrig
behavioral2/memory/4540-144-0x00007FF7B83F0000-0x00007FF7B8741000-memory.dmp  xmrig
behavioral2/memory/3920-150-0x00007FF7E1700000-0x00007FF7E1A51000-memory.dmp  xmrig
behavioral2/memory/1576-142-0x00007FF7E8150000-0x00007FF7E84A1000-memory.dmp  xmrig
behavioral2/memory/228-140-0x00007FF7FD410000-0x00007FF7FD761000-memory.dmp  xmrig
behavioral2/memory/4116-136-0x00007FF719100000-0x00007FF719451000-memory.dmp  xmrig
behavioral2/memory/3972-134-0x00007FF62BAE0000-0x00007FF62BE31000-memory.dmp  xmrig
behavioral2/memory/528-129-0x00007FF6EE920000-0x00007FF6EEC71000-memory.dmp  xmrig
behavioral2/memory/3920-128-0x00007FF7E1700000-0x00007FF7E1A51000-memory.dmp  xmrig
behavioral2/memory/3920-151-0x00007FF7E1700000-0x00007FF7E1A51000-memory.dmp  xmrig
behavioral2/memory/528-196-0x00007FF6EE920000-0x00007FF6EEC71000-memory.dmp  xmrig
behavioral2/memory/1016-198-0x00007FF745C80000-0x00007FF745FD1000-memory.dmp  xmrig
behavioral2/memory/1556-200-0x00007FF64B7D0000-0x00007FF64BB21000-memory.dmp  xmrig
behavioral2/memory/4604-202-0x00007FF6FA2A0000-0x00007FF6FA5F1000-memory.dmp  xmrig
behavioral2/memory/2388-204-0x00007FF7A4BF0000-0x00007FF7A4F41000-memory.dmp  xmrig
behavioral2/memory/3948-206-0x00007FF686450000-0x00007FF6867A1000-memory.dmp  xmrig
behavioral2/memory/3972-208-0x00007FF62BAE0000-0x00007FF62BE31000-memory.dmp  xmrig
behavioral2/memory/4116-210-0x00007FF719100000-0x00007FF719451000-memory.dmp  xmrig
behavioral2/memory/1148-213-0x00007FF6AECB0000-0x00007FF6AF001000-memory.dmp  xmrig
behavioral2/memory/1620-218-0x00007FF6EC8D0000-0x00007FF6ECC21000-memory.dmp  xmrig
behavioral2/memory/848-217-0x00007FF75EF90000-0x00007FF75F2E1000-memory.dmp  xmrig
behavioral2/memory/1576-220-0x00007FF7E8150000-0x00007FF7E84A1000-memory.dmp  xmrig
behavioral2/memory/228-215-0x00007FF7FD410000-0x00007FF7FD761000-memory.dmp  xmrig
behavioral2/memory/4540-226-0x00007FF7B83F0000-0x00007FF7B8741000-memory.dmp  xmrig
behavioral2/memory/100-225-0x00007FF781440000-0x00007FF781791000-memory.dmp  xmrig
behavioral2/memory/2208-223-0x00007FF765810000-0x00007FF765B61000-memory.dmp  xmrig
behavioral2/memory/4384-228-0x00007FF697820000-0x00007FF697B71000-memory.dmp  xmrig
behavioral2/memory/4048-235-0x00007FF7620D0000-0x00007FF762421000-memory.dmp  xmrig
behavioral2/memory/4148-240-0x00007FF68BEC0000-0x00007FF68C211000-memory.dmp  xmrig
behavioral2/memory/1004-238-0x00007FF7AB880000-0x00007FF7ABBD1000-memory.dmp  xmrig
behavioral2/memory/1500-241-0x00007FF6E11B0000-0x00007FF6E1501000-memory.dmp  xmrig
Executes dropped EXE 21 IoCs
pid  Process
528  kjoDJsY.exe
1016  cdXEELh.exe
2388  MTJbPia.exe
1556  UDsFoBF.exe
4604  gMfLKvE.exe
3972  hhoTorv.exe
3948  xJZkNib.exe
4116  loeOZmw.exe
1148  yFxZYJB.exe
1620  VXlYSdL.exe
848  hPkWxET.exe
228  zfeijFF.exe
4384  NmcfGJR.exe
1576  QrabAth.exe
2208  qGILSdQ.exe
4540  YfeaYiC.exe
100  NigcuoQ.exe
4048  BNkecqp.exe
1500  WgCtzfs.exe
4148  bnBIfwz.exe
1004  utQZDxE.exe
UPX packed file (yara rule upx) 64 IoCs
resource  yara_rule
behavioral2/memory/3920-0-0x00007FF7E1700000-0x00007FF7E1A51000-memory.dmp  upx
behavioral2/memory/528-8-0x00007FF6EE920000-0x00007FF6EEC71000-memory.dmp  upx
behavioral2/files/0x00070000000234cd-9.dat  upx
behavioral2/files/0x00090000000234c9-11.dat  upx
behavioral2/files/0x00070000000234d0-44.dat  upx
behavioral2/files/0x00070000000234d3-50.dat  upx
behavioral2/files/0x00070000000234d7-70.dat  upx
behavioral2/files/0x00070000000234d5-82.dat  upx
behavioral2/memory/1576-91-0x00007FF7E8150000-0x00007FF7E84A1000-memory.dmp  upx
behavioral2/memory/4540-96-0x00007FF7B83F0000-0x00007FF7B8741000-memory.dmp  upx
behavioral2/files/0x00070000000234da-100.dat  upx
behavioral2/files/0x00070000000234db-108.dat  upx
behavioral2/files/0x00070000000234dd-117.dat  upx
behavioral2/files/0x00070000000234de-122.dat  upx
behavioral2/files/0x00070000000234dc-115.dat  upx
behavioral2/memory/100-104-0x00007FF781440000-0x00007FF781791000-memory.dmp  upx
behavioral2/memory/2208-103-0x00007FF765810000-0x00007FF765B61000-memory.dmp  upx
behavioral2/memory/4384-102-0x00007FF697820000-0x00007FF697B71000-memory.dmp  upx
behavioral2/memory/1620-99-0x00007FF6EC8D0000-0x00007FF6ECC21000-memory.dmp  upx
behavioral2/files/0x00090000000234ca-97.dat  upx
behavioral2/files/0x00070000000234d9-94.dat  upx
behavioral2/files/0x00070000000234d8-86.dat  upx
behavioral2/files/0x00070000000234d6-84.dat  upx
behavioral2/memory/228-79-0x00007FF7FD410000-0x00007FF7FD761000-memory.dmp  upx
behavioral2/files/0x00070000000234d4-73.dat  upx
behavioral2/memory/848-78-0x00007FF75EF90000-0x00007FF75F2E1000-memory.dmp  upx
behavioral2/memory/1148-64-0x00007FF6AECB0000-0x00007FF6AF001000-memory.dmp  upx
behavioral2/files/0x00070000000234d2-59.dat  upx
behavioral2/memory/4116-51-0x00007FF719100000-0x00007FF719451000-memory.dmp  upx
behavioral2/memory/3948-48-0x00007FF686450000-0x00007FF6867A1000-memory.dmp  upx
behavioral2/memory/4604-43-0x00007FF6FA2A0000-0x00007FF6FA5F1000-memory.dmp  upx
behavioral2/files/0x00070000000234d1-39.dat  upx
behavioral2/memory/3972-35-0x00007FF62BAE0000-0x00007FF62BE31000-memory.dmp  upx
behavioral2/files/0x00070000000234cf-30.dat  upx
behavioral2/memory/1556-27-0x00007FF64B7D0000-0x00007FF64BB21000-memory.dmp  upx
behavioral2/memory/2388-24-0x00007FF7A4BF0000-0x00007FF7A4F41000-memory.dmp  upx
behavioral2/files/0x00070000000234ce-23.dat  upx
behavioral2/memory/1016-13-0x00007FF745C80000-0x00007FF745FD1000-memory.dmp  upx
behavioral2/files/0x0009000000023472-6.dat  upx
behavioral2/memory/4148-126-0x00007FF68BEC0000-0x00007FF68C211000-memory.dmp  upx
behavioral2/memory/1004-127-0x00007FF7AB880000-0x00007FF7ABBD1000-memory.dmp  upx
behavioral2/memory/1500-125-0x00007FF6E11B0000-0x00007FF6E1501000-memory.dmp  upx
behavioral2/memory/4048-124-0x00007FF7620D0000-0x00007FF762421000-memory.dmp  upx
behavioral2/memory/1016-130-0x00007FF745C80000-0x00007FF745FD1000-memory.dmp  upx
behavioral2/memory/2388-131-0x00007FF7A4BF0000-0x00007FF7A4F41000-memory.dmp  upx
behavioral2/memory/1148-137-0x00007FF6AECB0000-0x00007FF6AF001000-memory.dmp  upx
behavioral2/memory/848-139-0x00007FF75EF90000-0x00007FF75F2E1000-memory.dmp  upx
behavioral2/memory/4540-144-0x00007FF7B83F0000-0x00007FF7B8741000-memory.dmp  upx
behavioral2/memory/3920-150-0x00007FF7E1700000-0x00007FF7E1A51000-memory.dmp  upx
behavioral2/memory/1576-142-0x00007FF7E8150000-0x00007FF7E84A1000-memory.dmp  upx
behavioral2/memory/228-140-0x00007FF7FD410000-0x00007FF7FD761000-memory.dmp  upx
behavioral2/memory/4116-136-0x00007FF719100000-0x00007FF719451000-memory.dmp  upx
behavioral2/memory/3972-134-0x00007FF62BAE0000-0x00007FF62BE31000-memory.dmp  upx
behavioral2/memory/528-129-0x00007FF6EE920000-0x00007FF6EEC71000-memory.dmp  upx
behavioral2/memory/3920-128-0x00007FF7E1700000-0x00007FF7E1A51000-memory.dmp  upx
behavioral2/memory/3920-151-0x00007FF7E1700000-0x00007FF7E1A51000-memory.dmp  upx
behavioral2/memory/528-196-0x00007FF6EE920000-0x00007FF6EEC71000-memory.dmp  upx
behavioral2/memory/1016-198-0x00007FF745C80000-0x00007FF745FD1000-memory.dmp  upx
behavioral2/memory/1556-200-0x00007FF64B7D0000-0x00007FF64BB21000-memory.dmp  upx
behavioral2/memory/4604-202-0x00007FF6FA2A0000-0x00007FF6FA5F1000-memory.dmp  upx
behavioral2/memory/2388-204-0x00007FF7A4BF0000-0x00007FF7A4F41000-memory.dmp  upx
behavioral2/memory/3948-206-0x00007FF686450000-0x00007FF6867A1000-memory.dmp  upx
behavioral2/memory/3972-208-0x00007FF62BAE0000-0x00007FF62BE31000-memory.dmp  upx
behavioral2/memory/4116-210-0x00007FF719100000-0x00007FF719451000-memory.dmp  upx
Drops file in Windows directory 21 IoCs
description  ioc  Process (every entry: File created by 2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe)
File created  C:\Windows\System\VXlYSdL.exe
File created  C:\Windows\System\BNkecqp.exe
File created  C:\Windows\System\WgCtzfs.exe
File created  C:\Windows\System\bnBIfwz.exe
File created  C:\Windows\System\UDsFoBF.exe
File created  C:\Windows\System\YfeaYiC.exe
File created  C:\Windows\System\hPkWxET.exe
File created  C:\Windows\System\NmcfGJR.exe
File created  C:\Windows\System\QrabAth.exe
File created  C:\Windows\System\kjoDJsY.exe
File created  C:\Windows\System\cdXEELh.exe
File created  C:\Windows\System\hhoTorv.exe
File created  C:\Windows\System\xJZkNib.exe
File created  C:\Windows\System\yFxZYJB.exe
File created  C:\Windows\System\qGILSdQ.exe
File created  C:\Windows\System\NigcuoQ.exe
File created  C:\Windows\System\utQZDxE.exe
File created  C:\Windows\System\MTJbPia.exe
File created  C:\Windows\System\gMfLKvE.exe
File created  C:\Windows\System\loeOZmw.exe
File created  C:\Windows\System\zfeijFF.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description  pid  Process
Token: SeLockMemoryPrivilege  3920  2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege  3920  2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe
Suspicious use of WriteProcessMemory 42 IoCs
description  pid  Process  procid_target (Process is 2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe, PID 3920, for every entry; each pair below is recorded twice in the run, giving 42 entries)
PID 3920 wrote to memory of 528  procid_target 85
PID 3920 wrote to memory of 1016  procid_target 86
PID 3920 wrote to memory of 2388  procid_target 87
PID 3920 wrote to memory of 1556  procid_target 88
PID 3920 wrote to memory of 4604  procid_target 89
PID 3920 wrote to memory of 3972  procid_target 90
PID 3920 wrote to memory of 3948  procid_target 91
PID 3920 wrote to memory of 4116  procid_target 92
PID 3920 wrote to memory of 1148  procid_target 93
PID 3920 wrote to memory of 1620  procid_target 95
PID 3920 wrote to memory of 848  procid_target 96
PID 3920 wrote to memory of 228  procid_target 97
PID 3920 wrote to memory of 4384  procid_target 98
PID 3920 wrote to memory of 1576  procid_target 99
PID 3920 wrote to memory of 2208  procid_target 100
PID 3920 wrote to memory of 4540  procid_target 101
PID 3920 wrote to memory of 100  procid_target 102
PID 3920 wrote to memory of 4048  procid_target 103
PID 3920 wrote to memory of 1500  procid_target 104
PID 3920 wrote to memory of 4148  procid_target 105
PID 3920 wrote to memory of 1004  procid_target 106
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe"
Level 1, PID 3920
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
Children (level 2; each is started with its own path as the entire command line and is flagged "Executes dropped EXE"):
- C:\Windows\System\kjoDJsY.exe  PID 528
- C:\Windows\System\cdXEELh.exe  PID 1016
- C:\Windows\System\MTJbPia.exe  PID 2388
- C:\Windows\System\UDsFoBF.exe  PID 1556
- C:\Windows\System\gMfLKvE.exe  PID 4604
- C:\Windows\System\hhoTorv.exe  PID 3972
- C:\Windows\System\xJZkNib.exe  PID 3948
- C:\Windows\System\loeOZmw.exe  PID 4116
- C:\Windows\System\yFxZYJB.exe  PID 1148
- C:\Windows\System\VXlYSdL.exe  PID 1620
- C:\Windows\System\hPkWxET.exe  PID 848
- C:\Windows\System\zfeijFF.exe  PID 228
- C:\Windows\System\NmcfGJR.exe  PID 4384
- C:\Windows\System\QrabAth.exe  PID 1576
- C:\Windows\System\qGILSdQ.exe  PID 2208
- C:\Windows\System\YfeaYiC.exe  PID 4540
- C:\Windows\System\NigcuoQ.exe  PID 100
- C:\Windows\System\BNkecqp.exe  PID 4048
- C:\Windows\System\WgCtzfs.exe  PID 1500
- C:\Windows\System\bnBIfwz.exe  PID 4148
- C:\Windows\System\utQZDxE.exe  PID 1004
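Three parts of this report translate directly into endpoint detections: the pipe_name template in the config (the SMB Beacon named pipe, written printf-style), sc_process32/sc_process64 (the spawnto targets Beacon uses for post-exploitation jobs), and the 21 same-shape drops into C:\Windows\System that the process tree records. The SeLockMemoryPrivilege request behind the AdjustPrivilegeToken signature is what XMRig needs to enable large-page memory, so it fits the miner payload rather than the Beacon. The script below is an added example written for this page, not tria.ge code: it builds regexes from the config values, expands the spawnto templates, and runs the three patterns over constructed Sysmon-style events (EventID 1, 11 and 17/18 with the usual field names; the events are made up for the example). Assumptions not stated by the report: %x is rendered as lowercase hex (C printf semantics), rundll32 started with no arguments at all is the usual tell for the default spawnto, and the drop-name regex generalises from the 21 names observed here. The pipe-template converter works for any template that uses %s and %x, not only this one.

```python
import re

# Values copied from the extracted config and the signatures above.
PIPE_TEMPLATE = r"\\%s\pipe\msagent_%x"
SPAWNTO = [r"%windir%\syswow64\rundll32.exe", r"%windir%\sysnative\rundll32.exe"]
DROPPED = ["kjoDJsY", "cdXEELh", "MTJbPia", "UDsFoBF", "gMfLKvE", "hhoTorv", "xJZkNib",
           "loeOZmw", "yFxZYJB", "VXlYSdL", "hPkWxET", "zfeijFF", "NmcfGJR", "QrabAth",
           "qGILSdQ", "YfeaYiC", "NigcuoQ", "BNkecqp", "WgCtzfs", "bnBIfwz", "utQZDxE"]


def pipe_regex(template):
    """Turn the printf-style pipe template into a regex. %s is the host part of
    the UNC path and %x an unsigned int printed as lowercase hex (C printf
    semantics, assumed). Sysmon records pipes without the host/pipe prefix,
    so that prefix is optional."""
    name = template.rsplit("\\", 1)[1]                       # "msagent_%x"
    body = "[0-9a-f]+".join(re.escape(p) for p in name.split("%x"))
    return re.compile(r"^(?:\\\\[^\\]+\\pipe)?\\" + body + "$")


def dropped_exe_regex(names):
    """Generalise the observed drop names: purely alphabetic, one length,
    written under the Windows System directory as the report shows."""
    if not all(n.isascii() and n.isalpha() for n in names):
        raise ValueError("pattern assumes purely alphabetic names")
    lo, hi = min(map(len, names)), max(map(len, names))
    span = f"{{{lo}}}" if lo == hi else f"{{{lo},{hi}}}"
    return re.compile(r"^C:\\Windows\\System\\[A-Za-z]" + span + r"\.exe$")


def spawnto_paths(templates, windir=r"C:\Windows"):
    """Expand %windir%. 'sysnative' is the WoW64 alias a 32-bit process uses to
    reach the real System32, so on disk it is System32 (default paths assumed)."""
    out = set()
    for t in templates:
        p = t.replace("%windir%", windir).lower()
        out.add(p.replace("\\sysnative\\", "\\system32\\"))
    return out


def scan(events):
    """Match Sysmon-style events (EventID 1, 11, 17/18 with the usual field
    names) against the three patterns; returns (rule, event index) pairs."""
    pipe_re = pipe_regex(PIPE_TEMPLATE)
    drop_re = dropped_exe_regex(DROPPED)
    spawn = spawnto_paths(SPAWNTO)
    hits = []
    for i, ev in enumerate(events):
        eid = ev["EventID"]
        if eid in (17, 18) and pipe_re.match(ev["PipeName"]):
            hits.append(("cs_smb_pipe", i))
        elif eid == 1:
            image = ev["Image"].lower()
            cmdline = ev["CommandLine"].strip().strip('"').lower()
            # Default spawnto tell: rundll32 launched with no arguments at all.
            if image in spawn and cmdline == image:
                hits.append(("cs_spawnto_rundll32", i))
            if drop_re.match(ev["Image"]):
                hits.append(("dropped_exe_windows_system", i))
        elif eid == 11 and drop_re.match(ev["TargetFilename"]):
            hits.append(("dropped_exe_windows_system", i))
    return hits


# Constructed sample events for this example; not taken from the sandbox run.
SAMPLE_EVENTS = [
    {"EventID": 17, "Image": r"C:\Windows\SysWOW64\rundll32.exe", "PipeName": r"\msagent_7f3a"},
    {"EventID": 17, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "PipeName": r"\mojo.1234.5678.9"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r"C:\Windows\SysWOW64\rundll32.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL'},
    {"EventID": 11, "TargetFilename": r"C:\Windows\System\abcDEfg.exe"},
    {"EventID": 11, "TargetFilename": r"C:\Windows\System\svchost-update.exe"},
]
```

scan(SAMPLE_EVENTS) flags the msagent_ pipe, the argument-less rundll32 and the seven-letter drop into C:\Windows\System, and leaves the Chrome mojo pipe, the rundll32 with a real argument and the hyphenated filename alone. The pipe and spawnto rules are tied to this config and stay valid for any Beacon built from the same profile; the drop-name rule is derived from one run and should be treated as a hunting pattern rather than a fixed IoC.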
Downloads
Filesize: 5.2MB
MD5: b879d73df74303fa0429d8fd872dc68c
SHA1: 0050e111d67f8f04a2ad0cf8c928db5f3800544a
SHA256: eed07830050032b8d518aae5312e085638cc96dbbd8985069c96b4f900bceb1f
SHA512: 2070466077841c2d4b5a4186956f48aafe3c9ab1660496ebaf40fd882985d00f6a3881475bc85ead5a7cd7872d5d3f9cb7c3a1d36721dc7e2f0059d70c46d9db

Filesize: 5.2MB
MD5: 8e437ca2982b704f439eb6066a2f6256
SHA1: bd8dd67d231ad3d24ddb5e705b9fb32a2ca19b50
SHA256: 5f3f3d62c8a6ad819611d92192897c7c8c23927c672a16aecb833570a477b332
SHA512: db7cdbf66f9059a136b0fc259760e08cff417bd347a1b6027761d389f0829afdea01d15e2f0e4cbe5871b9f91e11f0e7c3a5d244fc07d1d07a062e02fd663a49

Filesize: 5.2MB
MD5: f83d4ab429cc3a7ed02dfeeeb9d0770f
SHA1: e724482cf16fde1f9350e1c8f7ab474858a30770
SHA256: 30afc026e6a1f4f5085beefb313871beea2f66270590db3791c12ae9505bc94a
SHA512: 7aacbce5ef25dfa0c6a3a1f3a4625c38831e1eefb927e81b2881c8158f23153f864d2c8a03204b05b0ab1dc606dff619981e2b95e74aad690c18db0316a8797e

Filesize: 5.2MB
MD5: bc1a85e3d87d79c47dc945d61bc9e72c
SHA1: 51946991883c05bd9060324106989d36c1765bb3
SHA256: 81c1f86ffc17e6065cbac2c045c88060583300beee541490a4075c7646ab6970
SHA512: 836f97bc7bbc7d891169d8c80c41307cb1a21b66b02c0f3a9625a2ec694ec5d212cf9cb018758b5f3feb6e63933f80e99d6deee79a7437f0c774778a5c225cdc

Filesize: 5.2MB
MD5: 7e43a3296d65461aa258f65529831b58
SHA1: 288c834bc4c5aa956a9ccd932c246a3f2d625108
SHA256: fe97853e98c09de2719d6f1f0210d7f6775c071ed732d9bc7751faa178153512
SHA512: d08559d41bd204ac38ca8488e0bd0404b3e43efeb80689624e12fe197f9154da1dd33247c40613cbfb8e73ca817ebddcf2bfa6386bf3b9cdf91bcb6db5d0a633

Filesize: 5.2MB
MD5: 7291ac4a140590c82eeb9404a2078a82
SHA1: 604e3dcc561152fffb94c451decc42119b500189
SHA256: d70eefbe972348229d8cc89493be04a2dfd41b105589d0319c04864255b44e58
SHA512: b9f6be1a6d993ff02ff87cf7c8e6b33938acb8b016f51aab328b3524489f2b3a7e679cbe0aae204e18ccb57ce3e04f7cd017375fb970b3c19b1a5bb5ef902698

Filesize: 5.2MB
MD5: 19777df9b6c6ad0be0b81b84f18a8e6d
SHA1: e6beea9077b4e5f2c993af602108d61f3e83ada1
SHA256: 5bca855bdf8101528e62ff0c15ea84ed48f3fb33e8cabf4b8363efa9fa119418
SHA512: f7494c6c39196b93f70bc4f2164691dd47b3b3339b13955bc03f8174b7076a7cc0104e4e582d9cd374262d61bf6d3068408f954e52d9616eff094d5650084c2f

Filesize: 5.2MB
MD5: e50d353df4ada4880a619f7d1f87217d
SHA1: 559d97533c43ac42da7d4863f8719e4e8f50e7f2
SHA256: 36cefa0fcfa63700a3b2d3886ec40d64f52046cee45446f280c14cd960cdbeb5
SHA512: 48691b5975481a8d9430dd3c16f218f794c72a2d7cd6c4d2639cc82aa09c78d2c2ed8656b3719a5dac7a5c50e4a69e3856d72b0e47d5b015383c9a4429088c44

Filesize: 5.2MB
MD5: 6fc8a76c4606f4e0c199162161ab6854
SHA1: 42ff5e6e1f1178a29c3fe720c248170256f83d9a
SHA256: ccbc6a74626567264f1bc84237621a994a248191018940efe1c82043a8a95c2a
SHA512: 5b35200c0391ab13626d1aecb801fddd00ea21cebfb2bb367c0d3c50cd4b5ca4cae1aebe317e729ffdf6866b78bd12c3dc406f1b46a0cac80660719dc51437e4

Filesize: 5.2MB
MD5: 984ec1c7d7831beba4ccfb0ad1cf72b8
SHA1: 9154cc40e8a0fa9a916988b00f8b99abb2f3652d
SHA256: 40d35216de7cac7f97cca60ddd6b448b285fb5bfdb2ce5cb2bdd080a1b509933
SHA512: 876ffd325d9876cf719987acfa058fe0c1d30d437fc6c9863dadd4ce80f94ca6b864af3858e239b3779ac4fe4328d407526ce960127c39f94b7874e71a759281

Filesize: 5.2MB
MD5: bd869351799d1cef85888dbc8c8187ce
SHA1: 07347084e96351d191be0cea0d0ab4bc183963e2
SHA256: c12433ab949eb8ff62ed3c230d0a9f13d2d81cffb3d9dcbed1588169d71e337e
SHA512: 4bc0eb581a26ee4f2845a78098615c080cd0863f2150ca6b0a56d225395af889287b5aa3f16c251ac43848441392800879441e064c3ade55b5d12ae9a842df0e

Filesize: 5.2MB
MD5: b02bd766152ac90996b419cf56322d0e
SHA1: 2fcd538f57973ff279ed1b8b0bc89d3f82b4d356
SHA256: 310cfc7bde44f3da8f0dd10653d68749a26f7c3be9e7c9fbfc90bd0507200cb5
SHA512: 16520285639b1c8c020ca3fa777bdd1de0cdaa4d55d79eeb7a6844ba560a1a5fd8584b56bea47146667a741da510a1744d437d7bacfd3849884abbcefbc224e4

Filesize: 5.2MB
MD5: e54acdea613c89dd33f91f46e1022ed9
SHA1: d21e4d3bc5590304fecaed426f5afc692d9ac71b
SHA256: c821561057e49dc0245558e33d0dac5477cc92820e46c025925650de9976ef7d
SHA512: f34ca1dcf67a6ef98b05d235929bf284008fcffdacdff11a9c3af6034f0bdd5cbe9eefdcf61bc2e909b5e7b921e127b87788de233cfda8f21037cd74a8422da4

Filesize: 5.2MB
MD5: 09e27e351afd51464124b1ad9735f0d1
SHA1: cca2425a7a31fdcf18345b002d1fe4b0eec8b240
SHA256: c0892aad7af0bcfac82e106b2929e7f49f1c3c5452953f3780b84e1bde227022
SHA512: f419a9c1d5ac7e4a7a2d3caccae6791c2fe00673cbca54c8a78d669a8ba945395c6f1c667adc62780dc776a6579bf8d5914f98a1d93acf02af67230ac0a38088

Filesize: 5.2MB
MD5: 1dcf143d8abd965ed74c66c6879b881e
SHA1: 9dc553fb0d0989084dc7843ede39360b3ffad0d3
SHA256: e7becec63235324355e4eed45936b2b5bb9f989444b6ca5a0a48023a59b350f7
SHA512: 2e1ffb75779bdafa91b7c97da7ad34c27c44d4798f2a79df6759d2d3331d8c19df05749eb2ff4a38b492c688380e739dfd327da5a57c418d8c7d03a29c37a87d

Filesize: 5.2MB
MD5: 529f4a038cdb4a12b53ddc6eeba61c85
SHA1: 529af4aecb5bd9b78d46b2afc9575ac30ff841d0
SHA256: 5cd820fa8ed9a5cfa3d7c9374a20e9d6d325dd5e1faa77315b8f135884c44e1c
SHA512: ee8ddbe80e7544f2620ea564e789558fff23f73383e27f3ebbf9ed264a35af0f702ffac965c364b96d853ebf4be54ec9de67b9fc10843e8e44981a031975d74c

Filesize: 5.2MB
MD5: 372b056158c2b35c571a2ffb8f660b65
SHA1: 17c21a7c077eaa980212775011a6d1c801319560
SHA256: edecfbb018b0035a50ebaba9c6262ac433561994979a99b639f37209f80c5642
SHA512: 68efa700b90b0a311833597e5829fd3bb5b6369fb4f852c3e4bdd864fde8a00cd29129971498d7268fc5650aa6fcd0128e5d495d35069219791a256174baf3a5

Filesize: 5.2MB
MD5: f292b33bac174da1ae30a66a4f1d89a5
SHA1: 54809d7b0b9661a209312e966b67fb02f4615d0e
SHA256: f1bdfb62164f790b964df5f64bebc897dd753707b438dc30895fc75f72f33e30
SHA512: 90ba7b1719f874f5f2ae942cf75196f861286a169a775efbd746eb5d88d3b4725706c8a14799b867fb21d09831f896c4198d33f0181b18a4930254f1816dbee1

Filesize: 5.2MB
MD5: 0fcd6d5054f75ca8bb83e31006edfb0e
SHA1: d12d61a078f64f4b228754847e37e63197205cb6
SHA256: ed598494c1d15f9240606172faab3f817c87e1a527af8fef9fe0ab5351f020d5
SHA512: 3725b73bd33003f6a0155cc0d059529010f7e9e0b71277cf072a70107c6ba01c6a24a9f1e97e7e871e951ec5a06fab16cbc34fd082ba98c327323ebb4ba51ddb

Filesize: 5.2MB
MD5: 52bbc5f741f3d86284f36f03b317c435
SHA1: a04787aca5e710b8f017c8c8d46a17758dc7a324
SHA256: 2335d0beceacd22df07cac3a6b0ff009fb382fad14909ab338ba8693938aad3b
SHA512: 98c96ef0af80a09640f322ad5b544808e695c74b0b7e978c562d860ced82434a9e2dd5e16ce4f84c72b67f9173a1643f2af3d8d51b0105bb4dfe9b09c42ba3b1

Filesize: 5.2MB
MD5: da05abc8a2c2a0dd39d7c25c4a754f0d
SHA1: d02c7241816b624c2264791c2be7f22afd32f09e
SHA256: 5b8e3f0cbc0b0b7ad3dbbc6b32efc45012c8bdb61ea44f0e52dc52bf4ba13524
SHA512: 2a638af7fb06ce837752391fff753a1dab4c75b203b4be257c91775df5cde4225d7b1be8b2a529b2dc4f9ad967f16935f0980f92c8636542cfb8ddee4c6e066a