Analysis
- max time kernel: 147s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15/08/2024, 10:57
Behavioral task: behavioral1
- Sample: 2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe
- Resource: win7-20240708-en
General
- Target: 2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe
- Size: 5.2MB
- MD5: c0d0caf16015e4abc80ef880d1ee70a4
- SHA1: 04cd43a27aa30de9b7b2ed141904a2a70c018c97
- SHA256: 3069a6de07f662a26e2a3437fe52217c9a15adf04fe874cdb1400e2e02c424ff
- SHA512: 8e4c6bc6a967e529ba2619db3d20fd64cd07edc4db4a837e7ff74092db83d2f6c0809aeac189d9c2d3c2e0a8923b96a2366bcc6b1b00e158c7a44ba71ee76231
- SSDEEP: 49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l7:RWWBibf56utgpPFotBER/mQ32lUf
Malware Config
Extracted: cobaltstrike
0
- http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- access_type: 512
- beacon_type: 256
- create_remote_thread: 768
- crypto_scheme: 256
- host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http_header1: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_header2: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
- http_method1: GET
- http_method2: POST
- maxdns: 255
- pipe_name: \\%s\pipe\msagent_%x
- polling_time: 5000
- port_number: 443
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 4096
- unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /N4215/adj/amzn.us.sr.aps
- user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
- watermark: 0
Signatures
- Cobalt Strike reflective loader (21 IoCs): Detects the reflective loader used by Cobalt Strike.
- Cobaltstrike: Detected malicious payload which is part of Cobaltstrike.
- XMRig Miner payload (45 IoCs)
- Executes dropped EXE (21 IoCs)
  pid   Process
  2928  oCNkWBE.exe
  4204  BoVhDri.exe
  3264  yupbCAE.exe
  4176  dOsXKEK.exe
  2400  uohQmpO.exe
  4136  hSxugZd.exe
  2792  STLQWwd.exe
  1780  YUHkCbh.exe
  4080  PExfcIp.exe
  3412  lvDlcLe.exe
  1968  jLGIUVH.exe
  4912  fTnyuGT.exe
  1772  lsnhxXi.exe
  1304  MavRxau.exe
  4872  gkarGgw.exe
  4496  qusmDKR.exe
  1240  BvaQCpT.exe
  2344  RwWjnEp.exe
  920   IDmWotI.exe
  3420  MDapRlI.exe
  1104  MKOdFkY.exe
- Drops file in Windows directory (21 IoCs)
  description   ioc   Process
  File created  C:\Windows\System\gkarGgw.exe  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe
  File created  C:\Windows\System\BoVhDri.exe  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe
  File created  C:\Windows\System\yupbCAE.exe  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe
  File created  C:\Windows\System\dOsXKEK.exe  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe
  File created  C:\Windows\System\uohQmpO.exe  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe
  File created  C:\Windows\System\jLGIUVH.exe  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe
  File created  C:\Windows\System\fTnyuGT.exe  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe
  File created  C:\Windows\System\MavRxau.exe  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe
  File created  C:\Windows\System\qusmDKR.exe  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe
  File created  C:\Windows\System\IDmWotI.exe  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe
  File created  C:\Windows\System\MKOdFkY.exe  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe
  File created  C:\Windows\System\hSxugZd.exe  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe
  File created  C:\Windows\System\STLQWwd.exe  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe
  File created  C:\Windows\System\BvaQCpT.exe  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe
  File created  C:\Windows\System\RwWjnEp.exe  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe
  File created  C:\Windows\System\oCNkWBE.exe  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe
  File created  C:\Windows\System\YUHkCbh.exe  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe
  File created  C:\Windows\System\PExfcIp.exe  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe
  File created  C:\Windows\System\lvDlcLe.exe  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe
  File created  C:\Windows\System\lsnhxXi.exe  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe
  File created  C:\Windows\System\MDapRlI.exe  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description   pid   Process
  Token: SeLockMemoryPrivilege  2652  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe
  Token: SeLockMemoryPrivilege  2652  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe
- Suspicious use of WriteProcessMemory (42 IoCs)
  description   pid   Process   procid_target
  PID 2652 wrote to memory of 2928  2652  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe  87
  PID 2652 wrote to memory of 2928  2652  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe  87
  PID 2652 wrote to memory of 4204  2652  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe  88
  PID 2652 wrote to memory of 4204  2652  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe  88
  PID 2652 wrote to memory of 3264  2652  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe  89
  PID 2652 wrote to memory of 3264  2652  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe  89
  PID 2652 wrote to memory of 4176  2652  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe  90
  PID 2652 wrote to memory of 4176  2652  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe  90
  PID 2652 wrote to memory of 2400  2652  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe  91
  PID 2652 wrote to memory of 2400  2652  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe  91
  PID 2652 wrote to memory of 4136  2652  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe  92
  PID 2652 wrote to memory of 4136  2652  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe  92
  PID 2652 wrote to memory of 2792  2652  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe  93
  PID 2652 wrote to memory of 2792  2652  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe  93
  PID 2652 wrote to memory of 1780  2652  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe  94
  PID 2652 wrote to memory of 1780  2652  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe  94
  PID 2652 wrote to memory of 4080  2652  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe  95
  PID 2652 wrote to memory of 4080  2652  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe  95
  PID 2652 wrote to memory of 3412  2652  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe  96
  PID 2652 wrote to memory of 3412  2652  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe  96
  PID 2652 wrote to memory of 1968  2652  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe  97
  PID 2652 wrote to memory of 1968  2652  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe  97
  PID 2652 wrote to memory of 4912  2652  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe  98
  PID 2652 wrote to memory of 4912  2652  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe  98
  PID 2652 wrote to memory of 1772  2652  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe  99
  PID 2652 wrote to memory of 1772  2652  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe  99
  PID 2652 wrote to memory of 1304  2652  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe  100
  PID 2652 wrote to memory of 1304  2652  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe  100
  PID 2652 wrote to memory of 4872  2652  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe  101
  PID 2652 wrote to memory of 4872  2652  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe  101
  PID 2652 wrote to memory of 4496  2652  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe  102
  PID 2652 wrote to memory of 4496  2652  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe  102
  PID 2652 wrote to memory of 1240  2652  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe  103
  PID 2652 wrote to memory of 1240  2652  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe  103
  PID 2652 wrote to memory of 2344  2652  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe  104
  PID 2652 wrote to memory of 2344  2652  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe  104
  PID 2652 wrote to memory of 920   2652  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe  107
  PID 2652 wrote to memory of 920   2652  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe  107
  PID 2652 wrote to memory of 3420  2652  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe  108
  PID 2652 wrote to memory of 3420  2652  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe  108
  PID 2652 wrote to memory of 1104  2652  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe  110
  PID 2652 wrote to memory of 1104  2652  2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe  110
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe (PID 2652), command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System\oCNkWBE.exe (PID 2928), command line: C:\Windows\System\oCNkWBE.exe
    - Executes dropped EXE
  - C:\Windows\System\BoVhDri.exe (PID 4204), command line: C:\Windows\System\BoVhDri.exe
    - Executes dropped EXE
  - C:\Windows\System\yupbCAE.exe (PID 3264), command line: C:\Windows\System\yupbCAE.exe
    - Executes dropped EXE
  - C:\Windows\System\dOsXKEK.exe (PID 4176), command line: C:\Windows\System\dOsXKEK.exe
    - Executes dropped EXE
  - C:\Windows\System\uohQmpO.exe (PID 2400), command line: C:\Windows\System\uohQmpO.exe
    - Executes dropped EXE
  - C:\Windows\System\hSxugZd.exe (PID 4136), command line: C:\Windows\System\hSxugZd.exe
    - Executes dropped EXE
  - C:\Windows\System\STLQWwd.exe (PID 2792), command line: C:\Windows\System\STLQWwd.exe
    - Executes dropped EXE
  - C:\Windows\System\YUHkCbh.exe (PID 1780), command line: C:\Windows\System\YUHkCbh.exe
    - Executes dropped EXE
  - C:\Windows\System\PExfcIp.exe (PID 4080), command line: C:\Windows\System\PExfcIp.exe
    - Executes dropped EXE
  - C:\Windows\System\lvDlcLe.exe (PID 3412), command line: C:\Windows\System\lvDlcLe.exe
    - Executes dropped EXE
  - C:\Windows\System\jLGIUVH.exe (PID 1968), command line: C:\Windows\System\jLGIUVH.exe
    - Executes dropped EXE
  - C:\Windows\System\fTnyuGT.exe (PID 4912), command line: C:\Windows\System\fTnyuGT.exe
    - Executes dropped EXE
  - C:\Windows\System\lsnhxXi.exe (PID 1772), command line: C:\Windows\System\lsnhxXi.exe
    - Executes dropped EXE
  - C:\Windows\System\MavRxau.exe (PID 1304), command line: C:\Windows\System\MavRxau.exe
    - Executes dropped EXE
  - C:\Windows\System\gkarGgw.exe (PID 4872), command line: C:\Windows\System\gkarGgw.exe
    - Executes dropped EXE
  - C:\Windows\System\qusmDKR.exe (PID 4496), command line: C:\Windows\System\qusmDKR.exe
    - Executes dropped EXE
  - C:\Windows\System\BvaQCpT.exe (PID 1240), command line: C:\Windows\System\BvaQCpT.exe
    - Executes dropped EXE
  - C:\Windows\System\RwWjnEp.exe (PID 2344), command line: C:\Windows\System\RwWjnEp.exe
    - Executes dropped EXE
  - C:\Windows\System\IDmWotI.exe (PID 920), command line: C:\Windows\System\IDmWotI.exe
    - Executes dropped EXE
  - C:\Windows\System\MDapRlI.exe (PID 3420), command line: C:\Windows\System\MDapRlI.exe
    - Executes dropped EXE
  - C:\Windows\System\MKOdFkY.exe (PID 1104), command line: C:\Windows\System\MKOdFkY.exe
    - Executes dropped EXE
Downloads