Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 146s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15/08/2024, 11:00
Behavioral task
behavioral1
- Sample: 2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe
- Resource: win7-20240708-en
General
- Target: 2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe
- Size: 5.2MB
- MD5: d0b6a56ca169a924433de55a0cca097c
- SHA1: 4ae7c9fed720df27e264081ed269f628e8732669
- SHA256: 663e486d3adffcfcf63f008e7f6d79a5657b699393e770dbe7d86594800cfed8
- SHA512: 76abcc56ad7b305edd9e0ac432e573c9d77a0b7a8c6b4d8df7fbd9593f47a0dd5f83d351c8053faebb69aedf83045fbacc774f0661a19d2508ae8a286d6095d4
- SSDEEP: 49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lx:RWWBibf56utgpPFotBER/mQ32lUl
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- access_type: 512
- beacon_type: 256
- create_remote_thread: 768
- crypto_scheme: 256
- host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http_header1: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_header2: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
- http_method1: GET
- http_method2: POST
- maxdns: 255
- pipe_name: \\%s\pipe\msagent_%x
- polling_time: 5000
- port_number: 443
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 4096
- unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /N4215/adj/amzn.us.sr.aps
- user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
- watermark: 0
Signatures
-
Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
XMRig Miner payload 46 IoCs
Executes dropped EXE 21 IoCs
Drops file in Windows directory 21 IoCs
Suspicious use of AdjustPrivilegeToken 2 IoCs
- Token: SeLockMemoryPrivilege, PID 3316, 2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe
- Token: SeLockMemoryPrivilege, PID 3316, 2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe
Suspicious use of WriteProcessMemory 42 IoCs
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe (PID 3316)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System\RDrPIHG.exe (PID 4340): Executes dropped EXE
  - C:\Windows\System\QZhKLGE.exe (PID 3020): Executes dropped EXE
  - C:\Windows\System\yLPirLN.exe (PID 4700): Executes dropped EXE
  - C:\Windows\System\zttRKXv.exe (PID 1208): Executes dropped EXE
  - C:\Windows\System\oJmqUEE.exe (PID 4604): Executes dropped EXE
  - C:\Windows\System\WqKphhj.exe (PID 4936): Executes dropped EXE
  - C:\Windows\System\ooAWzoG.exe (PID 4588): Executes dropped EXE
  - C:\Windows\System\LKVSTmT.exe (PID 2188): Executes dropped EXE
  - C:\Windows\System\rjASony.exe (PID 1388): Executes dropped EXE
  - C:\Windows\System\szVbeFR.exe (PID 2892): Executes dropped EXE
  - C:\Windows\System\GltztZE.exe (PID 2692): Executes dropped EXE
  - C:\Windows\System\yvaIpBh.exe (PID 1180): Executes dropped EXE
  - C:\Windows\System\ubYattX.exe (PID 2940): Executes dropped EXE
  - C:\Windows\System\RtjylDl.exe (PID 4496): Executes dropped EXE
  - C:\Windows\System\BmIJUKm.exe (PID 2820): Executes dropped EXE
  - C:\Windows\System\PcssotQ.exe (PID 1500): Executes dropped EXE
  - C:\Windows\System\yRudPDB.exe (PID 4024): Executes dropped EXE
  - C:\Windows\System\vPpejou.exe (PID 812): Executes dropped EXE
  - C:\Windows\System\bTQzGuJ.exe (PID 3428): Executes dropped EXE
  - C:\Windows\System\oiVgvxV.exe (PID 3968): Executes dropped EXE
  - C:\Windows\System\VzrNtfo.exe (PID 1680): Executes dropped EXE
Downloads