Analysis
- max time kernel: 149s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15/08/2024, 11:01
Behavioral task: behavioral1
- Sample: 2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe
- Resource: win7-20240705-en
General
- Target: 2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe
- Size: 5.2MB
- MD5: ddd5e6f488edeb3eee9c165ac82416da
- SHA1: 0a164882faf9d0239927a201231b428e66c56033
- SHA256: adbbbb5c503eeb2c46a67da165a78d102f44b56fdb868be6fc1dcea4cf773ed5
- SHA512: c758a098dea939845229f4862865d402e04ab46b52ce3df80da45e42febe8dba414a7173faca734d452ae82bfc1bf6240ed4bc0ed31750a5ae880a60a8e02559
- SSDEEP: 49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6ld:RWWBibf56utgpPFotBER/mQ32lUB
Malware Config

Extracted
- family: cobaltstrike
- botnet: 0
- C2:
  http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
  http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
  http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- access_type: 512
- beacon_type: 256
- create_remote_thread: 768
- crypto_scheme: 256
- host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http_header1:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_header2:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
- http_method1: GET
- http_method2: POST
- maxdns: 255
- pipe_name: \\%s\pipe\msagent_%x
- polling_time: 5000
- port_number: 443
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 4096
- unknown2:
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /N4215/adj/amzn.us.sr.aps
- user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
- watermark: 0
Signatures

Cobalt Strike reflective loader (21 IoCs)
Detects the reflective loader used by Cobalt Strike.
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.

XMRig Miner payload (46 IoCs)

Executes dropped EXE (21 IoCs)
yara_rule upx: matches on all 21 dropped .dat resources and on the memory dumps of the parent process (PID 2904) and of all 21 dropped executables.

Drops file in Windows directory (21 IoCs)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeLockMemoryPrivilege | 2904 | 2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege | 2904 | 2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory (42 IoCs)
Processes

1. C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe (PID 2904)
   command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe"
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

2. Child processes of PID 2904 (each launched with its own path as the command line; each matches "Executes dropped EXE"):
   - C:\Windows\System\IOTMwSz.exe (PID 3056)
   - C:\Windows\System\gzDRNXB.exe (PID 2480)
   - C:\Windows\System\uQwhfUo.exe (PID 1968)
   - C:\Windows\System\SwsfjSk.exe (PID 2680)
   - C:\Windows\System\pgvyVBo.exe (PID 5100)
   - C:\Windows\System\rSaVfql.exe (PID 4976)
   - C:\Windows\System\lThwaNh.exe (PID 1576)
   - C:\Windows\System\GtBUiZj.exe (PID 3012)
   - C:\Windows\System\LqnJnEy.exe (PID 2092)
   - C:\Windows\System\aurhctJ.exe (PID 3508)
   - C:\Windows\System\hYviYFd.exe (PID 3176)
   - C:\Windows\System\jIhdwjV.exe (PID 2028)
   - C:\Windows\System\SAOPNeu.exe (PID 5076)
   - C:\Windows\System\txMcfwV.exe (PID 1828)
   - C:\Windows\System\UCZUgxk.exe (PID 3768)
   - C:\Windows\System\uGkiiwM.exe (PID 3464)
   - C:\Windows\System\whRiMlQ.exe (PID 228)
   - C:\Windows\System\BweNqWy.exe (PID 3192)
   - C:\Windows\System\TbLijzA.exe (PID 3828)
   - C:\Windows\System\oWrGCQV.exe (PID 2524)
   - C:\Windows\System\jljTLla.exe (PID 4436)
Downloads: 21 dropped files, each 5.2MB