Analysis
- max time kernel: 140s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15/08/2024, 11:03
Behavioral task: behavioral1
- Sample: 2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe
- Resource: win7-20240729-en
General
- Target: 2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe
- Size: 5.2MB
- MD5: e76bccd527aa4169d316c7bd1606a974
- SHA1: 51946f0f8349bdabacc6eea67f5d3388ce571e19
- SHA256: f66917555a3646dfcedf582dee6c9ed319ad8f1c6c4d21fe641f1717fee68cc0
- SHA512: 47f89fa8b5b3a77b572f859124cf1246240e6d208aa87821c33b339504ebb949dacf2f52f02fc258037db558cc705c9d2288100aa4e7effc05d04587f74ff5d5
- SSDEEP: 49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l8:RWWBibf56utgpPFotBER/mQ32lUw
Malware Config
Extracted family: cobaltstrike
- 0:
  http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
  http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
  http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- access_type: 512
- beacon_type: 256
- create_remote_thread: 768
- crypto_scheme: 256
- host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http_header1: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_header2: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
- http_method1: GET
- http_method2: POST
- maxdns: 255
- pipe_name: \\%s\pipe\msagent_%x
- polling_time: 5000
- port_number: 443
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 4096
- unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /N4215/adj/amzn.us.sr.aps
- user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
- watermark: 0
Signatures

- Cobalt Strike reflective loader (21 IoCs)
  Detects the reflective loader used by Cobalt Strike.
  resource | yara_rule
  behavioral2/files/0x000800000002347a-5.dat | cobalt_reflective_dll
  behavioral2/files/0x000700000002347e-11.dat | cobalt_reflective_dll
  behavioral2/files/0x000700000002347f-15.dat | cobalt_reflective_dll
  behavioral2/files/0x0007000000023480-23.dat | cobalt_reflective_dll
  behavioral2/files/0x0007000000023481-30.dat | cobalt_reflective_dll
  behavioral2/files/0x0007000000023482-35.dat | cobalt_reflective_dll
  behavioral2/files/0x0007000000023483-41.dat | cobalt_reflective_dll
  behavioral2/files/0x0007000000023484-47.dat | cobalt_reflective_dll
  behavioral2/files/0x000800000002347b-52.dat | cobalt_reflective_dll
  behavioral2/files/0x0007000000023487-70.dat | cobalt_reflective_dll
  behavioral2/files/0x0007000000023488-80.dat | cobalt_reflective_dll
  behavioral2/files/0x0007000000023489-91.dat | cobalt_reflective_dll
  behavioral2/files/0x000700000002348a-95.dat | cobalt_reflective_dll
  behavioral2/files/0x0007000000023486-72.dat | cobalt_reflective_dll
  behavioral2/files/0x0007000000023485-60.dat | cobalt_reflective_dll
  behavioral2/files/0x000700000002348b-103.dat | cobalt_reflective_dll
  behavioral2/files/0x000700000002348f-122.dat | cobalt_reflective_dll
  behavioral2/files/0x0007000000023490-126.dat | cobalt_reflective_dll
  behavioral2/files/0x0007000000023491-137.dat | cobalt_reflective_dll
  behavioral2/files/0x000800000002348e-118.dat | cobalt_reflective_dll
  behavioral2/files/0x000800000002348c-114.dat | cobalt_reflective_dll

- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.

- XMRig Miner payload (45 IoCs)
  resource | yara_rule
  behavioral2/memory/2128-54-0x00007FF6B40F0000-0x00007FF6B4441000-memory.dmp | xmrig
  behavioral2/memory/4704-59-0x00007FF61DF90000-0x00007FF61E2E1000-memory.dmp | xmrig
  behavioral2/memory/3452-71-0x00007FF6C4C40000-0x00007FF6C4F91000-memory.dmp | xmrig
  behavioral2/memory/5040-81-0x00007FF60CD00000-0x00007FF60D051000-memory.dmp | xmrig
  behavioral2/memory/4724-87-0x00007FF6560E0000-0x00007FF656431000-memory.dmp | xmrig
  behavioral2/memory/3640-96-0x00007FF70CAC0000-0x00007FF70CE11000-memory.dmp | xmrig
  behavioral2/memory/1900-79-0x00007FF7203A0000-0x00007FF7206F1000-memory.dmp | xmrig
  behavioral2/memory/1216-65-0x00007FF6C12C0000-0x00007FF6C1611000-memory.dmp | xmrig
  behavioral2/memory/1968-117-0x00007FF661F80000-0x00007FF6622D1000-memory.dmp | xmrig
  behavioral2/memory/2440-132-0x00007FF698770000-0x00007FF698AC1000-memory.dmp | xmrig
  behavioral2/memory/4856-131-0x00007FF7266D0000-0x00007FF726A21000-memory.dmp | xmrig
  behavioral2/memory/2236-102-0x00007FF708270000-0x00007FF7085C1000-memory.dmp | xmrig
  behavioral2/memory/2676-53-0x00007FF6704B0000-0x00007FF670801000-memory.dmp | xmrig
  behavioral2/memory/1072-139-0x00007FF6E0A30000-0x00007FF6E0D81000-memory.dmp | xmrig
  behavioral2/memory/3352-141-0x00007FF7B2BF0000-0x00007FF7B2F41000-memory.dmp | xmrig
  behavioral2/memory/2128-140-0x00007FF6B40F0000-0x00007FF6B4441000-memory.dmp | xmrig
  behavioral2/memory/1080-150-0x00007FF70C130000-0x00007FF70C481000-memory.dmp | xmrig
  behavioral2/memory/1816-151-0x00007FF6A4620000-0x00007FF6A4971000-memory.dmp | xmrig
  behavioral2/memory/1752-161-0x00007FF72F6C0000-0x00007FF72FA11000-memory.dmp | xmrig
  behavioral2/memory/2376-160-0x00007FF6163B0000-0x00007FF616701000-memory.dmp | xmrig
  behavioral2/memory/4148-167-0x00007FF6A0B90000-0x00007FF6A0EE1000-memory.dmp | xmrig
  behavioral2/memory/976-165-0x00007FF61F6E0000-0x00007FF61FA31000-memory.dmp | xmrig
  behavioral2/memory/4544-166-0x00007FF688120000-0x00007FF688471000-memory.dmp | xmrig
  behavioral2/memory/2128-168-0x00007FF6B40F0000-0x00007FF6B4441000-memory.dmp | xmrig
  behavioral2/memory/4704-219-0x00007FF61DF90000-0x00007FF61E2E1000-memory.dmp | xmrig
  behavioral2/memory/3452-221-0x00007FF6C4C40000-0x00007FF6C4F91000-memory.dmp | xmrig
  behavioral2/memory/1900-223-0x00007FF7203A0000-0x00007FF7206F1000-memory.dmp | xmrig
  behavioral2/memory/4724-229-0x00007FF6560E0000-0x00007FF656431000-memory.dmp | xmrig
  behavioral2/memory/5040-230-0x00007FF60CD00000-0x00007FF60D051000-memory.dmp | xmrig
  behavioral2/memory/3640-232-0x00007FF70CAC0000-0x00007FF70CE11000-memory.dmp | xmrig
  behavioral2/memory/2236-234-0x00007FF708270000-0x00007FF7085C1000-memory.dmp | xmrig
  behavioral2/memory/2676-241-0x00007FF6704B0000-0x00007FF670801000-memory.dmp | xmrig
  behavioral2/memory/1216-243-0x00007FF6C12C0000-0x00007FF6C1611000-memory.dmp | xmrig
  behavioral2/memory/1968-245-0x00007FF661F80000-0x00007FF6622D1000-memory.dmp | xmrig
  behavioral2/memory/4856-250-0x00007FF7266D0000-0x00007FF726A21000-memory.dmp | xmrig
  behavioral2/memory/2440-252-0x00007FF698770000-0x00007FF698AC1000-memory.dmp | xmrig
  behavioral2/memory/3352-255-0x00007FF7B2BF0000-0x00007FF7B2F41000-memory.dmp | xmrig
  behavioral2/memory/1072-256-0x00007FF6E0A30000-0x00007FF6E0D81000-memory.dmp | xmrig
  behavioral2/memory/1080-258-0x00007FF70C130000-0x00007FF70C481000-memory.dmp | xmrig
  behavioral2/memory/1816-263-0x00007FF6A4620000-0x00007FF6A4971000-memory.dmp | xmrig
  behavioral2/memory/2376-265-0x00007FF6163B0000-0x00007FF616701000-memory.dmp | xmrig
  behavioral2/memory/1752-269-0x00007FF72F6C0000-0x00007FF72FA11000-memory.dmp | xmrig
  behavioral2/memory/4148-271-0x00007FF6A0B90000-0x00007FF6A0EE1000-memory.dmp | xmrig
  behavioral2/memory/976-273-0x00007FF61F6E0000-0x00007FF61FA31000-memory.dmp | xmrig
  behavioral2/memory/4544-275-0x00007FF688120000-0x00007FF688471000-memory.dmp | xmrig

- Executes dropped EXE (21 IoCs)
  pid | Process
  4704 | TwGFYYe.exe
  3452 | rMypbHi.exe
  1900 | OTGiQUE.exe
  5040 | AtnPdvm.exe
  4724 | RBLjMRA.exe
  3640 | SyxnKlx.exe
  2236 | LiVNNkt.exe
  2676 | BKxeetH.exe
  1968 | BQhCHDI.exe
  1216 | EmtLUfQ.exe
  4856 | JDkThKw.exe
  2440 | YWllxMg.exe
  1072 | ubvshGD.exe
  3352 | nxWPCuc.exe
  1080 | qGunXNt.exe
  1816 | CTmlgvI.exe
  2376 | VicMluU.exe
  1752 | cxBoWmx.exe
  4148 | xPJxGoI.exe
  976 | WyGZlYz.exe
  4544 | UVyedPH.exe

- yara_rule hits: upx
  resource | yara_rule
  behavioral2/memory/2128-0-0x00007FF6B40F0000-0x00007FF6B4441000-memory.dmp | upx
  behavioral2/files/0x000800000002347a-5.dat | upx
  behavioral2/memory/4704-7-0x00007FF61DF90000-0x00007FF61E2E1000-memory.dmp | upx
  behavioral2/files/0x000700000002347e-11.dat | upx
  behavioral2/files/0x000700000002347f-15.dat | upx
  behavioral2/memory/1900-17-0x00007FF7203A0000-0x00007FF7206F1000-memory.dmp | upx
  behavioral2/files/0x0007000000023480-23.dat | upx
  behavioral2/files/0x0007000000023481-30.dat | upx
  behavioral2/files/0x0007000000023482-35.dat | upx
  behavioral2/memory/3640-36-0x00007FF70CAC0000-0x00007FF70CE11000-memory.dmp | upx
  behavioral2/files/0x0007000000023483-41.dat | upx
  behavioral2/memory/2236-42-0x00007FF708270000-0x00007FF7085C1000-memory.dmp | upx
  behavioral2/memory/4724-32-0x00007FF6560E0000-0x00007FF656431000-memory.dmp | upx
  behavioral2/memory/5040-24-0x00007FF60CD00000-0x00007FF60D051000-memory.dmp | upx
  behavioral2/memory/3452-12-0x00007FF6C4C40000-0x00007FF6C4F91000-memory.dmp | upx
  behavioral2/files/0x0007000000023484-47.dat | upx
  behavioral2/files/0x000800000002347b-52.dat | upx
  behavioral2/memory/2128-54-0x00007FF6B40F0000-0x00007FF6B4441000-memory.dmp | upx
  behavioral2/memory/4704-59-0x00007FF61DF90000-0x00007FF61E2E1000-memory.dmp | upx
  behavioral2/files/0x0007000000023487-70.dat | upx
  behavioral2/memory/3452-71-0x00007FF6C4C40000-0x00007FF6C4F91000-memory.dmp | upx
  behavioral2/files/0x0007000000023488-80.dat | upx
  behavioral2/memory/5040-81-0x00007FF60CD00000-0x00007FF60D051000-memory.dmp | upx
  behavioral2/memory/4724-87-0x00007FF6560E0000-0x00007FF656431000-memory.dmp | upx
  behavioral2/files/0x0007000000023489-91.dat | upx
  behavioral2/memory/3352-88-0x00007FF7B2BF0000-0x00007FF7B2F41000-memory.dmp | upx
  behavioral2/files/0x000700000002348a-95.dat | upx
  behavioral2/memory/1080-97-0x00007FF70C130000-0x00007FF70C481000-memory.dmp | upx
  behavioral2/memory/3640-96-0x00007FF70CAC0000-0x00007FF70CE11000-memory.dmp | upx
  behavioral2/memory/1072-82-0x00007FF6E0A30000-0x00007FF6E0D81000-memory.dmp | upx
  behavioral2/memory/1900-79-0x00007FF7203A0000-0x00007FF7206F1000-memory.dmp | upx
  behavioral2/memory/2440-75-0x00007FF698770000-0x00007FF698AC1000-memory.dmp | upx
  behavioral2/memory/4856-73-0x00007FF7266D0000-0x00007FF726A21000-memory.dmp | upx
  behavioral2/files/0x0007000000023486-72.dat | upx
  behavioral2/memory/1216-65-0x00007FF6C12C0000-0x00007FF6C1611000-memory.dmp | upx
  behavioral2/files/0x0007000000023485-60.dat | upx
  behavioral2/memory/1968-57-0x00007FF661F80000-0x00007FF6622D1000-memory.dmp | upx
  behavioral2/files/0x000700000002348b-103.dat | upx
  behavioral2/memory/1968-117-0x00007FF661F80000-0x00007FF6622D1000-memory.dmp | upx
  behavioral2/files/0x000700000002348f-122.dat | upx
  behavioral2/files/0x0007000000023490-126.dat | upx
  behavioral2/files/0x0007000000023491-137.dat | upx
  behavioral2/memory/4544-135-0x00007FF688120000-0x00007FF688471000-memory.dmp | upx
  behavioral2/memory/976-133-0x00007FF61F6E0000-0x00007FF61FA31000-memory.dmp | upx
  behavioral2/memory/2440-132-0x00007FF698770000-0x00007FF698AC1000-memory.dmp | upx
  behavioral2/memory/4856-131-0x00007FF7266D0000-0x00007FF726A21000-memory.dmp | upx
  behavioral2/memory/4148-125-0x00007FF6A0B90000-0x00007FF6A0EE1000-memory.dmp | upx
  behavioral2/files/0x000800000002348e-118.dat | upx
  behavioral2/memory/1752-116-0x00007FF72F6C0000-0x00007FF72FA11000-memory.dmp | upx
  behavioral2/files/0x000800000002348c-114.dat | upx
  behavioral2/memory/2376-113-0x00007FF6163B0000-0x00007FF616701000-memory.dmp | upx
  behavioral2/memory/1816-106-0x00007FF6A4620000-0x00007FF6A4971000-memory.dmp | upx
  behavioral2/memory/2236-102-0x00007FF708270000-0x00007FF7085C1000-memory.dmp | upx
  behavioral2/memory/2676-53-0x00007FF6704B0000-0x00007FF670801000-memory.dmp | upx
  behavioral2/memory/1072-139-0x00007FF6E0A30000-0x00007FF6E0D81000-memory.dmp | upx
  behavioral2/memory/3352-141-0x00007FF7B2BF0000-0x00007FF7B2F41000-memory.dmp | upx
  behavioral2/memory/2128-140-0x00007FF6B40F0000-0x00007FF6B4441000-memory.dmp | upx
  behavioral2/memory/1080-150-0x00007FF70C130000-0x00007FF70C481000-memory.dmp | upx
  behavioral2/memory/1816-151-0x00007FF6A4620000-0x00007FF6A4971000-memory.dmp | upx
  behavioral2/memory/1752-161-0x00007FF72F6C0000-0x00007FF72FA11000-memory.dmp | upx
  behavioral2/memory/2376-160-0x00007FF6163B0000-0x00007FF616701000-memory.dmp | upx
  behavioral2/memory/4148-167-0x00007FF6A0B90000-0x00007FF6A0EE1000-memory.dmp | upx
  behavioral2/memory/976-165-0x00007FF61F6E0000-0x00007FF61FA31000-memory.dmp | upx
  behavioral2/memory/4544-166-0x00007FF688120000-0x00007FF688471000-memory.dmp | upx

- Drops file in Windows directory (21 IoCs)
  Process for every row: 2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe
  description | ioc
  File created | C:\Windows\System\BQhCHDI.exe
  File created | C:\Windows\System\WyGZlYz.exe
  File created | C:\Windows\System\UVyedPH.exe
  File created | C:\Windows\System\RBLjMRA.exe
  File created | C:\Windows\System\SyxnKlx.exe
  File created | C:\Windows\System\JDkThKw.exe
  File created | C:\Windows\System\nxWPCuc.exe
  File created | C:\Windows\System\BKxeetH.exe
  File created | C:\Windows\System\ubvshGD.exe
  File created | C:\Windows\System\qGunXNt.exe
  File created | C:\Windows\System\CTmlgvI.exe
  File created | C:\Windows\System\cxBoWmx.exe
  File created | C:\Windows\System\xPJxGoI.exe
  File created | C:\Windows\System\TwGFYYe.exe
  File created | C:\Windows\System\LiVNNkt.exe
  File created | C:\Windows\System\AtnPdvm.exe
  File created | C:\Windows\System\EmtLUfQ.exe
  File created | C:\Windows\System\YWllxMg.exe
  File created | C:\Windows\System\VicMluU.exe
  File created | C:\Windows\System\rMypbHi.exe
  File created | C:\Windows\System\OTGiQUE.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeLockMemoryPrivilege | 2128 | 2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe
  Token: SeLockMemoryPrivilege | 2128 | 2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe

- Suspicious use of WriteProcessMemory (42 IoCs)
  pid and Process for every row: 2128, 2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe. Each row below is recorded twice in the report (two write events per target), giving 42 IoCs.
  description | procid_target
  PID 2128 wrote to memory of 4704 | 86
  PID 2128 wrote to memory of 3452 | 87
  PID 2128 wrote to memory of 1900 | 88
  PID 2128 wrote to memory of 5040 | 89
  PID 2128 wrote to memory of 4724 | 90
  PID 2128 wrote to memory of 3640 | 91
  PID 2128 wrote to memory of 2236 | 92
  PID 2128 wrote to memory of 2676 | 93
  PID 2128 wrote to memory of 1968 | 94
  PID 2128 wrote to memory of 1216 | 95
  PID 2128 wrote to memory of 4856 | 96
  PID 2128 wrote to memory of 2440 | 98
  PID 2128 wrote to memory of 1072 | 99
  PID 2128 wrote to memory of 3352 | 100
  PID 2128 wrote to memory of 1080 | 101
  PID 2128 wrote to memory of 1816 | 102
  PID 2128 wrote to memory of 2376 | 105
  PID 2128 wrote to memory of 1752 | 106
  PID 2128 wrote to memory of 4148 | 107
  PID 2128 wrote to memory of 976 | 108
  PID 2128 wrote to memory of 4544 | 109
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe (PID 2128)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes (each launched with a command line identical to its image path, each flagged "Executes dropped EXE"):
  - C:\Windows\System\TwGFYYe.exe (PID 4704)
  - C:\Windows\System\rMypbHi.exe (PID 3452)
  - C:\Windows\System\OTGiQUE.exe (PID 1900)
  - C:\Windows\System\AtnPdvm.exe (PID 5040)
  - C:\Windows\System\RBLjMRA.exe (PID 4724)
  - C:\Windows\System\SyxnKlx.exe (PID 3640)
  - C:\Windows\System\LiVNNkt.exe (PID 2236)
  - C:\Windows\System\BKxeetH.exe (PID 2676)
  - C:\Windows\System\BQhCHDI.exe (PID 1968)
  - C:\Windows\System\EmtLUfQ.exe (PID 1216)
  - C:\Windows\System\JDkThKw.exe (PID 4856)
  - C:\Windows\System\YWllxMg.exe (PID 2440)
  - C:\Windows\System\ubvshGD.exe (PID 1072)
  - C:\Windows\System\nxWPCuc.exe (PID 3352)
  - C:\Windows\System\qGunXNt.exe (PID 1080)
  - C:\Windows\System\CTmlgvI.exe (PID 1816)
  - C:\Windows\System\VicMluU.exe (PID 2376)
  - C:\Windows\System\cxBoWmx.exe (PID 1752)
  - C:\Windows\System\xPJxGoI.exe (PID 4148)
  - C:\Windows\System\WyGZlYz.exe (PID 976)
  - C:\Windows\System\UVyedPH.exe (PID 4544)
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 5.2MB
  MD5: e1cd4085fc589502685626654fd0c247
  SHA1: 7a4b8d49088f512de864676d83d24aa2ec052069
  SHA256: 84dee60f32064dcf08a268d47ab78adf8415b0c7ca4b2ca7cf4c8ba59a46ae88
  SHA512: 67d26d4a5042d6a55183443aec10f59ad5ae28f75164db707e450e560bdeec072cf3b9718ed99f523afb35eb05356de601b2a25d02a990034c0d7f926e928431
- Filesize: 5.2MB
  MD5: b24199dbff77b0d7eb35985afe580191
  SHA1: f9fdd4ddc80cedb98fd48e3af8ec9a843dde138d
  SHA256: 6323446b43b89616bded823736f6582af57d8f4c6aa69b84bcbaae297a99d745
  SHA512: 9d9f0a65658d579f6209f8a4f019dbda7387207bd1e364889a21f50c1928d0fc40592ce62145ba391cea3d80cf93de15ae0ca68f8f0430bed49aa76dff3f7a04
- Filesize: 5.2MB
  MD5: ce2c02149bc81b24185873c10fb13c93
  SHA1: 00ef9498872266d0984473189622fec1f539e8c3
  SHA256: a98ebab5ec3ea9643a84fdfc94d244333675c4966926b41745a5dddaae56648c
  SHA512: 72d0c5c50eb4ee414c4b5016de9105aada7ecd79a37a0954d5af9ea5e60348ac1db56c8e985ea70f00dc826a70a22064ea613380d2ba824dff6fdbb43075e349
- Filesize: 5.2MB
  MD5: 0e48d145944e2d1579ef51a7fb368722
  SHA1: 904520fd3f4da4f8fc7e5c27e759ef66d1e25d6b
  SHA256: b368f9ac6b68fa937dac4bfc16b2c1d2dc7a994cedd4dd7ba57c4e98c6e876c6
  SHA512: 5698fb21784e401b9254b56281fed0af8067bfc31f1a5c0c1000592fcdc6cd0bf5e97eaea88f2257889b2cca995581245a674df595b745264a81c8851face099
- Filesize: 5.2MB
  MD5: 65633ecea55c5dac2fd04fb7cfc4cf18
  SHA1: cd30a6917c74e0042a29a07387bc94e94d69bd83
  SHA256: 647ba66c14e4d3cd27322119ff331de10aff92c969ff805058e209f78bf65499
  SHA512: 855c562896536e9d95bb08e7234552db4bd03b421bd93634c3da45415bbf8cf99e5924bfff4dd818e15edbf359904e18a4495b8368b54a9820923e5fc379e92b
- Filesize: 5.2MB
  MD5: 2046b038bb67a55b857f5abd7fd0ff80
  SHA1: 59de5fc30df012aa7960767b233b32ec5a119699
  SHA256: 33951fbf44ab9451e37efd93e91001034ed650d1ebda79535da886e461bb8322
  SHA512: 215362e6c686bf0a095e8eebe6bb57680d301ce33d5774f53065d1dc4a5ab261e77eff3652ff3141d9ec6373424687fbaa4353fe284ebc41271a336cb4d55d4a
- Filesize: 5.2MB
  MD5: 34288abdf27ea9c7b9604b29d2d940c8
  SHA1: fa96b605105bf3d0da6fa76afa464439a3d3da37
  SHA256: b995caf7117ee655a27152453380d52297b1e1c64e26208ffdbb5d7714e97905
  SHA512: 3c9242a4335652949a4c0537e85a9c64fcdfee970438a691c1adf88967fbbd78dcd415fee9975e7e130b62907e982ff42c380552c7726108f593e31e77cbf7e7
- Filesize: 5.2MB
  MD5: f4679fd0ef402f351821b528e72f9a5a
  SHA1: 10c3ed3aa5479a9cd2a40f342d19c74b133e7c41
  SHA256: 952ae56f8343b45a335ea589b05332380d0dca71db4de0b285adeccf2afe6cae
  SHA512: c6c850d04dfc037bfa573fc094e7970a8c9f12c8290aff0e0c8202b1592e46d89748da3a921425330aa011bf75a0858fb924705415c404038ffc9d2509c2099f
- Filesize: 5.2MB
  MD5: 29dda88cf8a07c0e9af52a0293767ffb
  SHA1: 4783ffb0a67dcf979184671ec9acebf535e4b885
  SHA256: 5842f14d776c44f1c011a13bceb0479cc51c165807c8347ec871cc9b429cf627
  SHA512: 6b1d53cf33b816c6980d6f61ae7142ddcfcde2a04fa800cdcb846b90af98dda8266ac17d980e94947febe28dad5c434efa234c90c6bdbd06dd9681ec471c9109
- Filesize: 5.2MB
  MD5: dcca9679b4c0254505aad42878da89b7
  SHA1: 41f4cc194d66b68bdef3fa0eecd82731d7ed28fb
  SHA256: 0336771b2657c387696e004433d038f2bf20b09d6be08d863caade676d0fb949
  SHA512: fa39316ede6b51fb9b5ac47f1d9619d197946eda5da026b70ccb91d43dd2af083c6556482901e5c8260ae27dca36e9e18d8bf10d3c72d5607d02748b1c5e7226
- Filesize: 5.2MB
  MD5: d29891d28f9b41b99691f11480c54316
  SHA1: ff041a346d2630b0c974490b8c075eda8294d13d
  SHA256: 040c4e73fc45bce44858410b42b1688af04b37835df200a545e46395623f7e43
  SHA512: a15e6156c2b99037bfac3c6cb44e66aaeea1bd052230f530ce11fb339858ab1a29a6bf0a7cfb3c6e8da39b7b7997cfc4779e10d525e6c4dfe6d144aaae0d4cd8
- Filesize: 5.2MB
  MD5: fa9b61391e4062ddc5143448dd668c45
  SHA1: 06196b3a2217af89bfe1dd6fe06def4050742265
  SHA256: 769b3b8c763a13fb0d59bd282ffbaea8bf110c66c82da76169b0d07219a62a72
  SHA512: 106b37a2d0c250e7f78eead8657551e8cdb88ef1ee5760e95ec633077150ffa5731d25a4bc3a53305d02396914755aad28281a5d7224590a5415b6c1fa4d3186
- Filesize: 5.2MB
  MD5: c156af41f059b255745abc292ff0ef74
  SHA1: cf7d47be2f3ae4faf15268127b4c310e4d197d13
  SHA256: 8815f767e83b2491518de4913c7078d6a999d5200e8196131a1e34c64e200589
  SHA512: 36b6bd9cda4ca6d1102b88a96e4edc9bdbc2096de9b423324af9f29546834e13ee591b88d145d019833d1765b426b6741c0346dbf5d73d59f24d1c09174d00c3
- Filesize: 5.2MB
  MD5: 9f7c80cabb9fdd1e322e6fd4e382ced3
  SHA1: 2492a16e9f36a2fd68ed881cdc0381e9cc235477
  SHA256: 5c92d0c6b0d223fe9fc879ec14c7b4437390dc543c62c32558c241d616f1b892
  SHA512: e87859f700d30d6761b64e619d7164192e885600f28a34a1dd7ccd74a9e0dd959c11c89fd52b434e0a2dc52e4856fdcf504e6796a00898e5020996781f38020a
- Filesize: 5.2MB
  MD5: 0d685b1663910c8fff67ccfa01c0e2e5
  SHA1: d280b2276247dabbdcf6e4193f1d00d0eae960f2
  SHA256: ff0ac9a092421539d9a3ed17a9d1973b108bf438712feb5a1a71b7ca9941988f
  SHA512: 1d16f6b7687d838b4282b1eaac3df9822d27682b31e8222ff88a4069de4a138096aeac788f5db7e84a8bf8d096487a75dbc1971051f8be7c23b8ee2b17cad286
- Filesize: 5.2MB
  MD5: 98625cdd444bea92433665656f10f7c1
  SHA1: 37c5f3484ef77e3fd2d3bafefc0222d40cfc233e
  SHA256: 61ddb084ebc02ff8b3b92605216a3a6285255ae5ece2698bd8d2883a8eaae1f2
  SHA512: 6c9d0013b92613729ae6c54354b18be366704f77f8e0b6bf01e5522e21585c2cdaf7abdc27716d96c5f3bee682e48baf231352f25dc9cb23c8c05220bfdffb71
- Filesize: 5.2MB
  MD5: 1c4bef2c6f3dbba98a231ac4127176d6
  SHA1: 9c58aa9e7ec669aaf4b7018e1372e72ceee36c84
  SHA256: 8872839d7653e7cae042d2f6aa223135b9d8f843cd82f38a2c486c39ddfff899
  SHA512: 4f3446e33c9f91f7c0b3b53efecc941d3b20761bc2a1fcf479ac5881b82eed9d5e00988dfa60350f73957f17faf680efa5bf914a6724a29cb1b00fc39fc13228
- Filesize: 5.2MB
  MD5: 0b6df975f2b905d4d7711121a5faea7f
  SHA1: db3b04928e97b01bc3fbe168d59c958957b59fd1
  SHA256: d04b8eb850b0a64ab2703fd6c6d62ebe92b454c3406250fbca232e39dbc07bf2
  SHA512: 1325346809c3446bb761a30fa017a76d528a92da716a248bc14fc2a3f385a70ac4a2ad97b63ff6b1b3426f541f4d23a04a5f64d64521bd44953b75f99ac2095b
- Filesize: 5.2MB
  MD5: fe0b99ed0a2ff39d23d95be076186d7f
  SHA1: 24c439121c1ae19571906809ecaa8eebbdf2b9b8
  SHA256: 3be6e74cd931c4b767035f6862173ee7cf6020c0461fda8f2a31c78d711cb31f
  SHA512: da3fb7f400343956124781e5cb0e08b1c2dea4737ef58374a2d7b4f329932e2c01fcef25cd9f52b7cf99463c1b3fedde93e334be35971fe8054a06bf1b7f4769
- Filesize: 5.2MB
  MD5: 3d8a2d3949b0a1ae4048f43357e5a667
  SHA1: 1d7f7038ae0653ef65adf01a37ea5f8a881c2746
  SHA256: 1f73cca652673cc5cc88ed0ee8b67437f1dfd8db381ed25e00c7393a4232158b
  SHA512: 42df1d6a131832415bcd441ea0382fc11201a392a058408b186018bc2449c62a71e7139eee26106893d37d2b9895600640dc60835ba633d3dc2870260b9f6cc5
- Filesize: 5.2MB
  MD5: 341c0ff9de2e9a58323a3f3864f33c23
  SHA1: 3dbcc3ae3c8253578f5610653d0f9e58fc541605
  SHA256: 4b180171a6807ed8100d9caf1ebcf4dea88777763147c0052d301996881dbaba
  SHA512: 630e871fde6fb699e4457fdd7ddc0cc0546501f8569c711eec1554ea171081bcfc2eb5f83b5370055d11017091c6afaa0f7b8c8ab45aecb91f137a00431d6245