Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15/08/2024, 10:28
Behavioral task: behavioral1
- Sample: 2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe
- Resource: win7-20240729-en
General
- Target: 2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe
- Size: 5.2MB
- MD5: e2b8bc3b15d824b761f54c53d394886c
- SHA1: d66e36cab101c2bf7cde26e910c7bf73d9687ba4
- SHA256: 208297709d5170b955043494875092131d07ddc4b69e188d13687d986a8d1232
- SHA512: 7eeda23f107d36ae67a23b15f34e14251a2c71959628dd712429a652e8ba7b1886c4b57cb3a53c4bcc9e5a80e9bc8813130a364769b027cc65e9c9ce3bef84e2
- SSDEEP: 49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lX:RWWBibf56utgpPFotBER/mQ32lUj
Malware Config
Extracted: cobaltstrike (0)

The extracted beacon configuration reproduces the publicly available "amazon" Malleable C2 profile from the Cobalt Strike profile collection: GET URI /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books, POST URI /N4215/adj/amzn.us.sr.aps, a Host header of www.amazon.com and the fixed csm-hit cookie value. Those URIs, headers and the user agent are shared by every beacon built from that profile and are weak indicators on their own; the three C2 hostnames (ns7/ns8/ns9.softline.top, port 443, extracted as http://) and the RSA public key are the sample-specific values. The watermark is 0. Note that the behavioural evidence recorded below is miner activity (xmrig rule hits, SeLockMemoryPrivilege); this config is a static extraction, and the report shows no beacon check-in.

- C2 URLs:
  - http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
  - http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
  - http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- access_type: 512
- beacon_type: 256
- create_remote_thread: 768
- crypto_scheme: 256
- host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http_header1 (base64; GET client headers and the metadata transform): AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_header2 (base64; POST client headers, id and output transforms): AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
- http_method1: GET
- http_method2: POST
- maxdns: 255
- pipe_name: \\%s\pipe\msagent_%x
- polling_time: 5000 (milliseconds between check-ins)
- port_number: 443
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- state_machine (field name as labelled by the extractor; the value is a base64 DER-encoded RSA public key, zero-padded): MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 4096
- unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /N4215/adj/amzn.us.sr.aps
- user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
- watermark: 0
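The two http_header blobs are not opaque: they are Beacon's HTTP transform programs, a sequence of big-endian 32-bit opcodes, some followed by a length-prefixed string argument, terminated by opcode 0. The decoder below is an added example written for this report; it is neither the sandbox's extractor nor Cobalt Strike code. The opcode numbers and which of them take arguments are assumed from public beacon-config parser write-ups, and the two blobs are copied verbatim from the config above. It renders the result in Malleable C2 profile syntax so the output can be compared line by line with the public "amazon" profile.

```python
"""Decode Cobalt Strike beacon http_header1 / http_header2 transform programs.

Added example for this report. HTTP_HEADER1 / HTTP_HEADER2 are the blobs from the
Malware Config section; the opcode table is assumed from public config parsers.
"""
import base64
import struct

HTTP_HEADER1 = ("AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24t"
                "dG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEy"
                "OTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
                "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==")
HTTP_HEADER2 = ("AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDog"
                "WE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1J"
                "U08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5h"
                "bWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==")

# Transform opcodes (assumed from public parsers). "_header"/"_parameter" are the
# static client headers and URL parameters; "build" opens a transform group.
OPCODES = {
    1: "append", 2: "prepend", 3: "base64", 4: "print", 5: "parameter",
    6: "header", 7: "build", 8: "netbios", 9: "_parameter", 10: "_header",
    11: "netbiosu", 12: "uri_append", 13: "base64url", 14: "strrep",
    15: "mask", 16: "hostheader",
}
STRING_ARG = {1, 2, 5, 6, 9, 10, 16}   # one length-prefixed string follows
INT_ARG = {7}                          # "build" takes a uint32 group id
TWO_STRING_ARG = {14}                  # "strrep" takes two strings


def _b64(blob: str) -> bytes:
    """Decode base64, tolerating missing '=' padding (the blobs are zero-padded)."""
    s = blob.strip().rstrip("=")
    return base64.b64decode(s + "=" * (-len(s) % 4))


def _u32(buf: bytes, off: int):
    return struct.unpack_from(">I", buf, off)[0], off + 4


def _lpstr(buf: bytes, off: int):
    n, off = _u32(buf, off)
    if off + n > len(buf):
        raise ValueError(f"string of length {n} at offset {off} runs past end of blob")
    return buf[off:off + n].decode("latin-1"), off + n


def decode_transforms(blob: str) -> list:
    """Return the program as tuples, e.g. ("_header", "Accept: */*"), ("build", 0), ("base64",)."""
    buf = _b64(blob)
    prog, off = [], 0
    while off + 4 <= len(buf):
        op, off = _u32(buf, off)
        if op == 0:                     # terminator; the rest of the blob is padding
            break
        name = OPCODES.get(op)
        if name is None:
            raise ValueError(f"unknown transform opcode {op} at offset {off - 4}")
        if op in STRING_ARG:
            arg, off = _lpstr(buf, off)
            prog.append((name, arg))
        elif op in INT_ARG:
            arg, off = _u32(buf, off)
            prog.append((name, arg))
        elif op in TWO_STRING_ARG:
            a, off = _lpstr(buf, off)
            b, off = _lpstr(buf, off)
            prog.append((name, a, b))
        else:
            prog.append((name,))
    return prog


def render_profile(prog: list, post: bool) -> str:
    """Render in Malleable C2 profile style. In http-get, build 0 is the "metadata"
    block; in http-post, build 0 is "id" and build 1 is "output"."""
    groups = {0: "id" if post else "metadata", 1: "output"}
    lines, open_block = [], False
    for stmt in prog:
        name, args = stmt[0], stmt[1:]
        if name == "build":
            if open_block:
                lines.append("  }")
            lines.append(f"  {groups.get(args[0], 'build' + str(args[0]))} {{")
            open_block = True
        elif name in ("_header", "_parameter"):
            if open_block:              # static headers/parameters sit outside the groups
                lines.append("  }")
                open_block = False
            sep = ": " if name == "_header" else "="
            k, _, v = args[0].partition(sep)
            lines.append(f'  {name[1:]} "{k}" "{v}";')
        else:
            quoted = " ".join(f'"{a}"' for a in args)
            lines.append(f"    {name}{' ' + quoted if quoted else ''};")
    if open_block:
        lines.append("  }")
    return "\n".join(lines)


if __name__ == "__main__":
    print("http-get client {\n" + render_profile(decode_transforms(HTTP_HEADER1), post=False) + "\n}")
    print("http-post client {\n" + render_profile(decode_transforms(HTTP_HEADER2), post=True) + "\n}")
```

Running it prints the GET side as `header "Accept" "*/*"`, `header "Host" "www.amazon.com"` and a metadata block of base64, two prepends, one append and `header "Cookie"`, and the POST side with the sn id parameter and a base64+print output block, which is exactly the amazon profile's client section. Unknown opcodes raise rather than being skipped, so a blob from a newer or modified beacon fails loudly instead of producing a plausible-looking but wrong profile.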
Signatures

Summary: the sample (PID 4748) writes 21 executables with random seven-letter names into C:\Windows\System, launches each of them with no arguments, and enables SeLockMemoryPrivilege; the sample and every child hit the xmrig rule in memory, and the 21 dropped files hit both the cobalt_reflective_dll and the upx rules.

Cobalt Strike reflective loader (21 IoCs)
Detects the reflective loader used by Cobalt Strike. Rule cobalt_reflective_dll matched 21 file artifacts under behavioral2/files/:
0x0009000000022705-5.dat, 0x00070000000234f5-10.dat, 0x00070000000234f6-17.dat, 0x00070000000234fa-36.dat, 0x00070000000234fb-51.dat, 0x0007000000023500-64.dat, 0x00070000000234fd-65.dat, 0x00070000000234fe-81.dat, 0x0007000000023502-87.dat, 0x0007000000023506-115.dat, 0x0007000000023507-118.dat, 0x0007000000023505-112.dat, 0x0007000000023504-110.dat, 0x0007000000023503-108.dat, 0x000a0000000234ef-96.dat, 0x0007000000023501-94.dat, 0x00070000000234ff-76.dat, 0x00070000000234fc-56.dat, 0x00070000000234f9-44.dat, 0x00070000000234f8-27.dat, 0x00070000000234f7-21.dat
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.

XMRig Miner payload (45 IoCs)
Rule xmrig matched memory dumps (behavioral2/memory/<pid>-<n>-<start>-<end>-memory.dmp) of the sample and of all 21 dropped processes. Each process has one image region of 0x351000 bytes; the last column lists the dump numbers <n> that matched.

PID   Process       Image region                            xmrig dumps
4748  (sample)      0x00007FF732D70000-0x00007FF7330C1000   128, 150, 151
5036  DbkcpEn.exe   0x00007FF6F8E80000-0x00007FF6F91D1000   129, 212
3488  qwwDpjd.exe   0x00007FF73D600000-0x00007FF73D951000   130, 214
4600  epdNwky.exe   0x00007FF79ED70000-0x00007FF79F0C1000   131, 220
3468  qqAPBBI.exe   0x00007FF668E10000-0x00007FF669161000   34, 216
4696  CfNTXLV.exe   0x00007FF76E110000-0x00007FF76E461000   53, 218
2688  oDiZrtd.exe   0x00007FF6BB640000-0x00007FF6BB991000   62, 223
2088  bNVftTp.exe   0x00007FF604DB0000-0x00007FF605101000   107, 224
2264  iCZxnZC.exe   0x00007FF650D00000-0x00007FF651051000   70, 226
116   tTtQsNo.exe   0x00007FF686CC0000-0x00007FF687011000   120, 229
3048  fTYRbcc.exe   0x00007FF609260000-0x00007FF6095B1000   75, 230
3064  jpLbLFI.exe   0x00007FF62AF80000-0x00007FF62B2D1000   121, 240
2192  kQiAjOf.exe   0x00007FF687D40000-0x00007FF688091000   140, 238
1560  YHVqpWc.exe   0x00007FF7764A0000-0x00007FF7767F1000   122, 244
3720  awRTQUL.exe   0x00007FF7BE2E0000-0x00007FF7BE631000   123, 242
4068  ucdPksu.exe   0x00007FF76E510000-0x00007FF76E861000   143, 246
668   IzZHjtn.exe   0x00007FF6210E0000-0x00007FF621431000   124, 258
4892  baENvmq.exe   0x00007FF60BAF0000-0x00007FF60BE41000   125, 254
4064  XNYVkuE.exe   0x00007FF708590000-0x00007FF7088E1000   146, 253
1992  pVmmHac.exe   0x00007FF6C4810000-0x00007FF6C4B61000   147, 251
3896  RQtVjcm.exe   0x00007FF67A000000-0x00007FF67A351000   126, 249
1360  Knmjeye.exe   0x00007FF6EB2C0000-0x00007FF6EB611000   127, 257
Executes dropped EXE (21 IoCs)
PID   Process
5036  DbkcpEn.exe
3488  qwwDpjd.exe
4600  epdNwky.exe
3468  qqAPBBI.exe
4696  CfNTXLV.exe
2088  bNVftTp.exe
2688  oDiZrtd.exe
2264  iCZxnZC.exe
116   tTtQsNo.exe
3048  fTYRbcc.exe
3064  jpLbLFI.exe
1560  YHVqpWc.exe
2192  kQiAjOf.exe
3720  awRTQUL.exe
4068  ucdPksu.exe
668   IzZHjtn.exe
4892  baENvmq.exe
4064  XNYVkuE.exe
1992  pVmmHac.exe
3896  RQtVjcm.exe
1360  Knmjeye.exe
UPX packed file (yara rule upx, 64 IoCs)
File artifacts under behavioral2/files/ (the same 21 files that hit cobalt_reflective_dll):
0x0009000000022705-5.dat, 0x00070000000234f5-10.dat, 0x00070000000234f6-17.dat, 0x00070000000234fa-36.dat, 0x00070000000234fb-51.dat, 0x0007000000023500-64.dat, 0x00070000000234fd-65.dat, 0x00070000000234fe-81.dat, 0x0007000000023502-87.dat, 0x0007000000023506-115.dat, 0x0007000000023507-118.dat, 0x0007000000023505-112.dat, 0x0007000000023504-110.dat, 0x0007000000023503-108.dat, 0x000a0000000234ef-96.dat, 0x0007000000023501-94.dat, 0x00070000000234ff-76.dat, 0x00070000000234fc-56.dat, 0x00070000000234f9-44.dat, 0x00070000000234f8-27.dat, 0x00070000000234f7-21.dat

Memory dumps under behavioral2/memory/ (one 0x351000-byte image region per process; the last column lists the dump numbers that matched):
PID   Image region                            upx dumps
4748  0x00007FF732D70000-0x00007FF7330C1000   0, 128, 150, 151
5036  0x00007FF6F8E80000-0x00007FF6F91D1000   12, 129, 212
3488  0x00007FF73D600000-0x00007FF73D951000   19, 130, 214
4600  0x00007FF79ED70000-0x00007FF79F0C1000   20, 131, 220
3468  0x00007FF668E10000-0x00007FF669161000   34, 216
4696  0x00007FF76E110000-0x00007FF76E461000   53, 218
2688  0x00007FF6BB640000-0x00007FF6BB991000   62, 223
2264  0x00007FF650D00000-0x00007FF651051000   70, 226
3048  0x00007FF609260000-0x00007FF6095B1000   75, 230
2192  0x00007FF687D40000-0x00007FF688091000   88, 140, 238
4068  0x00007FF76E510000-0x00007FF76E861000   99, 143
4064  0x00007FF708590000-0x00007FF7088E1000   102, 146
1992  0x00007FF6C4810000-0x00007FF6C4B61000   103, 147
2088  0x00007FF604DB0000-0x00007FF605101000   107, 224
116   0x00007FF686CC0000-0x00007FF687011000   120, 229
3064  0x00007FF62AF80000-0x00007FF62B2D1000   121
1560  0x00007FF7764A0000-0x00007FF7767F1000   122
3720  0x00007FF7BE2E0000-0x00007FF7BE631000   123
668   0x00007FF6210E0000-0x00007FF621431000   124
4892  0x00007FF60BAF0000-0x00007FF60BE41000   125
3896  0x00007FF67A000000-0x00007FF67A351000   126
1360  0x00007FF6EB2C0000-0x00007FF6EB611000   127
Drops file in Windows directory (21 IoCs)
Process 2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe created the following files in C:\Windows\System\ (seven random letters plus .exe):
awRTQUL.exe, XNYVkuE.exe, pVmmHac.exe, DbkcpEn.exe, oDiZrtd.exe, YHVqpWc.exe, CfNTXLV.exe, jpLbLFI.exe, baENvmq.exe, fTYRbcc.exe, ucdPksu.exe, RQtVjcm.exe, qwwDpjd.exe, iCZxnZC.exe, tTtQsNo.exe, kQiAjOf.exe, IzZHjtn.exe, Knmjeye.exe, epdNwky.exe, qqAPBBI.exe, bNVftTp.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Token: SeLockMemoryPrivilege enabled by PID 4748 (2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe), recorded twice. SeLockMemoryPrivilege is what a process needs to allocate large pages, which XMRig requests for its RandomX dataset; a user-mode binary launched from a Temp directory asking for it is a strong miner signal on its own.
Suspicious use of WriteProcessMemory (42 IoCs)
PID 4748 (2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe) wrote to the memory of each of its 21 children, two records per child (target PID, procid_target in parentheses):
5036 (85), 3488 (86), 4600 (87), 3468 (88), 4696 (89), 2688 (90), 2088 (91), 2264 (92), 116 (93), 3048 (94), 3064 (95), 2192 (96), 1560 (97), 3720 (98), 4068 (99), 668 (100), 4892 (101), 4064 (102), 1992 (103), 3896 (104), 1360 (105)
Every target is a process the sample itself started, and each appears exactly twice, which is the pattern of a parent setting up a child it launched rather than injection into an unrelated process; there are no writes to any pre-existing process.
Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe (PID 4748)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  children (each started with its bare path as command line, no arguments; all tagged "Executes dropped EXE"):
  └ C:\Windows\System\DbkcpEn.exe (PID 5036)
  └ C:\Windows\System\qwwDpjd.exe (PID 3488)
  └ C:\Windows\System\epdNwky.exe (PID 4600)
  └ C:\Windows\System\qqAPBBI.exe (PID 3468)
  └ C:\Windows\System\CfNTXLV.exe (PID 4696)
  └ C:\Windows\System\oDiZrtd.exe (PID 2688)
  └ C:\Windows\System\bNVftTp.exe (PID 2088)
  └ C:\Windows\System\iCZxnZC.exe (PID 2264)
  └ C:\Windows\System\tTtQsNo.exe (PID 116)
  └ C:\Windows\System\fTYRbcc.exe (PID 3048)
  └ C:\Windows\System\jpLbLFI.exe (PID 3064)
  └ C:\Windows\System\kQiAjOf.exe (PID 2192)
  └ C:\Windows\System\YHVqpWc.exe (PID 1560)
  └ C:\Windows\System\awRTQUL.exe (PID 3720)
  └ C:\Windows\System\ucdPksu.exe (PID 4068)
  └ C:\Windows\System\IzZHjtn.exe (PID 668)
  └ C:\Windows\System\baENvmq.exe (PID 4892)
  └ C:\Windows\System\XNYVkuE.exe (PID 4064)
  └ C:\Windows\System\pVmmHac.exe (PID 1992)
  └ C:\Windows\System\RQtVjcm.exe (PID 3896)
  └ C:\Windows\System\Knmjeye.exe (PID 1360)
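The process tree above is a drop-and-execute pattern that endpoint telemetry can catch without any knowledge of the payload: one process writes executables into C:\Windows\System (the legacy 16-bit directory, which should not receive new .exe files on a modern host) and then becomes the parent of processes started from exactly those paths. The script below is an added example for this report, not sandbox or vendor code. The EVENTS list is constructed in a simplified Sysmon-like shape and reuses the report's PIDs and paths for three of the 21 children; the svchost, notes.txt and PID 7000 records are made-up noise to show what is not flagged.

```python
"""Flag a process that drops executables into C:\\Windows\\System and launches them.

Added example for this report. EVENTS is constructed (11 = FileCreate,
1 = ProcessCreate); it is not the sandbox's raw log.
"""
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe")

EVENTS = [
    {"id": 11, "pid": 4748, "image": SAMPLE, "target": r"C:\Windows\System\DbkcpEn.exe"},
    {"id": 11, "pid": 4748, "image": SAMPLE, "target": r"C:\Windows\System\qwwDpjd.exe"},
    {"id": 11, "pid": 4748, "image": SAMPLE, "target": r"C:\Windows\System\epdNwky.exe"},
    {"id": 1, "pid": 5036, "ppid": 4748, "image": r"C:\Windows\System\DbkcpEn.exe"},
    {"id": 1, "pid": 3488, "ppid": 4748, "image": r"C:\Windows\System\qwwDpjd.exe"},
    {"id": 1, "pid": 4600, "ppid": 4748, "image": r"C:\Windows\System\epdNwky.exe"},
    # Constructed benign noise: a write into System32, a non-executable drop, and a
    # start from the watched directory by a parent that did not drop the file.
    {"id": 11, "pid": 1200, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\System32\LogFiles\foo.log"},
    {"id": 11, "pid": 4748, "image": SAMPLE, "target": r"C:\Users\Admin\AppData\Local\Temp\notes.txt"},
    {"id": 1, "pid": 7000, "ppid": 1200, "image": r"C:\Windows\System\DbkcpEn.exe"},
]

# Executables written directly into C:\Windows\System (not System32/SysWOW64).
WATCHED_EXE = re.compile(r"^c:\\windows\\system\\[^\\]+\.exe$", re.IGNORECASE)
RANDOM_NAME = re.compile(r"^[A-Za-z]{7}\.exe$")   # the report's drops: 7 mixed-case letters


def find_drop_and_execute(events, min_children=3):
    """Single pass in event order: remember which executables each PID wrote into the
    watched directory, then credit a process start to its parent only if that parent
    dropped the image earlier. One finding per dropper with >= min_children children."""
    dropped = defaultdict(dict)    # dropper pid -> {lowercased path: original path}
    children = defaultdict(list)   # dropper pid -> [(child pid, image path)]
    image_of = {}                  # dropper pid -> dropper image
    for ev in events:
        if ev["id"] == 11 and WATCHED_EXE.match(ev["target"]):
            dropped[ev["pid"]][ev["target"].lower()] = ev["target"]
            image_of[ev["pid"]] = ev["image"]
        elif ev["id"] == 1 and ev["image"].lower() in dropped.get(ev["ppid"], {}):
            children[ev["ppid"]].append((ev["pid"], ev["image"]))
    findings = []
    for ppid, kids in children.items():
        if len(kids) >= min_children:
            findings.append({
                "dropper_pid": ppid,
                "dropper_image": image_of[ppid],
                "children": kids,
                "random_names": sum(bool(RANDOM_NAME.match(p.rsplit("\\", 1)[-1])) for _, p in kids),
            })
    return findings


if __name__ == "__main__":
    for f in find_drop_and_execute(EVENTS):
        print(f"PID {f['dropper_pid']} dropped and launched {len(f['children'])} executables "
              f"in C:\\Windows\\System ({f['random_names']} with random 7-letter names)")
```

The threshold keeps a single legitimate drop-and-run from alerting while the real chain (21 children in this report) trips it immediately; the random-name count is reported separately rather than required, so a variant that picks other file names still surfaces. Requiring the drop to precede the start, and the starter to be the dropper, is what separates this from an ordinary process start from a system directory (the PID 7000 record).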
Network
MITRE ATT&CK Matrix
Downloads (21 dropped files, each 5.2MB)

1. MD5: a989dc64b4b01a8c23b6315213572cb3
   SHA1: eff5824bd669487f565f1c9d8b9ab023dc4007f7
   SHA256: dac1767164610ba857c6752bd3b1dd69d268eb33c503b797a3e8afbb300953eb
   SHA512: e7b25fa8ae9459616bdfdf71e9adf864b311b45dacb08d0fd5547f36493cc1c2c24556e9b113e051960cff49478d65d524414bd9392f4485ea7f207e813ca140
2. MD5: d73f7b3dc46484a3f43a60b41f17144e
   SHA1: 71567d6d4efc91ab09d6f7207ab923ab01f932fc
   SHA256: 280c054317260d9611e77d742c43fab7fa4f3260d15f1b8d623fa7b46a5f3101
   SHA512: 9021427beb693a079c4b2572f271a9fbffc018c0987f4fbc424f903f632e1d8c7597d8d235deb72d06622c9f209f1288bf6eaca02269e10325088e95c69eb3f0
3. MD5: a857e8d1ac736e98551e19096e5c83c5
   SHA1: 882add19a1762abc3394b7ffc13c9acc01a281ed
   SHA256: f076de36e72b85da882fc6812088af3113262dcbe664b710bab747b09ad8697a
   SHA512: 22c00e73440ae5c427b45151694342c47bf9b1541193f0de99b58187b00f01a443a4ac0529b515dc0840a9fdc75a9be110c3932dd7360b13980cc09e5f5130c4
4. MD5: c9b286637d6f4d74a80500cefbf2264a
   SHA1: 7d87aa2ac17a35c67be07b9a36e19df09f4ca63e
   SHA256: 348dde3668614918a11ecaab7a902ea0cdd1b412728232310a52629acc0ad60a
   SHA512: 7812a865cba02ed01a3298c866ad959523913d2560f118cf137215e979828e3a0c415a021400c8c07b196014244d259af93d0b316730c9f9774bc1a6c85a9fc5
5. MD5: 2f0e8d35213859a0c9a3c208fafce37c
   SHA1: d8e4c9bd4fb2d38a8bad1489daa02e6a21e76178
   SHA256: 58770cb5db2ae9b3e6357ab20a56cd5d34d1b2e16cb71965ae316903effd9fc4
   SHA512: 5c66db90aa7ae6dd28ad4c5e4d3a7b7af5e37f8342e5e98fdb694b161e7322b20453bfbaace4e2b19ead426c809a2cb75dd432f448d42f2c0059206ce94096b9
6. MD5: 2f345b0899a1fd43080391cfde5530fe
   SHA1: 3517d69a34f4979120be4a16e815dcdd7b0462ff
   SHA256: 1b392c93d04bcf972bfabaf8b2def13ba63b046c91f1812b204def88bf181322
   SHA512: 897b3560436884feb6df1db28002db6c552bcabd1965c7b8f376217cab3c76589f46e1df67e1a00a78ecf9bfa76c370ed4755ad181455e6074ad61f5a6ce5c9b
7. MD5: 8c912b9db5a493a5c279b302685689d4
   SHA1: e95b017be53b7425497ccd6ba137085514a52fb1
   SHA256: 024ee3d1f3c1d8ce1c55b059f54f110e2aae84747d766e6bbc57bfb3c1578e2f
   SHA512: f773aab898c7e809f71825a7e1fa662fdf763d6f3f69a161d16ea242f8bfd14349fb4ba0e4d9643349c3290c6c6c1c9defdf746827ac163cb096dbbd45521d60
8. MD5: 0e5c68d7bdec72cf0d8c1c51383a9d57
   SHA1: 81cce9abdbd15b0bdb970da715870f3149cb0a59
   SHA256: 50da804b76f2566d602a4e1f1bb995d4e33b74c05d06bc42180b82b97f19725f
   SHA512: 372b9780e44397af66b94bfb32537c05723d5edd45dbaa1c163c32a3d01e760e5cee2bf192f34adb9402828ac64941774df338cd792f3cb16673226a9339bdbb
9. MD5: 405a6bd3cc432877e7ccdc91fb61b2e9
   SHA1: 903ffae805014f24071351ddec9d39609a7c5bf3
   SHA256: ad52a879fab6c95cd411fbac37169ca496dee8164d95434e98500e1272da864b
   SHA512: c9329d6ff91907d406e0da8ec838a577b801e864b8267fd9fc60ed4d1bf1fd1608a46eecaf0a849f52ef6a81e226ae4c9e5fd09b37f88e67484b8b8edd5f083a
10. MD5: 1b8f1baee111e2122bef272af9dea6b7
    SHA1: b101dd0669541b981cb2f7d352b92bdd642bcbd6
    SHA256: 136a7e5e85efba62003243be6bce383c1b93a1ab64b593b12f9c19b455385d25
    SHA512: 0cdb362e0f740045967d97e07721aab69899c9bd8ca19abbb986597bf15fefe1b4cf4ab7ef98785d72f07968b73f37e98549a96227653b7127cafe730a312069
11. MD5: 93530e2f9d751e64651a84e10dcad873
    SHA1: 3c31f1cb1316c8f688127211efa26b26a3312b2f
    SHA256: f988d7fd88cd344bd171dfb6c8ec726b31599d09f547ef891a471be1a997e201
    SHA512: 8e66ded956e9844cae1e62cf198f51c31afb9f4b06c60749d8ca062356cfd68dedf59d7631f51fc62977f9b132ecf75f570d903a35075636816ad9447527c93e
12. MD5: c24900801220393785e91b6d7628d07f
    SHA1: fef9032aaf5c0c1278ad27a1706f81e6ec01b646
    SHA256: 5ebf510f4ece133fa5d43615d19f447a405a6d6d34267e93cb4d0146bddcff5e
    SHA512: fc4dcd480fd88d53ddc9b66a1eac42846e5120bf16d10c599d34bd10e818e21dac6e08ee62d7fe5c8f336175c5e19216d04c761f29ae1637d484eef2020e158c
13. MD5: f010de3a2e8d8be80e4215428a5b9c5b
    SHA1: 7b96c5ddbfbd6b6acd394b57f6ca844a8815bcb5
    SHA256: 731c07cc599660630815eb848fe22c9345263963fcc14a4bf8b219129c8e48ec
    SHA512: 499e5df12b05b37f52803f85c7ada974e1126af9504388fe57fde3f2993dce91a1f6569809bc6c464e6f4bb32cb53ecfd50cf2881ff60ae2b0f11c2cb2fa1610
14. MD5: b984b94d78dc7e771174717327ca5361
    SHA1: 244964be362cc3d9b0f2b890acbbf8c072c07759
    SHA256: f4aa492b781b36a5d306c6a95e7cf64cdf5c779900333dc46d590183bb05152b
    SHA512: 1af6fd24b13ad27671a60094552347d4d488648e1297e9af90644b40ca3af2896be127fa11e1704164ffafe9da4938978b3cdd26d8a5fc521ed87d5c9809e320
15. MD5: 921d3156607880b8cb1a29e190f5ad8e
    SHA1: b03e612b7580881ce04e8fdc6e8d0dfc98a3f20a
    SHA256: 81052be0d9446df51e3fc3e19c22d73c9055fecc8e04023a21e43685d8c6521f
    SHA512: 1f44786f9f82a5a864e7d78caa9751931e7e74f7298a99ed9ec1968ba149895d024da9e3984f8b4bdc66ad9a2da27962e466f69329f072d806f0da9cb7825f4b
16. MD5: e30ea9d4c0ad503a376b4d98866cb862
    SHA1: 4aa6585052717c94cace49cf5a718b61f8292c70
    SHA256: 749b3d249bd5b6f17c8063212f5b35f6d5aad802a1c0e0cf1f94fa2bfdbff199
    SHA512: fa608d763c821cd00b27116d72d4ae456575c3b84d4afcb7a38e5b4ca84ff20d4c045bbd164f18f7d463b22bad1ab87fcd650f8d666e1f8ffa07e2775d01a88b
17. MD5: 2531171551fd2c98027e9f1caf56a050
    SHA1: 7cbc2057c58807209ba998e72ce36c62926f5457
    SHA256: bcbea8610db54597922a381be02d5970d3a11e387ca040a460f8c65da676bf8c
    SHA512: e680f69ebb98e756aed9447a5c303c0f64f3cc437f84f102bf336f566cb586c300df7c7f9759a3b7002e48ada678a9cc453bf24346b1a2f5c3510cd208effc9f
18. MD5: bde6bc248d123165468314b418ec641f
    SHA1: 9939dc8cf9b4d0a062114399dd931dca3651ba58
    SHA256: ffcbb43b0848759d2ec3ecd805a31e3752b44a040b88e9549feac7da42ae3c37
    SHA512: 076f47d7ba1e5db433c28ca2584a7f16a66590de022ed212043c9294edf61c10ed0a406cfdbf66918df96f10eabe7082989c1c2634061049cf551c034bcce99d
19. MD5: f85bbeb3156be7a676097b1523b4c0a7
    SHA1: 99f726d8633fda46a6699d44f7f8c26a03bc495f
    SHA256: 56ea4700084b209b5243f4c8f20e949d2882877ba5b6d91971774a6c0ba64a1f
    SHA512: 4d3e8e61eaf9b715bb5a2dd0e194b386b7109253e09d131221b492de4a1515ca2d7116bd289067b7b95f85bf0d4ed9fc7492bd4da356a10896423d12fcfc4957
20. MD5: 54c59388e240c525411d2951083eb7f8
    SHA1: ba5aa52259994b7bb9d3592eab3fbaf1173e9181
    SHA256: bbf7ebd9b46657c31c810e3a61c77a357f48ab3f509a4ad4ed386ca23509c917
    SHA512: 79fc33a72dc7ef29f2811b218c1acaffdcd8684cf27ae0f4a265bc5b7ce80d9cbd4f2cc220fa802269f3bc384927b7aba18d89c5f5e2eed3e620cbb0e5168535
21. MD5: b8612a1da5de6346501e592df86f15ee
    SHA1: bdc1237b4f046f19136dc9a08ba60a3bffe1c0d1
    SHA256: e76f8cdfe1c38a27788d2695698ab055b3e7bcef961be57d92f376526b5db308
    SHA512: 87b13f694ab1a1cb35656c0e5e75aaf91af7bf1d4e118a5d4f385dfadb71a0339c8071464fae1cc62a6d45036ef6ea9f6056989fa9f082e6d691cd671de3cd03