Analysis
-
max time kernel
149s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
15/08/2024, 10:44
Behavioral task
behavioral1
Sample
2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe
Resource
win7-20240705-en
General
-
Target
2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe
-
Size
5.2MB
-
MD5
576a258f7767af98d3d30c02d0271b9e
-
SHA1
9d460e39402a66bf87b8a2ef601db3b0837181ef
-
SHA256
d501bdb6f2f87f83525b1fe9fe20c02ad38dbdae6e391a5c8a9dc539ef867781
-
SHA512
a425cf0a0946374d8109f609ebaa2d58b334a54085073cdec8c617a3311bdd219630bd1e9c6409b9735fcd4d34fff853313ad17fed7ae2727beb93eec8ea156c
-
SSDEEP
49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lp:RWWBibf56utgpPFotBER/mQ32lUF
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
-
access_type
512
-
beacon_type
256
-
create_remote_thread
768
-
crypto_scheme
256
-
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
-
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
-
http_method1
GET
-
http_method2
POST
-
maxdns
255
-
pipe_name
\\%s\pipe\msagent_%x
-
polling_time
5000
-
port_number
443
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/N4215/adj/amzn.us.sr.aps
-
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
-
watermark
0
Signatures
-
Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
resource yara_rule behavioral2/files/0x0007000000023613-8.dat cobalt_reflective_dll behavioral2/files/0x000800000002360e-6.dat cobalt_reflective_dll behavioral2/files/0x0007000000023612-12.dat cobalt_reflective_dll behavioral2/files/0x0007000000023614-19.dat cobalt_reflective_dll behavioral2/files/0x0007000000023615-25.dat cobalt_reflective_dll behavioral2/files/0x0007000000023616-43.dat cobalt_reflective_dll behavioral2/files/0x0007000000023618-46.dat cobalt_reflective_dll behavioral2/files/0x0007000000023617-51.dat cobalt_reflective_dll behavioral2/files/0x000700000002361b-57.dat cobalt_reflective_dll behavioral2/files/0x000800000002360f-69.dat cobalt_reflective_dll behavioral2/files/0x000700000002361d-110.dat cobalt_reflective_dll behavioral2/files/0x0007000000023621-109.dat cobalt_reflective_dll behavioral2/files/0x0007000000023620-107.dat cobalt_reflective_dll behavioral2/files/0x000700000002361f-105.dat cobalt_reflective_dll behavioral2/files/0x000700000002361e-98.dat cobalt_reflective_dll behavioral2/files/0x000700000002361c-96.dat cobalt_reflective_dll behavioral2/files/0x000700000002361a-70.dat cobalt_reflective_dll behavioral2/files/0x0007000000023619-60.dat cobalt_reflective_dll behavioral2/files/0x0007000000023623-140.dat cobalt_reflective_dll behavioral2/files/0x0007000000023622-143.dat cobalt_reflective_dll behavioral2/files/0x0007000000023624-146.dat cobalt_reflective_dll -
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
XMRig Miner payload 46 IoCs
resource yara_rule behavioral2/memory/6084-17-0x00007FF6326F0000-0x00007FF632A41000-memory.dmp xmrig behavioral2/memory/4136-102-0x00007FF7D97A0000-0x00007FF7D9AF1000-memory.dmp xmrig behavioral2/memory/5624-103-0x00007FF7C0D70000-0x00007FF7C10C1000-memory.dmp xmrig behavioral2/memory/3452-95-0x00007FF65D890000-0x00007FF65DBE1000-memory.dmp xmrig behavioral2/memory/1048-132-0x00007FF7AE420000-0x00007FF7AE771000-memory.dmp xmrig behavioral2/memory/3600-133-0x00007FF60FEE0000-0x00007FF610231000-memory.dmp xmrig behavioral2/memory/6084-138-0x00007FF6326F0000-0x00007FF632A41000-memory.dmp xmrig behavioral2/memory/1944-131-0x00007FF651570000-0x00007FF6518C1000-memory.dmp xmrig behavioral2/memory/1488-129-0x00007FF6328E0000-0x00007FF632C31000-memory.dmp xmrig behavioral2/memory/5888-128-0x00007FF6655D0000-0x00007FF665921000-memory.dmp xmrig behavioral2/memory/3224-127-0x00007FF6CFF50000-0x00007FF6D02A1000-memory.dmp xmrig behavioral2/memory/3592-126-0x00007FF7F1D50000-0x00007FF7F20A1000-memory.dmp xmrig behavioral2/memory/4132-125-0x00007FF6334E0000-0x00007FF633831000-memory.dmp xmrig behavioral2/memory/4968-123-0x00007FF73BF70000-0x00007FF73C2C1000-memory.dmp xmrig behavioral2/memory/5656-122-0x00007FF64B5F0000-0x00007FF64B941000-memory.dmp xmrig behavioral2/memory/3448-121-0x00007FF725C00000-0x00007FF725F51000-memory.dmp xmrig behavioral2/memory/4524-120-0x00007FF617CC0000-0x00007FF618011000-memory.dmp xmrig behavioral2/memory/5168-118-0x00007FF6A85A0000-0x00007FF6A88F1000-memory.dmp xmrig behavioral2/memory/1432-124-0x00007FF6CD7F0000-0x00007FF6CDB41000-memory.dmp xmrig behavioral2/memory/5356-117-0x00007FF696210000-0x00007FF696561000-memory.dmp xmrig behavioral2/memory/4532-149-0x00007FF76E0D0000-0x00007FF76E421000-memory.dmp xmrig behavioral2/memory/3452-150-0x00007FF65D890000-0x00007FF65DBE1000-memory.dmp xmrig behavioral2/memory/5772-169-0x00007FF7146F0000-0x00007FF714A41000-memory.dmp xmrig 
behavioral2/memory/5660-171-0x00007FF6DA610000-0x00007FF6DA961000-memory.dmp xmrig behavioral2/memory/3452-172-0x00007FF65D890000-0x00007FF65DBE1000-memory.dmp xmrig behavioral2/memory/4136-205-0x00007FF7D97A0000-0x00007FF7D9AF1000-memory.dmp xmrig behavioral2/memory/6084-207-0x00007FF6326F0000-0x00007FF632A41000-memory.dmp xmrig behavioral2/memory/5356-209-0x00007FF696210000-0x00007FF696561000-memory.dmp xmrig behavioral2/memory/5168-211-0x00007FF6A85A0000-0x00007FF6A88F1000-memory.dmp xmrig behavioral2/memory/4524-213-0x00007FF617CC0000-0x00007FF618011000-memory.dmp xmrig behavioral2/memory/3448-225-0x00007FF725C00000-0x00007FF725F51000-memory.dmp xmrig behavioral2/memory/1432-227-0x00007FF6CD7F0000-0x00007FF6CDB41000-memory.dmp xmrig behavioral2/memory/5656-231-0x00007FF64B5F0000-0x00007FF64B941000-memory.dmp xmrig behavioral2/memory/4968-230-0x00007FF73BF70000-0x00007FF73C2C1000-memory.dmp xmrig behavioral2/memory/4132-233-0x00007FF6334E0000-0x00007FF633831000-memory.dmp xmrig behavioral2/memory/1048-240-0x00007FF7AE420000-0x00007FF7AE771000-memory.dmp xmrig behavioral2/memory/3224-247-0x00007FF6CFF50000-0x00007FF6D02A1000-memory.dmp xmrig behavioral2/memory/3592-249-0x00007FF7F1D50000-0x00007FF7F20A1000-memory.dmp xmrig behavioral2/memory/1488-246-0x00007FF6328E0000-0x00007FF632C31000-memory.dmp xmrig behavioral2/memory/5624-243-0x00007FF7C0D70000-0x00007FF7C10C1000-memory.dmp xmrig behavioral2/memory/5888-242-0x00007FF6655D0000-0x00007FF665921000-memory.dmp xmrig behavioral2/memory/1944-238-0x00007FF651570000-0x00007FF6518C1000-memory.dmp xmrig behavioral2/memory/3600-236-0x00007FF60FEE0000-0x00007FF610231000-memory.dmp xmrig behavioral2/memory/5772-259-0x00007FF7146F0000-0x00007FF714A41000-memory.dmp xmrig behavioral2/memory/4532-258-0x00007FF76E0D0000-0x00007FF76E421000-memory.dmp xmrig behavioral2/memory/5660-261-0x00007FF6DA610000-0x00007FF6DA961000-memory.dmp xmrig -
Executes dropped EXE 21 IoCs
pid Process 4136 PvDbrOv.exe 6084 SvfaYty.exe 5356 kWjgCJO.exe 5168 OpJooXW.exe 4524 EWHEnIq.exe 3448 NsxVjjA.exe 5656 Ticnvij.exe 4968 AyhLRTq.exe 1432 aGpzwvv.exe 4132 JwtUZeH.exe 3592 KYYmgoK.exe 3224 aEppgbU.exe 5888 CKsYyqY.exe 5624 TRTvSpj.exe 1944 gLfzEbv.exe 1048 LSewzxp.exe 3600 YoXWrzz.exe 1488 WvfOKNO.exe 5772 nRrFaSX.exe 4532 AEuuSMM.exe 5660 qoCgjzh.exe -
resource yara_rule behavioral2/memory/3452-0-0x00007FF65D890000-0x00007FF65DBE1000-memory.dmp upx behavioral2/files/0x0007000000023613-8.dat upx behavioral2/files/0x000800000002360e-6.dat upx behavioral2/files/0x0007000000023612-12.dat upx behavioral2/memory/4136-9-0x00007FF7D97A0000-0x00007FF7D9AF1000-memory.dmp upx behavioral2/memory/6084-17-0x00007FF6326F0000-0x00007FF632A41000-memory.dmp upx behavioral2/files/0x0007000000023614-19.dat upx behavioral2/memory/5356-21-0x00007FF696210000-0x00007FF696561000-memory.dmp upx behavioral2/files/0x0007000000023615-25.dat upx behavioral2/files/0x0007000000023616-43.dat upx behavioral2/files/0x0007000000023618-46.dat upx behavioral2/files/0x0007000000023617-51.dat upx behavioral2/files/0x000700000002361b-57.dat upx behavioral2/files/0x000800000002360f-69.dat upx behavioral2/memory/4132-72-0x00007FF6334E0000-0x00007FF633831000-memory.dmp upx behavioral2/memory/5888-77-0x00007FF6655D0000-0x00007FF665921000-memory.dmp upx behavioral2/memory/1944-90-0x00007FF651570000-0x00007FF6518C1000-memory.dmp upx behavioral2/memory/4136-102-0x00007FF7D97A0000-0x00007FF7D9AF1000-memory.dmp upx behavioral2/files/0x000700000002361d-110.dat upx behavioral2/files/0x0007000000023621-109.dat upx behavioral2/files/0x0007000000023620-107.dat upx behavioral2/files/0x000700000002361f-105.dat upx behavioral2/memory/3600-104-0x00007FF60FEE0000-0x00007FF610231000-memory.dmp upx behavioral2/memory/5624-103-0x00007FF7C0D70000-0x00007FF7C10C1000-memory.dmp upx behavioral2/files/0x000700000002361e-98.dat upx behavioral2/files/0x000700000002361c-96.dat upx behavioral2/memory/3452-95-0x00007FF65D890000-0x00007FF65DBE1000-memory.dmp upx behavioral2/memory/1488-94-0x00007FF6328E0000-0x00007FF632C31000-memory.dmp upx behavioral2/memory/1048-91-0x00007FF7AE420000-0x00007FF7AE771000-memory.dmp upx behavioral2/memory/3224-82-0x00007FF6CFF50000-0x00007FF6D02A1000-memory.dmp upx behavioral2/files/0x000700000002361a-70.dat upx 
behavioral2/memory/3592-67-0x00007FF7F1D50000-0x00007FF7F20A1000-memory.dmp upx behavioral2/memory/4968-64-0x00007FF73BF70000-0x00007FF73C2C1000-memory.dmp upx behavioral2/files/0x0007000000023619-60.dat upx behavioral2/memory/1432-53-0x00007FF6CD7F0000-0x00007FF6CDB41000-memory.dmp upx behavioral2/memory/5656-48-0x00007FF64B5F0000-0x00007FF64B941000-memory.dmp upx behavioral2/memory/3448-41-0x00007FF725C00000-0x00007FF725F51000-memory.dmp upx behavioral2/memory/4524-29-0x00007FF617CC0000-0x00007FF618011000-memory.dmp upx behavioral2/memory/5168-26-0x00007FF6A85A0000-0x00007FF6A88F1000-memory.dmp upx behavioral2/memory/1048-132-0x00007FF7AE420000-0x00007FF7AE771000-memory.dmp upx behavioral2/memory/3600-133-0x00007FF60FEE0000-0x00007FF610231000-memory.dmp upx behavioral2/files/0x0007000000023623-140.dat upx behavioral2/files/0x0007000000023622-143.dat upx behavioral2/files/0x0007000000023624-146.dat upx behavioral2/memory/5772-139-0x00007FF7146F0000-0x00007FF714A41000-memory.dmp upx behavioral2/memory/6084-138-0x00007FF6326F0000-0x00007FF632A41000-memory.dmp upx behavioral2/memory/1944-131-0x00007FF651570000-0x00007FF6518C1000-memory.dmp upx behavioral2/memory/1488-129-0x00007FF6328E0000-0x00007FF632C31000-memory.dmp upx behavioral2/memory/5888-128-0x00007FF6655D0000-0x00007FF665921000-memory.dmp upx behavioral2/memory/3224-127-0x00007FF6CFF50000-0x00007FF6D02A1000-memory.dmp upx behavioral2/memory/3592-126-0x00007FF7F1D50000-0x00007FF7F20A1000-memory.dmp upx behavioral2/memory/4132-125-0x00007FF6334E0000-0x00007FF633831000-memory.dmp upx behavioral2/memory/4968-123-0x00007FF73BF70000-0x00007FF73C2C1000-memory.dmp upx behavioral2/memory/5656-122-0x00007FF64B5F0000-0x00007FF64B941000-memory.dmp upx behavioral2/memory/3448-121-0x00007FF725C00000-0x00007FF725F51000-memory.dmp upx behavioral2/memory/4524-120-0x00007FF617CC0000-0x00007FF618011000-memory.dmp upx behavioral2/memory/5168-118-0x00007FF6A85A0000-0x00007FF6A88F1000-memory.dmp upx 
behavioral2/memory/1432-124-0x00007FF6CD7F0000-0x00007FF6CDB41000-memory.dmp upx behavioral2/memory/5356-117-0x00007FF696210000-0x00007FF696561000-memory.dmp upx behavioral2/memory/5660-148-0x00007FF6DA610000-0x00007FF6DA961000-memory.dmp upx behavioral2/memory/4532-149-0x00007FF76E0D0000-0x00007FF76E421000-memory.dmp upx behavioral2/memory/3452-150-0x00007FF65D890000-0x00007FF65DBE1000-memory.dmp upx behavioral2/memory/5772-169-0x00007FF7146F0000-0x00007FF714A41000-memory.dmp upx behavioral2/memory/5660-171-0x00007FF6DA610000-0x00007FF6DA961000-memory.dmp upx -
Drops file in Windows directory 21 IoCs
description ioc Process File created C:\Windows\System\nRrFaSX.exe 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe File created C:\Windows\System\NsxVjjA.exe 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe File created C:\Windows\System\Ticnvij.exe 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe File created C:\Windows\System\AyhLRTq.exe 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe File created C:\Windows\System\YoXWrzz.exe 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe File created C:\Windows\System\LSewzxp.exe 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe File created C:\Windows\System\AEuuSMM.exe 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe File created C:\Windows\System\qoCgjzh.exe 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe File created C:\Windows\System\SvfaYty.exe 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe File created C:\Windows\System\aGpzwvv.exe 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe File created C:\Windows\System\WvfOKNO.exe 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe File created C:\Windows\System\TRTvSpj.exe 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe File created C:\Windows\System\kWjgCJO.exe 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe File created C:\Windows\System\aEppgbU.exe 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe File created C:\Windows\System\CKsYyqY.exe 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe File created C:\Windows\System\KYYmgoK.exe 
2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe File created C:\Windows\System\gLfzEbv.exe 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe File created C:\Windows\System\PvDbrOv.exe 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe File created C:\Windows\System\OpJooXW.exe 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe File created C:\Windows\System\EWHEnIq.exe 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe File created C:\Windows\System\JwtUZeH.exe 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeLockMemoryPrivilege 3452 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe Token: SeLockMemoryPrivilege 3452 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe -
Suspicious use of WriteProcessMemory 42 IoCs
description pid Process procid_target PID 3452 wrote to memory of 4136 3452 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe 92 PID 3452 wrote to memory of 4136 3452 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe 92 PID 3452 wrote to memory of 6084 3452 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe 93 PID 3452 wrote to memory of 6084 3452 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe 93 PID 3452 wrote to memory of 5356 3452 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe 94 PID 3452 wrote to memory of 5356 3452 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe 94 PID 3452 wrote to memory of 5168 3452 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe 95 PID 3452 wrote to memory of 5168 3452 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe 95 PID 3452 wrote to memory of 4524 3452 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe 96 PID 3452 wrote to memory of 4524 3452 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe 96 PID 3452 wrote to memory of 3448 3452 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe 97 PID 3452 wrote to memory of 3448 3452 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe 97 PID 3452 wrote to memory of 5656 3452 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe 98 PID 3452 wrote to memory of 5656 3452 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe 98 PID 3452 wrote to memory of 4968 3452 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe 99 PID 3452 wrote to memory of 4968 3452 
2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe 99 PID 3452 wrote to memory of 1432 3452 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe 100 PID 3452 wrote to memory of 1432 3452 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe 100 PID 3452 wrote to memory of 4132 3452 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe 101 PID 3452 wrote to memory of 4132 3452 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe 101 PID 3452 wrote to memory of 3592 3452 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe 103 PID 3452 wrote to memory of 3592 3452 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe 103 PID 3452 wrote to memory of 3224 3452 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe 104 PID 3452 wrote to memory of 3224 3452 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe 104 PID 3452 wrote to memory of 5888 3452 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe 105 PID 3452 wrote to memory of 5888 3452 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe 105 PID 3452 wrote to memory of 1488 3452 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe 106 PID 3452 wrote to memory of 1488 3452 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe 106 PID 3452 wrote to memory of 5624 3452 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe 107 PID 3452 wrote to memory of 5624 3452 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe 107 PID 3452 wrote to memory of 1944 3452 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe 108 PID 3452 wrote to 
memory of 1944 3452 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe 108 PID 3452 wrote to memory of 1048 3452 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe 109 PID 3452 wrote to memory of 1048 3452 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe 109 PID 3452 wrote to memory of 3600 3452 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe 110 PID 3452 wrote to memory of 3600 3452 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe 110 PID 3452 wrote to memory of 5772 3452 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe 111 PID 3452 wrote to memory of 5772 3452 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe 111 PID 3452 wrote to memory of 4532 3452 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe 115 PID 3452 wrote to memory of 4532 3452 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe 115 PID 3452 wrote to memory of 5660 3452 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe 116 PID 3452 wrote to memory of 5660 3452 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe 116
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe"C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe"1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3452 -
C:\Windows\System\PvDbrOv.exeC:\Windows\System\PvDbrOv.exe2⤵
- Executes dropped EXE
PID:4136
-
-
C:\Windows\System\SvfaYty.exeC:\Windows\System\SvfaYty.exe2⤵
- Executes dropped EXE
PID:6084
-
-
C:\Windows\System\kWjgCJO.exeC:\Windows\System\kWjgCJO.exe2⤵
- Executes dropped EXE
PID:5356
-
-
C:\Windows\System\OpJooXW.exeC:\Windows\System\OpJooXW.exe2⤵
- Executes dropped EXE
PID:5168
-
-
C:\Windows\System\EWHEnIq.exeC:\Windows\System\EWHEnIq.exe2⤵
- Executes dropped EXE
PID:4524
-
-
C:\Windows\System\NsxVjjA.exeC:\Windows\System\NsxVjjA.exe2⤵
- Executes dropped EXE
PID:3448
-
-
C:\Windows\System\Ticnvij.exeC:\Windows\System\Ticnvij.exe2⤵
- Executes dropped EXE
PID:5656
-
-
C:\Windows\System\AyhLRTq.exeC:\Windows\System\AyhLRTq.exe2⤵
- Executes dropped EXE
PID:4968
-
-
C:\Windows\System\aGpzwvv.exeC:\Windows\System\aGpzwvv.exe2⤵
- Executes dropped EXE
PID:1432
-
-
C:\Windows\System\JwtUZeH.exeC:\Windows\System\JwtUZeH.exe2⤵
- Executes dropped EXE
PID:4132
-
-
C:\Windows\System\KYYmgoK.exeC:\Windows\System\KYYmgoK.exe2⤵
- Executes dropped EXE
PID:3592
-
-
C:\Windows\System\aEppgbU.exeC:\Windows\System\aEppgbU.exe2⤵
- Executes dropped EXE
PID:3224
-
-
C:\Windows\System\CKsYyqY.exeC:\Windows\System\CKsYyqY.exe2⤵
- Executes dropped EXE
PID:5888
-
-
C:\Windows\System\WvfOKNO.exeC:\Windows\System\WvfOKNO.exe2⤵
- Executes dropped EXE
PID:1488
-
-
C:\Windows\System\TRTvSpj.exeC:\Windows\System\TRTvSpj.exe2⤵
- Executes dropped EXE
PID:5624
-
-
C:\Windows\System\gLfzEbv.exeC:\Windows\System\gLfzEbv.exe2⤵
- Executes dropped EXE
PID:1944
-
-
C:\Windows\System\LSewzxp.exeC:\Windows\System\LSewzxp.exe2⤵
- Executes dropped EXE
PID:1048
-
-
C:\Windows\System\YoXWrzz.exeC:\Windows\System\YoXWrzz.exe2⤵
- Executes dropped EXE
PID:3600
-
-
C:\Windows\System\nRrFaSX.exeC:\Windows\System\nRrFaSX.exe2⤵
- Executes dropped EXE
PID:5772
-
-
C:\Windows\System\AEuuSMM.exeC:\Windows\System\AEuuSMM.exe2⤵
- Executes dropped EXE
PID:4532
-
-
C:\Windows\System\qoCgjzh.exeC:\Windows\System\qoCgjzh.exe2⤵
- Executes dropped EXE
PID:5660
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3820,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=4768 /prefetch:81⤵PID:428
Network
MITRE ATT&CK Matrix
Downloads