Analysis
max time kernel: 143s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/08/2024, 10:47
Behavioral task
behavioral1
Sample: 2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe
Resource: win7-20240708-en
General
Target: 2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe
Size: 5.2MB
MD5: 6b524e2d8698c55b583d9bbcbcdcd714
SHA1: ad609e0ac5e9f355cc0a9c527804f65974a1fbeb
SHA256: d4c62700ce14c4cb710f5e1ba743afd1ca4ba3382b44f802015d66c4f8c05613
SHA512: 76500484d331f9de4c5715a94fb61fc460ff8b072dabd2522f31564fd315c594f5a05543401527ea54d0d591d0a3c88f8dca7c644be4eee1b79a7d7596e4bc2e
SSDEEP: 49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l9:RWWBibf56utgpPFotBER/mQ32lUB
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2:
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
Signatures
Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
XMRig Miner payload 46 IoCs
Executes dropped EXE 21 IoCs
pid   Process
5008  EsLbEoe.exe
3704  CeNKpNX.exe
4700  hChkuld.exe
2680  zbULbuk.exe
452   CvJnVpm.exe
4188  irwDwOO.exe
3824  ItacToq.exe
2436  RGEUvyy.exe
3876  btmDWwy.exe
2800  PiPAFYI.exe
1476  LAqrZoH.exe
4356  iQiFUZI.exe
5108  CWIzEZN.exe
1108  PtvhuVC.exe
1544  StcJlJV.exe
1688  Wcspvex.exe
4972  cqouLGi.exe
4832  VSgnHQo.exe
3964  GlERwev.exe
2792  YaWXOzc.exe
4064  dbaSZMn.exe
Drops file in Windows directory 21 IoCs
description: File created
Process: 2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe (all 21 entries)
ioc:
C:\Windows\System\RGEUvyy.exe
C:\Windows\System\GlERwev.exe
C:\Windows\System\dbaSZMn.exe
C:\Windows\System\irwDwOO.exe
C:\Windows\System\CvJnVpm.exe
C:\Windows\System\zbULbuk.exe
C:\Windows\System\LAqrZoH.exe
C:\Windows\System\PtvhuVC.exe
C:\Windows\System\Wcspvex.exe
C:\Windows\System\CeNKpNX.exe
C:\Windows\System\StcJlJV.exe
C:\Windows\System\VSgnHQo.exe
C:\Windows\System\YaWXOzc.exe
C:\Windows\System\ItacToq.exe
C:\Windows\System\hChkuld.exe
C:\Windows\System\btmDWwy.exe
C:\Windows\System\PiPAFYI.exe
C:\Windows\System\iQiFUZI.exe
C:\Windows\System\CWIzEZN.exe
C:\Windows\System\cqouLGi.exe
C:\Windows\System\EsLbEoe.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description                   pid   Process
Token: SeLockMemoryPrivilege  4776  2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege  4776  2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe
Suspicious use of WriteProcessMemory 42 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe"
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4776

  C:\Windows\System\EsLbEoe.exe
  - Executes dropped EXE
  PID: 5008

  C:\Windows\System\CeNKpNX.exe
  - Executes dropped EXE
  PID: 3704

  C:\Windows\System\hChkuld.exe
  - Executes dropped EXE
  PID: 4700

  C:\Windows\System\CvJnVpm.exe
  - Executes dropped EXE
  PID: 452

  C:\Windows\System\zbULbuk.exe
  - Executes dropped EXE
  PID: 2680

  C:\Windows\System\irwDwOO.exe
  - Executes dropped EXE
  PID: 4188

  C:\Windows\System\ItacToq.exe
  - Executes dropped EXE
  PID: 3824

  C:\Windows\System\RGEUvyy.exe
  - Executes dropped EXE
  PID: 2436

  C:\Windows\System\btmDWwy.exe
  - Executes dropped EXE
  PID: 3876

  C:\Windows\System\PiPAFYI.exe
  - Executes dropped EXE
  PID: 2800

  C:\Windows\System\LAqrZoH.exe
  - Executes dropped EXE
  PID: 1476

  C:\Windows\System\iQiFUZI.exe
  - Executes dropped EXE
  PID: 4356

  C:\Windows\System\CWIzEZN.exe
  - Executes dropped EXE
  PID: 5108

  C:\Windows\System\PtvhuVC.exe
  - Executes dropped EXE
  PID: 1108

  C:\Windows\System\StcJlJV.exe
  - Executes dropped EXE
  PID: 1544

  C:\Windows\System\Wcspvex.exe
  - Executes dropped EXE
  PID: 1688

  C:\Windows\System\cqouLGi.exe
  - Executes dropped EXE
  PID: 4972

  C:\Windows\System\VSgnHQo.exe
  - Executes dropped EXE
  PID: 4832

  C:\Windows\System\GlERwev.exe
  - Executes dropped EXE
  PID: 3964

  C:\Windows\System\YaWXOzc.exe
  - Executes dropped EXE
  PID: 2792

  C:\Windows\System\dbaSZMn.exe
  - Executes dropped EXE
  PID: 4064
Downloads