Analysis
max time kernel: 140s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/08/2024, 10:47
Behavioral task: behavioral1
Sample: 2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe
Resource: win7-20240729-en
General
Target: 2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe
Size: 5.2MB
MD5: 6c5862dd6742b207080c3bf04987ed32
SHA1: 28cefb613aac4959f44677a2348391cae9e89e6b
SHA256: e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1
SHA512: 9582818d8a419bb34e979980b259fdbbd9c92c1c42f695fc3e490080d14fbe7822304d7a0c196a4fedd03541ee874bfe5d3dd0dafdb39d50410da17cf7e901e0
SSDEEP: 49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lx:RWWBibf56utgpPFotBER/mQ32lUt
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2:
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
Signatures
Cobalt Strike reflective loader (21 IoCs)
Detects the reflective loader used by Cobalt Strike.
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
XMRig Miner payload (44 IoCs)
Executes dropped EXE (21 IoCs)
pid   Process
2792  icuvtEB.exe
4772  ELRIjCN.exe
5016  BwsPaEr.exe
2636  EilvOVR.exe
2704  gexnndi.exe
2228  mZBgisT.exe
4388  awaVaKx.exe
3268  hEjlGEY.exe
3500  ebbPaoh.exe
2256  nbHewlH.exe
556   tkTnwvA.exe
1592  bkGdnjG.exe
4040  hUCsPuQ.exe
4036  IOmtonY.exe
5000  xAJuAyn.exe
4284  RzmGEDq.exe
1440  LvhHQzc.exe
3416  fPRYZLN.exe
2872  xfyBEMO.exe
3588  YQOqzYI.exe
3916  xnDAVat.exe
Drops file in Windows directory (21 IoCs)
Process (every row): 2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe
description   ioc
File created  C:\Windows\System\ELRIjCN.exe
File created  C:\Windows\System\gexnndi.exe
File created  C:\Windows\System\nbHewlH.exe
File created  C:\Windows\System\ebbPaoh.exe
File created  C:\Windows\System\hUCsPuQ.exe
File created  C:\Windows\System\LvhHQzc.exe
File created  C:\Windows\System\YQOqzYI.exe
File created  C:\Windows\System\EilvOVR.exe
File created  C:\Windows\System\tkTnwvA.exe
File created  C:\Windows\System\bkGdnjG.exe
File created  C:\Windows\System\IOmtonY.exe
File created  C:\Windows\System\RzmGEDq.exe
File created  C:\Windows\System\xfyBEMO.exe
File created  C:\Windows\System\BwsPaEr.exe
File created  C:\Windows\System\mZBgisT.exe
File created  C:\Windows\System\fPRYZLN.exe
File created  C:\Windows\System\icuvtEB.exe
File created  C:\Windows\System\awaVaKx.exe
File created  C:\Windows\System\hEjlGEY.exe
File created  C:\Windows\System\xAJuAyn.exe
File created  C:\Windows\System\xnDAVat.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description                   pid   Process
Token: SeLockMemoryPrivilege  4812  2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege  4812  2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe
Suspicious use of WriteProcessMemory (42 IoCs)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe  (PID 4812)
    command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe"
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\System\icuvtEB.exe  (PID 2792)
        command line: C:\Windows\System\icuvtEB.exe
        - Executes dropped EXE
    [2] C:\Windows\System\ELRIjCN.exe  (PID 4772)
        command line: C:\Windows\System\ELRIjCN.exe
        - Executes dropped EXE
    [2] C:\Windows\System\BwsPaEr.exe  (PID 5016)
        command line: C:\Windows\System\BwsPaEr.exe
        - Executes dropped EXE
    [2] C:\Windows\System\EilvOVR.exe  (PID 2636)
        command line: C:\Windows\System\EilvOVR.exe
        - Executes dropped EXE
    [2] C:\Windows\System\gexnndi.exe  (PID 2704)
        command line: C:\Windows\System\gexnndi.exe
        - Executes dropped EXE
    [2] C:\Windows\System\mZBgisT.exe  (PID 2228)
        command line: C:\Windows\System\mZBgisT.exe
        - Executes dropped EXE
    [2] C:\Windows\System\awaVaKx.exe  (PID 4388)
        command line: C:\Windows\System\awaVaKx.exe
        - Executes dropped EXE
    [2] C:\Windows\System\hEjlGEY.exe  (PID 3268)
        command line: C:\Windows\System\hEjlGEY.exe
        - Executes dropped EXE
    [2] C:\Windows\System\nbHewlH.exe  (PID 2256)
        command line: C:\Windows\System\nbHewlH.exe
        - Executes dropped EXE
    [2] C:\Windows\System\ebbPaoh.exe  (PID 3500)
        command line: C:\Windows\System\ebbPaoh.exe
        - Executes dropped EXE
    [2] C:\Windows\System\tkTnwvA.exe  (PID 556)
        command line: C:\Windows\System\tkTnwvA.exe
        - Executes dropped EXE
    [2] C:\Windows\System\bkGdnjG.exe  (PID 1592)
        command line: C:\Windows\System\bkGdnjG.exe
        - Executes dropped EXE
    [2] C:\Windows\System\IOmtonY.exe  (PID 4036)
        command line: C:\Windows\System\IOmtonY.exe
        - Executes dropped EXE
    [2] C:\Windows\System\hUCsPuQ.exe  (PID 4040)
        command line: C:\Windows\System\hUCsPuQ.exe
        - Executes dropped EXE
    [2] C:\Windows\System\xAJuAyn.exe  (PID 5000)
        command line: C:\Windows\System\xAJuAyn.exe
        - Executes dropped EXE
    [2] C:\Windows\System\RzmGEDq.exe  (PID 4284)
        command line: C:\Windows\System\RzmGEDq.exe
        - Executes dropped EXE
    [2] C:\Windows\System\LvhHQzc.exe  (PID 1440)
        command line: C:\Windows\System\LvhHQzc.exe
        - Executes dropped EXE
    [2] C:\Windows\System\fPRYZLN.exe  (PID 3416)
        command line: C:\Windows\System\fPRYZLN.exe
        - Executes dropped EXE
    [2] C:\Windows\System\xfyBEMO.exe  (PID 2872)
        command line: C:\Windows\System\xfyBEMO.exe
        - Executes dropped EXE
    [2] C:\Windows\System\YQOqzYI.exe  (PID 3588)
        command line: C:\Windows\System\YQOqzYI.exe
        - Executes dropped EXE
    [2] C:\Windows\System\xnDAVat.exe  (PID 3916)
        command line: C:\Windows\System\xnDAVat.exe
        - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads