Analysis
- max time kernel: 140s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15/08/2024, 10:49
Behavioral task: behavioral1
- Sample: 2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe
- Resource: win7-20240705-en
General
- Target: 2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe
- Size: 5.2MB
- MD5: 88455dbda7e54d7eecc1645585c9db25
- SHA1: 15284c7f0f5a4dddb779be50c2566d4890506ac3
- SHA256: a4d3c52ddd999983d3962eeed98a8d5e9f0b1ca6b24ea4b8b462c74a2ad329c1
- SHA512: 870dea19d6a69177d3d7c338c3a2fb08d556ff4aa739b9b66652bc89a2dc8d38f0ffa5af09d93034db1932f20a20d1aec9dac9b6c9d592f892feb4a4368f898c
- SSDEEP: 49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l4:RWWBibf56utgpPFotBER/mQ32lUU
Malware Config
Extracted: cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- access_type: 512
- beacon_type: 256
- create_remote_thread: 768
- crypto_scheme: 256
- host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http_header1:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_header2:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
- http_method1: GET
- http_method2: POST
- maxdns: 255
- pipe_name: \\%s\pipe\msagent_%x
- polling_time: 5000
- port_number: 443
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 4096
- unknown2:
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /N4215/adj/amzn.us.sr.aps
- user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
- watermark: 0
Signatures

Cobalt Strike reflective loader (21 IoCs)
Detects the reflective loader used by Cobalt Strike.
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.

XMRig Miner payload (47 IoCs)
Executes dropped EXE (21 IoCs)
pid   Process
2444  AYeHzDR.exe
3328  wysoCwX.exe
1656  faMitaO.exe
3948  vfvHyCy.exe
4764  pJHOVsi.exe
3920  LZJGxNM.exe
4912  ZgZixCE.exe
3516  VjCoEtv.exe
2624  pOcBcUN.exe
5068  nUMKkit.exe
440   VmUNgiJ.exe
4924  QyJJJdq.exe
1032  xFAtEaN.exe
3124  gmXhzCI.exe
4732  JRAApjQ.exe
5040  rHKaQVk.exe
5032  RyLLpyy.exe
4620  IAqyVZX.exe
4592  qiwpHeM.exe
4068  FKawCaX.exe
3480  lVsQShw.exe
yara_rule upx: matches on the memory region of the sample (PID 1484), on the dropped .dat file resources, and on the memory regions of every child process.
Drops file in Windows directory (21 IoCs)
Files created by 2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe under C:\Windows\System\: VjCoEtv.exe, nUMKkit.exe, rHKaQVk.exe, AYeHzDR.exe, faMitaO.exe, vfvHyCy.exe, pJHOVsi.exe, ZgZixCE.exe, VmUNgiJ.exe, LZJGxNM.exe, pOcBcUN.exe, qiwpHeM.exe, FKawCaX.exe, IAqyVZX.exe, lVsQShw.exe, wysoCwX.exe, QyJJJdq.exe, xFAtEaN.exe, gmXhzCI.exe, JRAApjQ.exe, RyLLpyy.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Token: SeLockMemoryPrivilege, PID 1484, 2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe (observed twice)
Suspicious use of WriteProcessMemory (42 IoCs)
PID 1484 (2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe) wrote to the memory of each child process twice; target pid (procid_target): 2444 (85), 3328 (86), 1656 (87), 3948 (88), 4764 (89), 4912 (90), 3920 (92), 3516 (93), 2624 (94), 5068 (95), 440 (96), 4924 (97), 1032 (98), 3124 (99), 4732 (100), 5040 (101), 5032 (102), 4620 (103), 4592 (104), 3480 (105), 4068 (106)
Processes

- C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe"
  PID: 1484
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes (each launched with its image path as the command line, each flagged "Executes dropped EXE"):
  - C:\Windows\System\AYeHzDR.exe, PID 2444
  - C:\Windows\System\wysoCwX.exe, PID 3328
  - C:\Windows\System\faMitaO.exe, PID 1656
  - C:\Windows\System\vfvHyCy.exe, PID 3948
  - C:\Windows\System\pJHOVsi.exe, PID 4764
  - C:\Windows\System\ZgZixCE.exe, PID 4912
  - C:\Windows\System\LZJGxNM.exe, PID 3920
  - C:\Windows\System\VjCoEtv.exe, PID 3516
  - C:\Windows\System\pOcBcUN.exe, PID 2624
  - C:\Windows\System\nUMKkit.exe, PID 5068
  - C:\Windows\System\VmUNgiJ.exe, PID 440
  - C:\Windows\System\QyJJJdq.exe, PID 4924
  - C:\Windows\System\xFAtEaN.exe, PID 1032
  - C:\Windows\System\gmXhzCI.exe, PID 3124
  - C:\Windows\System\JRAApjQ.exe, PID 4732
  - C:\Windows\System\rHKaQVk.exe, PID 5040
  - C:\Windows\System\RyLLpyy.exe, PID 5032
  - C:\Windows\System\IAqyVZX.exe, PID 4620
  - C:\Windows\System\qiwpHeM.exe, PID 4592
  - C:\Windows\System\lVsQShw.exe, PID 3480
  - C:\Windows\System\FKawCaX.exe, PID 4068
Downloads (21 dropped files, 5.2MB each)