Analysis
-
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/08/2024, 10:50
Behavioral task: behavioral1
Sample: 2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe
Resource: win7-20240708-en
General
-
Target: 2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe
Size: 5.2MB
MD5: a555dad139cf57c035aedc927c5cafcf
SHA1: bcf863a3cb3a64ac2d5c6efd41b010811b677c48
SHA256: 3df9f79354d14edf3f142b7916aa887cb9e7b8e9be6c249c3a92517ec8d291c9
SHA512: 46f4b6def334209c859d236945f400f84d920bd46da230c58286090042193f8c158cc14bd3d148333ec4c3753bea4ea00036c4c1296ad10ab2f1363346079fea
SSDEEP: 49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l+:RWWBibf56utgpPFotBER/mQ32lU6
Malware Config
Extracted: cobaltstrike
0
C2 URLs:
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
-
access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
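The two http_header values above are not literal HTTP headers: they are the serialized transform programs of the beacon's http-get and http-post client blocks, and the field the report labels state_machine is a DER-encoded RSA SubjectPublicKeyInfo (the MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQ prefix is the fixed header of a 1024-bit rsaEncryption key). The decoder below is an added example, not part of this report and not tria.ge's or Cobalt Strike's own code; the three base64 constants are copied from the config above, and the opcode names follow the convention used by public Cobalt Strike configuration parsers, which is an assumption insofar as the report itself does not define them. Decoded, the blobs render as the client blocks of the widely circulated "amazon" Malleable C2 example profile, with a Host header of www.amazon.com that does not match the real C2 hosts (ns7/ns8/ns9.softline.top, plaintext http:// on port 443); that mismatch is the network-side detail worth alerting on.

```python
# Decoder for the Cobalt Strike malleable-C2 transform blobs and the RSA public
# key from the "Malware Config" section above.  Stdlib only.
import base64
import struct

# Values copied from this report: http_header1, http_header2 and the field the
# report labels state_machine (zero padded after the DER structure).
HTTP_HEADER1 = "AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="
HTTP_HEADER2 = "AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA=="
PUBLIC_KEY = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="

# Opcode names as used by public Cobalt Strike config parsers (assumption:
# the report does not define them).  Each step is a big-endian uint32 opcode,
# optionally followed by a uint32 length and data, or by a uint32 argument.
WITH_STRING = {1: "append", 2: "prepend", 5: "parameter", 6: "header",
               9: "const_parameter", 10: "const_header", 12: "uri_append",
               16: "const_host_header"}
NO_ARG = {3: "base64", 4: "print", 8: "netbios", 11: "netbiosu",
          13: "base64url", 15: "mask"}
BUILD = 7  # argument 0 = metadata (id block in http-post), 1 = output


def _b64(s: str) -> bytes:
    """Tolerant base64: re-pad in case the copied value lost its '=' signs."""
    s = s.strip().rstrip("=")
    return base64.b64decode(s + "=" * (-len(s) % 4))


def decode_transform(b64: str) -> list[tuple]:
    """Walk the opcode stream up to the 0 terminator; return steps as tuples."""
    raw, off, steps = _b64(b64), 0, []
    while off + 4 <= len(raw):
        (op,) = struct.unpack_from(">I", raw, off)
        off += 4
        if op == 0:
            break
        if op in WITH_STRING:
            (n,) = struct.unpack_from(">I", raw, off)
            steps.append((WITH_STRING[op], raw[off + 4:off + 4 + n].decode("latin-1")))
            off += 4 + n
        elif op == BUILD:
            (arg,) = struct.unpack_from(">I", raw, off)
            steps.append(("build", arg))
            off += 4
        elif op in NO_ARG:
            steps.append((NO_ARG[op],))
        else:
            raise ValueError(f"unknown transform opcode {op} at offset {off - 4}")
    return steps


def render_profile(steps, build_names=("metadata", "output")) -> list[str]:
    """Render decoded steps as Malleable C2 client-block statements.
    Use build_names=("id", "output") for an http-post blob."""
    out, in_block = [], False
    for step in steps:
        name, arg = step[0], step[1] if len(step) > 1 else None
        pad = "    " if in_block else ""
        if name in ("const_header", "const_parameter"):
            key, _, val = arg.partition(": " if name == "const_header" else "=")
            out.append(f'{pad}{name[6:]} "{key}" "{val}";')
        elif name == "build":
            out.append(f"{build_names[arg]} {{")
            in_block = True
        else:
            out.append(f'{pad}{name} "{arg}";' if arg is not None else f"{pad}{name};")
            if name in ("header", "parameter", "print", "uri_append"):  # block terminators
                out.append("}")
                in_block = False
    return out


def rsa_public_key_info(b64: str) -> tuple[int, int]:
    """Minimal DER walk of a SubjectPublicKeyInfo; returns (modulus bits, e)."""
    der = _b64(b64)

    def tlv(off):  # -> (tag, value_start, value_end)
        tag, ln, off = der[off], der[off + 1], off + 2
        if ln & 0x80:  # long-form length
            nb, off = ln & 0x7F, off + (ln & 0x7F)
            ln = int.from_bytes(der[off - nb:off], "big")
        return tag, off, off + ln

    tag, spki, _ = tlv(0)                       # SubjectPublicKeyInfo SEQUENCE
    tag_alg, alg, alg_end = tlv(spki)           # AlgorithmIdentifier SEQUENCE
    tag_oid, oid, oid_end = tlv(alg)            # algorithm OID
    if (tag, tag_alg, tag_oid) != (0x30, 0x30, 0x06) or \
            der[oid:oid_end] != bytes.fromhex("2a864886f70d010101"):  # rsaEncryption
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    _, bs, _ = tlv(alg_end)                     # BIT STRING; first byte = unused bits
    _, key, _ = tlv(bs + 1)                     # RSAPublicKey SEQUENCE
    _, n_start, n_end = tlv(key)                # modulus INTEGER
    _, e_start, e_end = tlv(n_end)              # publicExponent INTEGER
    n = int.from_bytes(der[n_start:n_end], "big")
    e = int.from_bytes(der[e_start:e_end], "big")
    return n.bit_length(), e


if __name__ == "__main__":
    print("\n".join(render_profile(decode_transform(HTTP_HEADER1))))
    print("\n".join(render_profile(decode_transform(HTTP_HEADER2), ("id", "output"))))
    print("RSA key: %d-bit, e=%d" % rsa_public_key_info(PUBLIC_KEY))
```

Run stand-alone, the script prints the http-get client block (two const headers, then a metadata block of base64, prepend "session-token=", prepend "skin=noskin;", append "csm-hit=...", header "Cookie"), the http-post client block (four headers, parameters sz/oe, an id block carrying the session id in parameter "sn", parameters s/dc_ref, and an output block of base64 + print), and a 1024-bit key with e=65537. The 1024-bit size is what Cobalt Strike uses to encrypt beacon metadata; the key alone does not identify the team server, but together with the C2 hosts and the watermark it is a stable pivot across samples built from the same server.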
Signatures
-
Cobalt Strike reflective loader (21 IoCs)
Detects the reflective loader used by Cobalt Strike.
resource | yara_rule
behavioral2/files/0x00080000000235ac-4.dat | cobalt_reflective_dll
behavioral2/files/0x00070000000235b1-9.dat | cobalt_reflective_dll
behavioral2/files/0x00070000000235b0-11.dat | cobalt_reflective_dll
behavioral2/files/0x00070000000235b4-24.dat | cobalt_reflective_dll
behavioral2/files/0x00070000000235b3-29.dat | cobalt_reflective_dll
behavioral2/files/0x00070000000235b6-44.dat | cobalt_reflective_dll
behavioral2/files/0x00070000000235b5-47.dat | cobalt_reflective_dll
behavioral2/files/0x00070000000235b7-52.dat | cobalt_reflective_dll
behavioral2/files/0x00080000000235ad-70.dat | cobalt_reflective_dll
behavioral2/files/0x00070000000235ba-82.dat | cobalt_reflective_dll
behavioral2/files/0x00070000000235bb-87.dat | cobalt_reflective_dll
behavioral2/files/0x00070000000235b9-76.dat | cobalt_reflective_dll
behavioral2/files/0x00070000000235b8-73.dat | cobalt_reflective_dll
behavioral2/files/0x00070000000235b2-38.dat | cobalt_reflective_dll
behavioral2/files/0x00070000000235bc-107.dat | cobalt_reflective_dll
behavioral2/files/0x00070000000235c2-130.dat | cobalt_reflective_dll
behavioral2/files/0x00070000000235be-129.dat | cobalt_reflective_dll
behavioral2/files/0x00070000000235bf-137.dat | cobalt_reflective_dll
behavioral2/files/0x00070000000235bd-126.dat | cobalt_reflective_dll
behavioral2/files/0x00070000000235c1-125.dat | cobalt_reflective_dll
behavioral2/files/0x00070000000235c0-124.dat | cobalt_reflective_dll
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
XMRig Miner payload (45 IoCs)
resource | yara_rule
behavioral2/memory/2336-34-0x00007FF7C8B70000-0x00007FF7C8EC1000-memory.dmp | xmrig
behavioral2/memory/1840-85-0x00007FF732D30000-0x00007FF733081000-memory.dmp | xmrig
behavioral2/memory/2316-84-0x00007FF631CB0000-0x00007FF632001000-memory.dmp | xmrig
behavioral2/memory/2196-42-0x00007FF7ED590000-0x00007FF7ED8E1000-memory.dmp | xmrig
behavioral2/memory/1412-103-0x00007FF79AFA0000-0x00007FF79B2F1000-memory.dmp | xmrig
behavioral2/memory/3092-145-0x00007FF769410000-0x00007FF769761000-memory.dmp | xmrig
behavioral2/memory/2924-144-0x00007FF6F6B90000-0x00007FF6F6EE1000-memory.dmp | xmrig
behavioral2/memory/1912-143-0x00007FF66C870000-0x00007FF66CBC1000-memory.dmp | xmrig
behavioral2/memory/1116-140-0x00007FF72B450000-0x00007FF72B7A1000-memory.dmp | xmrig
behavioral2/memory/3212-139-0x00007FF68F4A0000-0x00007FF68F7F1000-memory.dmp | xmrig
behavioral2/memory/1904-117-0x00007FF676440000-0x00007FF676791000-memory.dmp | xmrig
behavioral2/memory/5112-116-0x00007FF781F10000-0x00007FF782261000-memory.dmp | xmrig
behavioral2/memory/908-102-0x00007FF780E50000-0x00007FF7811A1000-memory.dmp | xmrig
behavioral2/memory/2212-101-0x00007FF667BC0000-0x00007FF667F11000-memory.dmp | xmrig
behavioral2/memory/1180-100-0x00007FF67A7B0000-0x00007FF67AB01000-memory.dmp | xmrig
behavioral2/memory/3936-99-0x00007FF669D80000-0x00007FF66A0D1000-memory.dmp | xmrig
behavioral2/memory/5056-94-0x00007FF68A960000-0x00007FF68ACB1000-memory.dmp | xmrig
behavioral2/memory/3332-95-0x00007FF75AB10000-0x00007FF75AE61000-memory.dmp | xmrig
behavioral2/memory/1488-106-0x00007FF641080000-0x00007FF6413D1000-memory.dmp | xmrig
behavioral2/memory/4660-98-0x00007FF698770000-0x00007FF698AC1000-memory.dmp | xmrig
behavioral2/memory/2316-146-0x00007FF631CB0000-0x00007FF632001000-memory.dmp | xmrig
behavioral2/memory/2164-163-0x00007FF70E1A0000-0x00007FF70E4F1000-memory.dmp | xmrig
behavioral2/memory/752-161-0x00007FF7781B0000-0x00007FF778501000-memory.dmp | xmrig
behavioral2/memory/2316-168-0x00007FF631CB0000-0x00007FF632001000-memory.dmp | xmrig
behavioral2/memory/1840-207-0x00007FF732D30000-0x00007FF733081000-memory.dmp | xmrig
behavioral2/memory/1488-215-0x00007FF641080000-0x00007FF6413D1000-memory.dmp | xmrig
behavioral2/memory/2336-217-0x00007FF7C8B70000-0x00007FF7C8EC1000-memory.dmp | xmrig
behavioral2/memory/5056-219-0x00007FF68A960000-0x00007FF68ACB1000-memory.dmp | xmrig
behavioral2/memory/2196-221-0x00007FF7ED590000-0x00007FF7ED8E1000-memory.dmp | xmrig
behavioral2/memory/3332-225-0x00007FF75AB10000-0x00007FF75AE61000-memory.dmp | xmrig
behavioral2/memory/4660-224-0x00007FF698770000-0x00007FF698AC1000-memory.dmp | xmrig
behavioral2/memory/3936-227-0x00007FF669D80000-0x00007FF66A0D1000-memory.dmp | xmrig
behavioral2/memory/1412-234-0x00007FF79AFA0000-0x00007FF79B2F1000-memory.dmp | xmrig
behavioral2/memory/2212-238-0x00007FF667BC0000-0x00007FF667F11000-memory.dmp | xmrig
behavioral2/memory/1180-239-0x00007FF67A7B0000-0x00007FF67AB01000-memory.dmp | xmrig
behavioral2/memory/908-236-0x00007FF780E50000-0x00007FF7811A1000-memory.dmp | xmrig
behavioral2/memory/5112-232-0x00007FF781F10000-0x00007FF782261000-memory.dmp | xmrig
behavioral2/memory/1904-229-0x00007FF676440000-0x00007FF676791000-memory.dmp | xmrig
behavioral2/memory/3212-251-0x00007FF68F4A0000-0x00007FF68F7F1000-memory.dmp | xmrig
behavioral2/memory/1116-250-0x00007FF72B450000-0x00007FF72B7A1000-memory.dmp | xmrig
behavioral2/memory/752-261-0x00007FF7781B0000-0x00007FF778501000-memory.dmp | xmrig
behavioral2/memory/1912-259-0x00007FF66C870000-0x00007FF66CBC1000-memory.dmp | xmrig
behavioral2/memory/3092-258-0x00007FF769410000-0x00007FF769761000-memory.dmp | xmrig
behavioral2/memory/2924-256-0x00007FF6F6B90000-0x00007FF6F6EE1000-memory.dmp | xmrig
behavioral2/memory/2164-254-0x00007FF70E1A0000-0x00007FF70E4F1000-memory.dmp | xmrig
-
Executes dropped EXE (21 IoCs)
pid | Process
1840 | iHEboqA.exe
1488 | maiaofq.exe
5056 | gbfUQft.exe
2336 | HPOAXVh.exe
2196 | oWeLtQQ.exe
3332 | dEqibIo.exe
4660 | ZVxCRTX.exe
3936 | GvWVEMS.exe
1180 | MtzFDGP.exe
2212 | QlSEghp.exe
908 | qEeSeMU.exe
1412 | kPEeDQr.exe
5112 | lTYoxvp.exe
1904 | npcukMT.exe
752 | pfDImYI.exe
2164 | QDtzrMU.exe
3092 | uvrLutd.exe
3212 | cXNhOiy.exe
1116 | KCuPINj.exe
1912 | AdkZojk.exe
2924 | EYIJkus.exe
-
UPX packed file (yara_rule upx)
resource | yara_rule
behavioral2/memory/2316-0-0x00007FF631CB0000-0x00007FF632001000-memory.dmp | upx
behavioral2/files/0x00080000000235ac-4.dat | upx
behavioral2/files/0x00070000000235b1-9.dat | upx
behavioral2/files/0x00070000000235b0-11.dat | upx
behavioral2/memory/1840-7-0x00007FF732D30000-0x00007FF733081000-memory.dmp | upx
behavioral2/files/0x00070000000235b4-24.dat | upx
behavioral2/files/0x00070000000235b3-29.dat | upx
behavioral2/memory/2336-34-0x00007FF7C8B70000-0x00007FF7C8EC1000-memory.dmp | upx
behavioral2/files/0x00070000000235b6-44.dat | upx
behavioral2/files/0x00070000000235b5-47.dat | upx
behavioral2/files/0x00070000000235b7-52.dat | upx
behavioral2/memory/2212-66-0x00007FF667BC0000-0x00007FF667F11000-memory.dmp | upx
behavioral2/files/0x00080000000235ad-70.dat | upx
behavioral2/files/0x00070000000235ba-82.dat | upx
behavioral2/files/0x00070000000235bb-87.dat | upx
behavioral2/memory/1904-86-0x00007FF676440000-0x00007FF676791000-memory.dmp | upx
behavioral2/memory/1840-85-0x00007FF732D30000-0x00007FF733081000-memory.dmp | upx
behavioral2/memory/2316-84-0x00007FF631CB0000-0x00007FF632001000-memory.dmp | upx
behavioral2/memory/5112-80-0x00007FF781F10000-0x00007FF782261000-memory.dmp | upx
behavioral2/memory/1412-79-0x00007FF79AFA0000-0x00007FF79B2F1000-memory.dmp | upx
behavioral2/files/0x00070000000235b9-76.dat | upx
behavioral2/files/0x00070000000235b8-73.dat | upx
behavioral2/memory/908-69-0x00007FF780E50000-0x00007FF7811A1000-memory.dmp | upx
behavioral2/memory/1180-58-0x00007FF67A7B0000-0x00007FF67AB01000-memory.dmp | upx
behavioral2/memory/3936-46-0x00007FF669D80000-0x00007FF66A0D1000-memory.dmp | upx
behavioral2/memory/4660-45-0x00007FF698770000-0x00007FF698AC1000-memory.dmp | upx
behavioral2/memory/2196-42-0x00007FF7ED590000-0x00007FF7ED8E1000-memory.dmp | upx
behavioral2/files/0x00070000000235b2-38.dat | upx
behavioral2/memory/3332-28-0x00007FF75AB10000-0x00007FF75AE61000-memory.dmp | upx
behavioral2/memory/5056-27-0x00007FF68A960000-0x00007FF68ACB1000-memory.dmp | upx
behavioral2/memory/1488-19-0x00007FF641080000-0x00007FF6413D1000-memory.dmp | upx
behavioral2/memory/1412-103-0x00007FF79AFA0000-0x00007FF79B2F1000-memory.dmp | upx
behavioral2/files/0x00070000000235bc-107.dat | upx
behavioral2/files/0x00070000000235c2-130.dat | upx
behavioral2/files/0x00070000000235be-129.dat | upx
behavioral2/files/0x00070000000235bf-137.dat | upx
behavioral2/memory/3092-145-0x00007FF769410000-0x00007FF769761000-memory.dmp | upx
behavioral2/memory/2924-144-0x00007FF6F6B90000-0x00007FF6F6EE1000-memory.dmp | upx
behavioral2/memory/1912-143-0x00007FF66C870000-0x00007FF66CBC1000-memory.dmp | upx
behavioral2/memory/1116-140-0x00007FF72B450000-0x00007FF72B7A1000-memory.dmp | upx
behavioral2/memory/3212-139-0x00007FF68F4A0000-0x00007FF68F7F1000-memory.dmp | upx
behavioral2/memory/2164-136-0x00007FF70E1A0000-0x00007FF70E4F1000-memory.dmp | upx
behavioral2/memory/752-131-0x00007FF7781B0000-0x00007FF778501000-memory.dmp | upx
behavioral2/files/0x00070000000235bd-126.dat | upx
behavioral2/files/0x00070000000235c1-125.dat | upx
behavioral2/files/0x00070000000235c0-124.dat | upx
behavioral2/memory/1904-117-0x00007FF676440000-0x00007FF676791000-memory.dmp | upx
behavioral2/memory/5112-116-0x00007FF781F10000-0x00007FF782261000-memory.dmp | upx
behavioral2/memory/908-102-0x00007FF780E50000-0x00007FF7811A1000-memory.dmp | upx
behavioral2/memory/2212-101-0x00007FF667BC0000-0x00007FF667F11000-memory.dmp | upx
behavioral2/memory/1180-100-0x00007FF67A7B0000-0x00007FF67AB01000-memory.dmp | upx
behavioral2/memory/3936-99-0x00007FF669D80000-0x00007FF66A0D1000-memory.dmp | upx
behavioral2/memory/5056-94-0x00007FF68A960000-0x00007FF68ACB1000-memory.dmp | upx
behavioral2/memory/3332-95-0x00007FF75AB10000-0x00007FF75AE61000-memory.dmp | upx
behavioral2/memory/1488-106-0x00007FF641080000-0x00007FF6413D1000-memory.dmp | upx
behavioral2/memory/4660-98-0x00007FF698770000-0x00007FF698AC1000-memory.dmp | upx
behavioral2/memory/2316-146-0x00007FF631CB0000-0x00007FF632001000-memory.dmp | upx
behavioral2/memory/2164-163-0x00007FF70E1A0000-0x00007FF70E4F1000-memory.dmp | upx
behavioral2/memory/752-161-0x00007FF7781B0000-0x00007FF778501000-memory.dmp | upx
behavioral2/memory/2316-168-0x00007FF631CB0000-0x00007FF632001000-memory.dmp | upx
behavioral2/memory/1840-207-0x00007FF732D30000-0x00007FF733081000-memory.dmp | upx
behavioral2/memory/1488-215-0x00007FF641080000-0x00007FF6413D1000-memory.dmp | upx
behavioral2/memory/2336-217-0x00007FF7C8B70000-0x00007FF7C8EC1000-memory.dmp | upx
behavioral2/memory/5056-219-0x00007FF68A960000-0x00007FF68ACB1000-memory.dmp | upx
-
Drops file in Windows directory (21 IoCs)
description | ioc
Process for every entry: 2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\QDtzrMU.exe
File created | C:\Windows\System\uvrLutd.exe
File created | C:\Windows\System\EYIJkus.exe
File created | C:\Windows\System\iHEboqA.exe
File created | C:\Windows\System\gbfUQft.exe
File created | C:\Windows\System\HPOAXVh.exe
File created | C:\Windows\System\kPEeDQr.exe
File created | C:\Windows\System\AdkZojk.exe
File created | C:\Windows\System\cXNhOiy.exe
File created | C:\Windows\System\KCuPINj.exe
File created | C:\Windows\System\ZVxCRTX.exe
File created | C:\Windows\System\GvWVEMS.exe
File created | C:\Windows\System\QlSEghp.exe
File created | C:\Windows\System\npcukMT.exe
File created | C:\Windows\System\pfDImYI.exe
File created | C:\Windows\System\lTYoxvp.exe
File created | C:\Windows\System\maiaofq.exe
File created | C:\Windows\System\dEqibIo.exe
File created | C:\Windows\System\oWeLtQQ.exe
File created | C:\Windows\System\MtzFDGP.exe
File created | C:\Windows\System\qEeSeMU.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeLockMemoryPrivilege | 2316 | 2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege | 2316 | 2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe
-
Suspicious use of WriteProcessMemory (42 IoCs)
description | pid | procid_target
Process for every entry: 2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe; each write is recorded twice in the report, giving 42 entries for 21 targets
PID 2316 wrote to memory of 1840 | 2316 | 92
PID 2316 wrote to memory of 1488 | 2316 | 93
PID 2316 wrote to memory of 5056 | 2316 | 94
PID 2316 wrote to memory of 3332 | 2316 | 95
PID 2316 wrote to memory of 2336 | 2316 | 96
PID 2316 wrote to memory of 2196 | 2316 | 97
PID 2316 wrote to memory of 4660 | 2316 | 98
PID 2316 wrote to memory of 3936 | 2316 | 99
PID 2316 wrote to memory of 1180 | 2316 | 100
PID 2316 wrote to memory of 2212 | 2316 | 101
PID 2316 wrote to memory of 908 | 2316 | 102
PID 2316 wrote to memory of 1412 | 2316 | 103
PID 2316 wrote to memory of 5112 | 2316 | 104
PID 2316 wrote to memory of 1904 | 2316 | 105
PID 2316 wrote to memory of 752 | 2316 | 106
PID 2316 wrote to memory of 1912 | 2316 | 108
PID 2316 wrote to memory of 2164 | 2316 | 109
PID 2316 wrote to memory of 3092 | 2316 | 110
PID 2316 wrote to memory of 3212 | 2316 | 111
PID 2316 wrote to memory of 1116 | 2316 | 112
PID 2316 wrote to memory of 2924 | 2316 | 113
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe (PID 2316)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\System\iHEboqA.exe (PID 1840)
    Command line: C:\Windows\System\iHEboqA.exe
    - Executes dropped EXE
  Level 2: C:\Windows\System\maiaofq.exe (PID 1488)
    Command line: C:\Windows\System\maiaofq.exe
    - Executes dropped EXE
  Level 2: C:\Windows\System\gbfUQft.exe (PID 5056)
    Command line: C:\Windows\System\gbfUQft.exe
    - Executes dropped EXE
  Level 2: C:\Windows\System\dEqibIo.exe (PID 3332)
    Command line: C:\Windows\System\dEqibIo.exe
    - Executes dropped EXE
  Level 2: C:\Windows\System\HPOAXVh.exe (PID 2336)
    Command line: C:\Windows\System\HPOAXVh.exe
    - Executes dropped EXE
  Level 2: C:\Windows\System\oWeLtQQ.exe (PID 2196)
    Command line: C:\Windows\System\oWeLtQQ.exe
    - Executes dropped EXE
  Level 2: C:\Windows\System\ZVxCRTX.exe (PID 4660)
    Command line: C:\Windows\System\ZVxCRTX.exe
    - Executes dropped EXE
  Level 2: C:\Windows\System\GvWVEMS.exe (PID 3936)
    Command line: C:\Windows\System\GvWVEMS.exe
    - Executes dropped EXE
  Level 2: C:\Windows\System\MtzFDGP.exe (PID 1180)
    Command line: C:\Windows\System\MtzFDGP.exe
    - Executes dropped EXE
  Level 2: C:\Windows\System\QlSEghp.exe (PID 2212)
    Command line: C:\Windows\System\QlSEghp.exe
    - Executes dropped EXE
  Level 2: C:\Windows\System\qEeSeMU.exe (PID 908)
    Command line: C:\Windows\System\qEeSeMU.exe
    - Executes dropped EXE
  Level 2: C:\Windows\System\kPEeDQr.exe (PID 1412)
    Command line: C:\Windows\System\kPEeDQr.exe
    - Executes dropped EXE
  Level 2: C:\Windows\System\lTYoxvp.exe (PID 5112)
    Command line: C:\Windows\System\lTYoxvp.exe
    - Executes dropped EXE
  Level 2: C:\Windows\System\npcukMT.exe (PID 1904)
    Command line: C:\Windows\System\npcukMT.exe
    - Executes dropped EXE
  Level 2: C:\Windows\System\pfDImYI.exe (PID 752)
    Command line: C:\Windows\System\pfDImYI.exe
    - Executes dropped EXE
  Level 2: C:\Windows\System\AdkZojk.exe (PID 1912)
    Command line: C:\Windows\System\AdkZojk.exe
    - Executes dropped EXE
  Level 2: C:\Windows\System\QDtzrMU.exe (PID 2164)
    Command line: C:\Windows\System\QDtzrMU.exe
    - Executes dropped EXE
  Level 2: C:\Windows\System\uvrLutd.exe (PID 3092)
    Command line: C:\Windows\System\uvrLutd.exe
    - Executes dropped EXE
  Level 2: C:\Windows\System\cXNhOiy.exe (PID 3212)
    Command line: C:\Windows\System\cXNhOiy.exe
    - Executes dropped EXE
  Level 2: C:\Windows\System\KCuPINj.exe (PID 1116)
    Command line: C:\Windows\System\KCuPINj.exe
    - Executes dropped EXE
  Level 2: C:\Windows\System\EYIJkus.exe (PID 2924)
    Command line: C:\Windows\System\EYIJkus.exe
    - Executes dropped EXE
-
Level 1: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4008)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4072,i,1828333185976713750,7918646547767660928,262144 --variations-seed-version --mojo-platform-channel-handle=4432 /prefetch:8
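The Signatures and Processes sections above describe one pattern worth turning into a host-side detection: a single parent (PID 2316) creates 21 executables under C:\Windows\System\, launches each of them, and enables SeLockMemoryPrivilege, the privilege XMRig requests for large-page memory. The correlation below is an added example, not tria.ge's signature logic; its event records are constructed here from the PIDs and paths in this report and are not a real Sysmon or EDR feed, and the Event schema is an assumption chosen to stand in for whatever your telemetry actually emits.

```python
# Drop-and-execute correlation over process/file events.  Added example; the
# events are constructed from the PIDs and paths in this report.
from collections import defaultdict
from dataclasses import dataclass

PARENT_PID = 2316
PARENT_IMAGE = (r"C:\Users\Admin\AppData\Local\Temp"
                r"\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe")

# (dropped file name, PID it ran as), from "Executes dropped EXE" above.
DROPPED = [
    ("iHEboqA.exe", 1840), ("maiaofq.exe", 1488), ("gbfUQft.exe", 5056),
    ("HPOAXVh.exe", 2336), ("oWeLtQQ.exe", 2196), ("dEqibIo.exe", 3332),
    ("ZVxCRTX.exe", 4660), ("GvWVEMS.exe", 3936), ("MtzFDGP.exe", 1180),
    ("QlSEghp.exe", 2212), ("qEeSeMU.exe", 908), ("kPEeDQr.exe", 1412),
    ("lTYoxvp.exe", 5112), ("npcukMT.exe", 1904), ("pfDImYI.exe", 752),
    ("QDtzrMU.exe", 2164), ("uvrLutd.exe", 3092), ("cXNhOiy.exe", 3212),
    ("KCuPINj.exe", 1116), ("AdkZojk.exe", 1912), ("EYIJkus.exe", 2924),
]


@dataclass(frozen=True)
class Event:
    """Assumed telemetry shape; map your own Sysmon/EDR fields onto it."""
    kind: str            # "file_create" | "process_create" | "privilege"
    pid: int             # acting process
    image: str           # acting process image path
    target: str          # created file, child image, or privilege name
    child_pid: int = 0   # process_create only


def sample_events() -> list[Event]:
    """Constructed trace mirroring this report (not a real feed)."""
    ev = [Event("privilege", PARENT_PID, PARENT_IMAGE, "SeLockMemoryPrivilege")]
    for name, pid in DROPPED:
        path = r"C:\Windows\System" + "\\" + name
        ev.append(Event("file_create", PARENT_PID, PARENT_IMAGE, path))
        ev.append(Event("process_create", PARENT_PID, PARENT_IMAGE, path, pid))
    # Unrelated activity from the same trace, kept as a negative control.
    edge = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    ev.append(Event("process_create", 4008, edge, edge, 4008))
    return ev


def detect_drop_and_execute(events, root="C:\\Windows\\", min_children=3):
    """Flag any process that writes .exe files under `root` and then launches
    them.  Returns {pid: [(child_image, child_pid), ...]} for offenders that
    launched at least `min_children` of their own drops."""
    root = root.lower()
    created = defaultdict(set)      # pid -> lower-cased paths it wrote under root
    launched = defaultdict(list)    # pid -> children that were its own drops
    for e in events:
        t = e.target.lower()
        if e.kind == "file_create" and t.startswith(root) and t.endswith(".exe"):
            created[e.pid].add(t)
        elif e.kind == "process_create" and t in created.get(e.pid, ()):
            launched[e.pid].append((e.target, e.child_pid))
    return {pid: kids for pid, kids in launched.items() if len(kids) >= min_children}


def detect_lock_memory_privilege(events):
    """SeLockMemoryPrivilege is needed for large pages; XMRig enables it for
    RandomX throughput, so a non-database, non-hypervisor process asking for
    it is a cheap miner indicator."""
    return [(e.pid, e.image) for e in events
            if e.kind == "privilege" and e.target == "SeLockMemoryPrivilege"]


def triage(events) -> dict:
    """Run both detections and return their findings keyed by rule name."""
    return {
        "drop_and_execute": detect_drop_and_execute(events),
        "lock_memory_privilege": detect_lock_memory_privilege(events),
    }


if __name__ == "__main__":
    for rule, hits in triage(sample_events()).items():
        print(rule, hits)
```

Against the constructed trace the first rule fires once, on PID 2316 with all 21 children, and the second rule fires on the same PID; the Edge utility process is ignored because it never wrote anything under C:\Windows\. The threshold exists so that a legitimate installer writing and starting one helper in the Windows directory does not trip the rule; tune `root` and `min_children` to your environment rather than relying on the defaults.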
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize: 5.2MB
MD5: 544009f68c1b4a66a17e1b86d08b5742
SHA1: c16ed7481cf27fe27a128265ec1134c50e564c99
SHA256: 231b6cae839bea172661e6faf4928ee049a33538d38f7422f3d893a0afeb1c07
SHA512: a66643d503d7b3df377fa1608bee30a7ef97283a6cc3508144ad462d4f4b9ab2b81be95b651ee4cc2227d1e1b87fb34a02aecacf3f253f75ab4e774c128db87b
-
Filesize: 5.2MB
MD5: 847eec894d5b8aa3ac1b514f7e4afbd8
SHA1: c3089b6167a77be46c8a4e6fdc2263c882c0b95a
SHA256: 5908638aedf9d2047cb5d4b5463500d17f1528e503fdf27a82c0d0e1b5fd14ce
SHA512: 7d0927d077441178b9fc03e9149dbe7857c37af0272b7e2faacd44a8fa255a5b7e64644b73f04140bb5401525a521f84c7844f6cf395a8cb2582ef6dea770dc8
-
Filesize: 5.2MB
MD5: fa938132e20dcd1e66192f7c4c6b4363
SHA1: edb11a2542f7e3a71e30e4af5b8b02fa1dd64b8b
SHA256: d34cec2c6d4f65066eb86654d4d07084c4429bfeb10b906cebd1a70c59e49b52
SHA512: 4dd18e35b175c78f5592b1b2210e7f0a7d4e22a5cd7ddf952c0bdef29966a0586b498f90b13b623723c6d8de3bfb2cb93fbb81417652848f14dc807607d716d2
-
Filesize: 5.2MB
MD5: 166058ddc3d4d2ce9b4c9988a37fd2bf
SHA1: e2dde234e65b6e4a678caf1f2c477f8eed75b392
SHA256: 416a667a53d2a902eb8f897927cfeffaee6624b7251499965f2fb00379514bcb
SHA512: 57e34a95d44ea168c09ec1ef7bea474ca955fd1d7ac307e1f43507d1360f4c61fb1f605307f41ea10826f2bf315940626fd8d8e4c6415e6355cb185974ddfe7a
-
Filesize: 5.2MB
MD5: ef518ae3154a79c6b7a6816810493081
SHA1: 651a561aafbdabd990db4eea2f3f2bef2baa73a2
SHA256: 02c056054e6daaf2faba4de620685cc9bcc01b8f60612bb171867109fada064b
SHA512: 776ad50ee3e51dd1b5989204ea81dfd32fda90a144a7e9e63148ccb2bb04aec459dae545e23487d727f6f7d0f1259ff4e70083c6c0f394e887e0677d2d679561
-
Filesize: 5.2MB
MD5: 0ae2d026903c2ae76cc5c691e58fd6b8
SHA1: fe5ff750e1e61038ff797ed699ba1d1b131c9567
SHA256: bb0fd9c1ea93e4f3638adaff709477a00811edd6d588a02e167e7dcc675081c2
SHA512: 673eb350f946c0d1e94aa9cebf6282eea8a2293c93a7db121054d60149f4067996aaaa68c73dcf98db68dab0128457b251aaff4988b50ef029cf6f9c3f90a261
-
Filesize: 5.2MB
MD5: f6760f2133d03a852d97cd657f64db65
SHA1: 9c593b25c069944d2e2caca60e898d46a84e695b
SHA256: 86b1fd26671c36ab433cd743385060b8ff2199390fa867b12d77b12ef572d4ab
SHA512: 5b0a93789591f09d75f88f5167b2e28652574f809d2c9a6dd3163b6a019c3a2b8e565dfa275b8ad5dae1ca01a1a94dd400a5ed58607c87c4200203fb4de66080
-
Filesize: 5.2MB
MD5: 48baf9ac42e6a94a42e58a293a845bed
SHA1: 0e6586d0873e4acc479b3320b63790f07f599b08
SHA256: c183bbdc5bd25da6741008c5391b817a8d37e966ceec59e89ac7fe29b20accc5
SHA512: a76cd18ff3cc474e4ec9130a2fa9f891f420a09a05db654c36ab50a631253d159210e1db777713cac9f4ec63fce111b1bb4adb16490402abd83be24c5034613f
-
Filesize: 5.2MB
MD5: 92ffe3b510cf16117764266390a08e57
SHA1: 2ff4c4b511b5c430f80e553ce74ee42041c6adf0
SHA256: 18dd848816389f0a9f6c42f6fd44287bb9189166debfc76f9a5afb27a309458e
SHA512: 730f7c9e31946d3343790de478e7a7e05c5f6c1f4d23f0943cc3064af04711d464318940fa5b023cebd9ff4cdd03b53861c5a9e2a09409af4c7af5692b88f110
-
Filesize: 5.2MB
MD5: 2a99407f2f5ec56599e49d318010429a
SHA1: 9a77a3e5e10bb8577b1d96b56c41075f85d5310d
SHA256: 803e8fc643aa32358ae65b93b003e2e16836fae4cf6757339062dfe2fde7fe6b
SHA512: ffd403bfe2b902386fbfccf14ce67b8448a959a75556fede5d42f83bd53cd12534677c41f297934b289d1b0b8e7888371088e834d4be81b3755f0b9fb897e232
-
Filesize: 5.2MB
MD5: d4c01c995e534ee44aa5c77237bf39f9
SHA1: 1d9629efef4e54d491f3e49e72e77041629bb9bb
SHA256: 3a215cebf3836a5c4de0ef71d5db5db2813a5ffbe20eb47cfeea9f4fbb645d12
SHA512: 90de4ae97bbed6714ebc1a232fb36288cd6ab1d71f8edcdd6fe398d4edc4df1f1aa5283ba37e623cbc79b286b429c4d0c37b929a7cda3e972de6560434cc6410
-
Filesize: 5.2MB
MD5: 9d2a554a38a58a7c56f94af914152fce
SHA1: 6fe58ba05768901eabfcdbaaf725e11fd59a5b52
SHA256: cafc4b47805c1b5f02dcba150d57097c8170ed3ceacf4a1d23e2983763601b8f
SHA512: 575b53b22f461b0dab29f1236db4dfeac875f8ec1f3edd80eee09b95b1e123e76fd4c560dcd62cc30efb83822b19a029d61d1c96e25a5b55dddc17a15983a1a5
-
Filesize: 5.2MB
MD5: c7c4daba696ccfc4715787ce1e23c760
SHA1: ecb0720a16107b602ca18c62f80dd28b1ec91d46
SHA256: 0048c18392a9642d2e46e73f0760e5f7bfcaaa8d517a7091422ee806ba444829
SHA512: e58cc4dad496fdde7bbdc183f0b8a231ac6efc8ec3b1cd364f2db2840ce5baa43f86ad3edb3f4772ad7ef7d765bbe355834f04e8ff7394344884230421ec2323
-
Filesize: 5.2MB
MD5: 8d3172dec2efe1399a97bb5297e93429
SHA1: dbf6cba53ea0fb823a2c98125039ab5953f2faa1
SHA256: f48e742098a6055d11bc3b03199f09ab871ef8d1ec760a9ab7766b2c4781be9b
SHA512: 9d24925fe11b5480826f356b30abbce8f62bd3c0eeae5a231b66c64c2f5fc76d0fde1ad359f139e19e1579c5177c3d7bbd0a748b1f2a00731dee7781fed223ef
-
Filesize: 5.2MB
MD5: 97aa840fa89d23deb7311c0e9a80d47f
SHA1: 5efc3bb3c3e7d0aaed1a956cd87c0a54b885f145
SHA256: f37a2ec1fe7efbdba6aa6f9668069e9f4ced772d677edf0e55a65d1da7b5a9aa
SHA512: 49706aa5ec158c8a30c8d0c909a8903c9754528fb54db0385b1ff6c44fe9d090ee7959353752f09c340abe662809cc0df3bda3a3a2d3ab575a704fd65fd64025
-
Filesize: 5.2MB
MD5: a154adf1682c1924502c548a6944d3ea
SHA1: 910f3509be3a32628d8e872dc4fdb1c473f6fea1
SHA256: 78e7c1662b61d5c92f6b5f04399e53e7d541228851b3712404e568e3badbf184
SHA512: 2974ea98566e0c454133a001a8c8400dba39cb982ff094fdaaa8ad5dc2d7f2ab85e3fa271f13e2369471537646e4cbf84eb2ba08e54676c013bac8192404de03
-
Filesize: 5.2MB
MD5: 8904f371cd5ceaa227c32251a0a432c5
SHA1: 2008ba624a1363b088d478fec095e8bd128f2ee5
SHA256: b0aca9b4d73361f473f9e820c30765a5a8cb193f6e49c85f4866cb169f2c9ea5
SHA512: 1b7a51894e1177f2d3acef19ae8324cca9df1127a06d0e5d8209d87674e994acdebc30d41f9b4833e590fb72dd65bea6b72e56ae1f28d92e6e84c6c5ed3c5c4f
-
Filesize: 5.2MB
MD5: 4b53a5bdb3e58618168dc1e22efaf294
SHA1: a8e4b151951eb8ef183a3651d09d628823dbafe9
SHA256: ef66d8a07cbb5260f9764322ab13d1704a861792925c4ec7a259871593eab022
SHA512: 186d22a36be4a0925125a0bad04419914635d2a3e88f0df9d19f176889be746f709ccd26bde749566f5a7b4dbdb2cf0f1ec73f16db36e8d67288a58ffc536315
-
Filesize: 5.2MB
MD5: 43110caf8a03a2e68c253dce7d18a853
SHA1: 1b59978034b3a9e0379ce76b87a6f696491d2ec7
SHA256: fa580b083e1f70684b1fdc75704b0f64ea42b9da1413404274557cd2f4cd799e
SHA512: 3a8ac2ca00afae0d6d41314f4e1164f70d7c7bd4148bb70e08f1ba48697832315f497bdb307dd0ada888ca947d5210d9df9b2bca80d5e3eb5572d48de6fb7fe0
-
Filesize: 5.2MB
MD5: 241dd1e23c823d561c349d9ffa890a16
SHA1: 4df3786ced40b77c1ffee0528168c5515bbca3d8
SHA256: ba833d00a45a254efaa5b82f07579898be98d9421f2d71bd088c570b0fb72173
SHA512: 39f6ec450f38134186d36fc1dec659687b9258ecce55309ad46d23a138e4b865e642b998073c2dff5201522d99c34b78f5aeeb7e0de6833524834bcedfa9d867
-
Filesize: 5.2MB
MD5: 2fc0bc8b96730619352409d491f7f2f2
SHA1: fc4e6dadfd7246f6bcc5b6ba04872395091f1e6f
SHA256: 3d9a3eedc8baff1058a11cb0de5966edd13fc9c56c872c510e1078e48e5d46ea
SHA512: b89d2a6469a2e73574ce31a672ca227aec35bc8f69e288d8ee05f68573007f8f165d5eac742da139d44254301c1dfaeb68070995b73fabdf3002742282073fb1