Analysis
max time kernel: 150s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/08/2024, 10:53
Behavioral task: behavioral1
Sample: 2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe
Resource: win7-20240705-en
General
Target: 2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe
Size: 5.2MB
MD5: b19220e7df143d39bd88607c17f94732
SHA1: f75bffa6bd13633f181348eceb2a1cd9ddcb715a
SHA256: 9311ff1052617b0a651f8b395441dcd4939677da44d9a255bccca5ed9a1c71b5
SHA512: 88c31480cab7a3665be327d7dfbf5b55e5f86e6102bac202b2881af3704f14d96740d5ef07288f99005a4dbfdc7dd9e7eabe91cc712d73f4369b67e609f8857e
SSDEEP: 49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l5:RWWBibf56utgpPFotBER/mQ32lUl
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
Signatures
Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
XMRig Miner payload 45 IoCs
Executes dropped EXE 21 IoCs
Drops file in Windows directory 21 IoCs
Suspicious use of AdjustPrivilegeToken 2 IoCs
Token: SeLockMemoryPrivilege, PID 3444, 2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege, PID 3444, 2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe
Suspicious use of WriteProcessMemory 42 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe (depth 1, PID 3444)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\System\dZJmlJU.exe (depth 2, PID 3848): Executes dropped EXE
  C:\Windows\System\EjLSJKt.exe (depth 2, PID 428): Executes dropped EXE
  C:\Windows\System\ornhikP.exe (depth 2, PID 1216): Executes dropped EXE
  C:\Windows\System\ZLxCpdj.exe (depth 2, PID 3868): Executes dropped EXE
  C:\Windows\System\ieNwCGZ.exe (depth 2, PID 5072): Executes dropped EXE
  C:\Windows\System\WEnVqKK.exe (depth 2, PID 1196): Executes dropped EXE
  C:\Windows\System\iupFaFp.exe (depth 2, PID 3308): Executes dropped EXE
  C:\Windows\System\IaYVdEZ.exe (depth 2, PID 3160): Executes dropped EXE
  C:\Windows\System\RtfopzW.exe (depth 2, PID 872): Executes dropped EXE
  C:\Windows\System\CZfBebo.exe (depth 2, PID 4600): Executes dropped EXE
  C:\Windows\System\sMIMFvG.exe (depth 2, PID 4932): Executes dropped EXE
  C:\Windows\System\jbwTEXE.exe (depth 2, PID 1300): Executes dropped EXE
  C:\Windows\System\yolmzwK.exe (depth 2, PID 2236): Executes dropped EXE
  C:\Windows\System\lFDWffz.exe (depth 2, PID 2672): Executes dropped EXE
  C:\Windows\System\eTiSDNG.exe (depth 2, PID 2232): Executes dropped EXE
  C:\Windows\System\QpSgtFj.exe (depth 2, PID 1104): Executes dropped EXE
  C:\Windows\System\OUfXvMY.exe (depth 2, PID 832): Executes dropped EXE
  C:\Windows\System\mbKkSId.exe (depth 2, PID 4476): Executes dropped EXE
  C:\Windows\System\KybSQoN.exe (depth 2, PID 1960): Executes dropped EXE
  C:\Windows\System\MsmHxtI.exe (depth 2, PID 2944): Executes dropped EXE
  C:\Windows\System\OyDgiVf.exe (depth 2, PID 532): Executes dropped EXE
Downloads