Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/08/2024, 10:53
Behavioral task: behavioral1
Sample: 2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe
Resource: win7-20240729-en
General
Target: 2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe
Size: 5.2MB
MD5: b471a1a0e8a077241816a8dceceaf9dd
SHA1: 25ccaa6d28f9b511ccb93552bb8c4ab9be146168
SHA256: c7b4dca410e01266e143d8fd5f6428efa26ea5191c41c7b66094101e90132e13
SHA512: 04e367c84439f842814f2b6347569909fce5454ef804430ab1b7937d94d9fcb1f7d2d228dac535e5a094307772bd284a343cf1a6b5b7cac03be26b64cb466f1c
SSDEEP: 49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6ls:RWWBibf56utgpPFotBER/mQ32lUo
Malware Config
Extracted
cobaltstrike
0
C2:
  http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
  http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
  http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
Attributes:
access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host:
  ns7.softline.top, /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
  ns8.softline.top, /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
  ns9.softline.top, /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
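The http_header1 and http_header2 blobs above are not opaque: they are the serialized transform steps of the beacon's malleable C2 profile (beacon config items 12 and 13), a list of big-endian u32 opcodes, some followed by a length-prefixed string or a u32, terminated by opcode 0 and zero-padded to the field size. The decoder below is an added editorial example, not tria.ge output and not code from the sample; its only inputs are the two blobs copied from this page, and the opcode names follow the public Cobalt Strike config parsers (1768.py, CobaltStrikeParser).

```python
import base64
import struct

# Transform-step opcodes used in Cobalt Strike beacon config items 12 and 13
# (http_header1 / http_header2). Names follow 1768.py / CobaltStrikeParser.
STEPS = {
    1: "append", 2: "prepend", 3: "base64", 4: "print", 5: "parameter",
    6: "header", 7: "build", 8: "netbios", 9: "const_parameter",
    10: "const_header", 11: "netbiosu", 12: "uri_append", 13: "base64url",
    14: "strrep", 15: "mask", 16: "const_host_header",
}
STRING_ARG = {1, 2, 5, 6, 9, 10, 16}  # one length-prefixed string operand
BUILD, STRREP = 7, 14                  # one u32 operand / two string operands

# Copied verbatim from the Malware Config section of this report.
HTTP_HEADER1 = "AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="
HTTP_HEADER2 = "AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA=="


def _u32(buf, off):
    """Read one big-endian u32; refuse to read past the end of the blob."""
    if off + 4 > len(buf):
        raise ValueError(f"truncated transform blob at offset {off}")
    return struct.unpack_from(">I", buf, off)[0], off + 4


def _lstr(buf, off):
    """Read a u32 length followed by that many bytes (profile strings are ASCII)."""
    n, off = _u32(buf, off)
    if off + n > len(buf):
        raise ValueError(f"string runs past end of blob at offset {off}")
    return buf[off:off + n].decode("latin-1"), off + n


def decode_transform(b64, post=False):
    """Return the transform steps as tuples, e.g. ("prepend", "skin=noskin;").

    post=False decodes an http-get client block (build 0 = metadata);
    post=True decodes an http-post client block (build 0 = id, 1 = output).
    Parsing stops at the first opcode 0; the rest of the field is padding.
    """
    buf = base64.b64decode(b64)
    build_target = {0: "id" if post else "metadata", 1: "output"}
    steps, off = [], 0
    while off + 4 <= len(buf):
        op, off = _u32(buf, off)
        if op == 0:
            break
        name = STEPS.get(op)
        if name is None:
            raise ValueError(f"unknown transform opcode {op} at offset {off - 4}")
        if op in STRING_ARG:
            arg, off = _lstr(buf, off)
            steps.append((name, arg))
        elif op == BUILD:
            which, off = _u32(buf, off)
            steps.append((name, build_target.get(which, str(which))))
        elif op == STRREP:
            old, off = _lstr(buf, off)
            new, off = _lstr(buf, off)
            steps.append((name, old, new))
        else:
            steps.append((name,))
    return steps


def render(steps):
    """Render steps in malleable-C2 profile syntax, one statement per line."""
    lines = []
    for s in steps:
        if len(s) == 1:
            lines.append(f"{s[0]};")
        elif s[0] == "build":
            lines.append(f"build {s[1]};")
        else:
            lines.append(s[0] + " " + " ".join(f'"{a}"' for a in s[1:]) + ";")
    return "\n".join(lines)


if __name__ == "__main__":
    print("# http-get client (http_header1)")
    print(render(decode_transform(HTTP_HEADER1)))
    print("# http-post client (http_header2)")
    print(render(decode_transform(HTTP_HEADER2, post=True)))
```

Decoding shows the http-get client forcing `Host: www.amazon.com`, then base64-encoding the beacon metadata, wrapping it in `session-token=` / `skin=noskin;` / `csm-hit=...` and sending it as a `Cookie` header; the http-post client carries the session id in the `sn` parameter and the base64 output in the body. Together with the two URIs and the user agent above, this is the widely shared amazon.profile from the public Malleable-C2-Profiles collection, so the Amazon-looking requests are a decoy and the real server is whatever the connection goes to (here the softline.top hosts on port 443).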
Signatures

Cobalt Strike reflective loader (21 IoCs)
Detects the reflective loader used by Cobalt Strike.
Resources matching yara rule cobalt_reflective_dll:
  behavioral2/files/0x0008000000023445-3.dat
  behavioral2/files/0x0007000000023449-11.dat
  behavioral2/files/0x000700000002344a-17.dat
  behavioral2/files/0x000700000002344b-22.dat
  behavioral2/files/0x000700000002344c-29.dat
  behavioral2/files/0x0008000000023446-35.dat
  behavioral2/files/0x000700000002344e-40.dat
  behavioral2/files/0x000700000002344f-46.dat
  behavioral2/files/0x0007000000023450-55.dat
  behavioral2/files/0x0007000000023451-61.dat
  behavioral2/files/0x0007000000023452-67.dat
  behavioral2/files/0x0008000000023454-79.dat
  behavioral2/files/0x0007000000023453-80.dat
  behavioral2/files/0x0009000000023378-86.dat
  behavioral2/files/0x0008000000023456-98.dat
  behavioral2/files/0x0007000000023457-102.dat
  behavioral2/files/0x0007000000023458-106.dat
  behavioral2/files/0x0007000000023459-118.dat
  behavioral2/files/0x000700000002345b-131.dat
  behavioral2/files/0x000700000002345a-130.dat
  behavioral2/files/0x000700000002345c-128.dat

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.

XMRig Miner payload (47 IoCs)
Memory regions matching yara rule xmrig. Each resource is behavioral2/memory/<pid>-<n>-<range>-memory.dmp; the match numbers <n> are given in parentheses. Every process (the sample, PID 1840, and all 21 dropped executables) matches on its main image:
  PID   memory region                              matches
  1840  0x00007FF7D26A0000-0x00007FF7D29F1000      (59, 137, 167)
  4888  0x00007FF6A64F0000-0x00007FF6A6841000      (62, 217)
  3232  0x00007FF7D2350000-0x00007FF7D26A1000      (68, 219)
  1816  0x00007FF7C6310000-0x00007FF7C6661000      (21, 75, 221)
  1896  0x00007FF62EF90000-0x00007FF62F2E1000      (82, 223)
  1296  0x00007FF631830000-0x00007FF631B81000      (36, 228)
  3784  0x00007FF645C90000-0x00007FF645FE1000      (41, 230)
  1284  0x00007FF699050000-0x00007FF6993A1000      (95, 235)
  4564  0x00007FF6857A0000-0x00007FF685AF1000      (96, 237)
  404   0x00007FF696A40000-0x00007FF696D91000      (111, 239)
  1192  0x00007FF613FC0000-0x00007FF614311000      (64, 243)
  2196  0x00007FF6030B0000-0x00007FF603401000      (136, 245)
  2568  0x00007FF7D9A00000-0x00007FF7D9D51000      (143, 249)
  2332  0x00007FF70F6D0000-0x00007FF70FA21000      (149, 253)
  876   0x00007FF79A7D0000-0x00007FF79AB21000      (150, 251)
  3620  0x00007FF7F55A0000-0x00007FF7F58F1000      (155, 262)
  3264  0x00007FF7ACD80000-0x00007FF7AD0D1000      (156, 264)
  1080  0x00007FF6A6F50000-0x00007FF6A72A1000      (160, 266)
  3544  0x00007FF636A40000-0x00007FF636D91000      (162, 268)
  3936  0x00007FF730AC0000-0x00007FF730E11000      (161, 270)
  224   0x00007FF610B50000-0x00007FF610EA1000      (166, 272)
  772   0x00007FF677430000-0x00007FF677781000      (132, 165, 274)

Executes dropped EXE (21 IoCs)
  PID   Process
  4888  urWpCSw.exe
  3232  LliolhH.exe
  1816  eaKcnhf.exe
  1896  JcqMSld.exe
  1296  QhqHKnq.exe
  3784  RjnQNUN.exe
  1284  ylAshbW.exe
  4564  wmyPcpk.exe
  404   lPcMCbe.exe
  1192  zxKnpxv.exe
  2196  xOGFAGq.exe
  2568  MYVsfEY.exe
  2332  NURapao.exe
  876   XRgemyS.exe
  3620  YsYuAxz.exe
  3264  YhFLZOd.exe
  1080  hNUVjQl.exe
  3544  mgVqtRq.exe
  3936  CrHqCuJ.exe
  224   VrTNMrf.exe
  772   HtGquuU.exe

UPX packed (yara rule upx, 64 IoCs)
  files: the same 21 behavioral2/files/*.dat resources listed under "Cobalt Strike reflective loader" (match numbers 3, 11, 17, 22, 29, 35, 40, 46, 55, 61, 67, 79, 80, 86, 98, 102, 106, 118, 131, 130, 128)
  memory: 43 matches on the image regions listed under "XMRig Miner payload", by PID (match numbers in parentheses):
    1840 (0, 59, 137, 167), 4888 (7, 62), 3232 (14, 68), 1896 (23, 82), 1816 (21, 75), 3784 (41), 404 (54, 111), 4564 (47, 96), 1284 (44, 95), 1296 (36), 2196 (69, 136), 1192 (64), 2568 (77, 143), 876 (87, 150), 2332 (84, 149), 3620 (97, 155), 3264 (103, 156), 1080 (115, 160), 3936 (124, 161), 224 (129, 166), 772 (132, 165), 3544 (122, 162)

Drops file in Windows directory (21 IoCs)
All 21 files were created by 2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe (PID 1840):
  C:\Windows\System\LliolhH.exe
  C:\Windows\System\eaKcnhf.exe
  C:\Windows\System\wmyPcpk.exe
  C:\Windows\System\lPcMCbe.exe
  C:\Windows\System\NURapao.exe
  C:\Windows\System\YsYuAxz.exe
  C:\Windows\System\YhFLZOd.exe
  C:\Windows\System\hNUVjQl.exe
  C:\Windows\System\VrTNMrf.exe
  C:\Windows\System\JcqMSld.exe
  C:\Windows\System\ylAshbW.exe
  C:\Windows\System\xOGFAGq.exe
  C:\Windows\System\mgVqtRq.exe
  C:\Windows\System\MYVsfEY.exe
  C:\Windows\System\CrHqCuJ.exe
  C:\Windows\System\urWpCSw.exe
  C:\Windows\System\QhqHKnq.exe
  C:\Windows\System\RjnQNUN.exe
  C:\Windows\System\zxKnpxv.exe
  C:\Windows\System\XRgemyS.exe
  C:\Windows\System\HtGquuU.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Token: SeLockMemoryPrivilege, enabled twice by PID 1840 (2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe). SeLockMemoryPrivilege is the privilege required for large-page allocations, which XMRig enables for its RandomX memory; it is consistent with the xmrig memory matches above rather than with a plain Cobalt Strike beacon.

Suspicious use of WriteProcessMemory (42 IoCs)
The writing process is always PID 1840 (2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe); each child was written to twice, giving 42 entries for 21 targets:
  target PID   procid_target
  4888         85
  3232         86
  1816         87
  1896         88
  1296         91
  3784         92
  1284         93
  4564         94
  404          95
  1192         96
  2196         97
  2568         98
  2332         100
  876          101
  3620         102
  3264         103
  1080         106
  3544         107
  3936         108
  224          109
  772          110
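The report gives three host- and network-side indicators that generalize beyond this sample's hashes: the profile forces a Host header (www.amazon.com) that disagrees with the server actually contacted (the softline.top hosts), the SMB pipe name is `\\%s\pipe\msagent_%x` with a runtime hex suffix, and one process writes a burst of 7-letter random-named .exe files into C:\Windows\System and then runs them. The Python below is an added editorial example, not tria.ge output: it encodes those three checks and runs them over constructed telemetry records. The record shapes (dicts with `type`, `pid`, `dst_host`, `uri`, `headers`, `pipe`, `path`) and the sample events are assumptions for the example; map your own proxy and Sysmon fields onto them.

```python
import re
from collections import defaultdict

# Indicators taken from the extracted beacon config and signatures on this page.
C2_HOSTS = {"ns7.softline.top", "ns8.softline.top", "ns9.softline.top"}
PROFILE_URIS = {
    "/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",  # http-get
    "/N4215/adj/amzn.us.sr.aps",                                      # http-post
}
# pipe_name "\\%s\pipe\msagent_%x": %x is a runtime hex value, so match the prefix.
PIPE_RE = re.compile(r"^\\msagent_[0-9a-f]+$", re.IGNORECASE)
# The sample wrote 21 executables named <7 letters>.exe into C:\Windows\System.
DROP_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$")
DROP_THRESHOLD = 5


def http_host_mismatch(events):
    """Requests whose Host header names a different server than the one contacted.

    The profile sends Host: www.amazon.com to softline.top. A mismatch alone is
    a weak signal (virtual hosting, connections by IP), so it is rated "high"
    only when the destination or URI is one from the beacon config. Assumes the
    proxy records the real destination and the headers (plaintext HTTP, or
    HTTPS behind a TLS-inspecting proxy).
    """
    hits = []
    for e in events:
        if e["type"] != "http":
            continue
        dst = e["dst_host"].lower()
        host = e["headers"].get("Host", "").lower()
        if not host or host == dst:
            continue
        strong = dst in C2_HOSTS or e["uri"] in PROFILE_URIS
        hits.append({"pid": e["pid"], "dst": dst, "host": host,
                     "confidence": "high" if strong else "low"})
    return hits


def beacon_pipes(events):
    """Sysmon-style pipe creations matching the configured SMB beacon pipe name."""
    return [(e["pid"], e["pipe"]) for e in events
            if e["type"] == "pipe" and PIPE_RE.match(e["pipe"])]


def mass_drop(events, threshold=DROP_THRESHOLD):
    """Processes that create >= threshold random-named EXEs under C:\\Windows\\System."""
    per_pid = defaultdict(list)
    for e in events:
        if e["type"] == "file_create" and DROP_RE.match(e["path"]):
            per_pid[e["pid"]].append(e["path"])
    return {pid: paths for pid, paths in per_pid.items() if len(paths) >= threshold}


def triage(events):
    """Run all three checks and return their findings keyed by check name."""
    return {"host_mismatch": http_host_mismatch(events),
            "beacon_pipe": beacon_pipes(events),
            "mass_drop": mass_drop(events)}


# Constructed telemetry for the example (field names are an assumption).
SAMPLE_EVENTS = [
    {"type": "http", "pid": 1840, "dst_host": "ns7.softline.top",
     "uri": "/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",
     "headers": {"Host": "www.amazon.com", "Accept": "*/*"}},
    {"type": "http", "pid": 1840, "dst_host": "ns8.softline.top",
     "uri": "/N4215/adj/amzn.us.sr.aps",
     "headers": {"Host": "www.amazon.com", "Content-Type": "text/xml"}},
    {"type": "http", "pid": 5120, "dst_host": "www.amazon.com", "uri": "/",
     "headers": {"Host": "www.amazon.com"}},            # benign: Host matches
    {"type": "http", "pid": 5120, "dst_host": "10.0.0.8", "uri": "/intranet",
     "headers": {"Host": "wiki.corp.example"}},         # mismatch, no C2 indicator
    {"type": "pipe", "pid": 1840, "pipe": "\\msagent_7c3f"},
    {"type": "pipe", "pid": 700, "pipe": "\\lsass"},
    {"type": "file_create", "pid": 4100, "path": "C:\\Windows\\System\\setup.exe"},
] + [
    {"type": "file_create", "pid": 1840, "path": f"C:\\Windows\\System\\{n}.exe"}
    for n in ("urWpCSw", "LliolhH", "eaKcnhf", "JcqMSld", "QhqHKnq", "RjnQNUN")
]

if __name__ == "__main__":
    for name, finding in triage(SAMPLE_EVENTS).items():
        print(name, finding)
```

The first check is the durable one: a profile can change its URIs and user agent, but a decoy Host header only works if it disagrees with the real destination, so Host/destination disagreement plus a non-browser process is worth alerting on even without the softline.top names.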
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe (PID 1840)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  children (each launched with its own path as the command line and flagged "Executes dropped EXE"):
    C:\Windows\System\urWpCSw.exe (PID 4888)
    C:\Windows\System\LliolhH.exe (PID 3232)
    C:\Windows\System\eaKcnhf.exe (PID 1816)
    C:\Windows\System\JcqMSld.exe (PID 1896)
    C:\Windows\System\QhqHKnq.exe (PID 1296)
    C:\Windows\System\RjnQNUN.exe (PID 3784)
    C:\Windows\System\ylAshbW.exe (PID 1284)
    C:\Windows\System\wmyPcpk.exe (PID 4564)
    C:\Windows\System\lPcMCbe.exe (PID 404)
    C:\Windows\System\zxKnpxv.exe (PID 1192)
    C:\Windows\System\xOGFAGq.exe (PID 2196)
    C:\Windows\System\MYVsfEY.exe (PID 2568)
    C:\Windows\System\NURapao.exe (PID 2332)
    C:\Windows\System\XRgemyS.exe (PID 876)
    C:\Windows\System\YsYuAxz.exe (PID 3620)
    C:\Windows\System\YhFLZOd.exe (PID 3264)
    C:\Windows\System\hNUVjQl.exe (PID 1080)
    C:\Windows\System\mgVqtRq.exe (PID 3544)
    C:\Windows\System\CrHqCuJ.exe (PID 3936)
    C:\Windows\System\VrTNMrf.exe (PID 224)
    C:\Windows\System\HtGquuU.exe (PID 772)
Downloads
21 files, all 5.2MB, all with distinct hashes (each dropped copy differs from the others and from the parent sample):

Filesize: 5.2MB
MD5: fc5808f9e6bfb79f708d91b6cc2e254e
SHA1: 84103c07d170f2ebcfc1a5a576a7e7538d9487f9
SHA256: d870ca3b446ee851ae639b691b704a9eb09cadea76d5c78944f31401cda93d27
SHA512: ccd8d9cfd31e2707f11dce1d1f3337f00ce9d47a55dccb1159b42ab7b0873bd605d34575deff60dc8228105355d4b840ca1efd18b329d929324923cc61c10c89

Filesize: 5.2MB
MD5: 322994dac57a530b5c42444025de163d
SHA1: c206f0800d4c26b05ec67870984957e6fada4243
SHA256: 655ee3327fc5cf0a4d810227b2ee65aada22e27b314296e2ec21c3209043b5a1
SHA512: 85679468a52f728646e9fe26976030940bb0350eae5572c25487b5c65889b345b802c5d177044a8ef35556ecf739ad88023eb7d038b58335ebb74b6498fe5179

Filesize: 5.2MB
MD5: 2814390e206534f196bbcf05878cea78
SHA1: 01986a9f86c5b756988d0b8157b08c379d3d99b8
SHA256: 9dd0b16337920386564fc0805fcc4f7c6e58eead582a86897f8abece479ac0df
SHA512: 39b99d48261442394344c237ea976d9003f2fa642d9c716a30aff84c43ef47f053bb3831e879a2e0f7f28c86435b3cebf012f403ae999258aed433670c4d4107

Filesize: 5.2MB
MD5: 7a6f80dec687dbeee77b27c2f9cc65c5
SHA1: 2d1addfa27d83cb6bb00d629b98b34b37bfe85d7
SHA256: 7cb4d874afa69145e6f23f66502c89bac9973f9be311e97fbb6d7adc6f4314ae
SHA512: b2bd011017ef05f5ec412edd039490308bb329e42f28dcedb4b3917ac54b9b3deeb20a6d95e9faf0d3d5c77edb56b6e08d1595fbd915e953a247b01e873bcc2a

Filesize: 5.2MB
MD5: a03c1c4ac24a430aeae48055287c3687
SHA1: b8313e8c5cddf4b26a20be3ee5cbc79b3fdcd61b
SHA256: 85d4e18398369a870cafd3de21410d7e54334abbeca734a48cde0932a237314a
SHA512: 5df36fbb1cf3733cbb5f2082c0feee4e74a88fb592d2269c2ccc33a9962e44de20afac8c220148d0c287ca17c9cab6ede0e9427071e213edb441005863213668

Filesize: 5.2MB
MD5: 27b4f72476fb1bfc3c972f1583e1a806
SHA1: 60d4bf53a4815e87c592a87f5767876c274c4f49
SHA256: ca14684c8b22116df2829b26c2a614eaec5c892095bd9cdd56ca2b759d1c950d
SHA512: 71a54551b506ffdc7ba3b369473c42f798a1b57721e594a1d8a64f2c4704d9b542dd5ec48cbe9be7b8f4cbf222bf3c376ed2ae72d5cb06f5e2a4d7a2bfa8b6aa

Filesize: 5.2MB
MD5: 82208d989e97bfb6ea7aec7f0455ae30
SHA1: 3d7b7ea0796d5cce37b39d27fb773025ae6f0c5c
SHA256: 6cdc9b8b3ad1446ed7d95bde8bfdfa65ac5f352c2b975f078a44028b20665af1
SHA512: f7e88d411ff04fcb2b40fd55c278b284fc5a3e6a794df6a4852b6013d89a7641c1f15b449012a94914f47667062e78c30a8d4755f7f0ba3569b180d0d960a350

Filesize: 5.2MB
MD5: 76e97519b3d174b20459713195f85f9d
SHA1: 408af039237425e889a2a5190814fdbe33f58fb2
SHA256: 64c488f8b41a5a23a1415d6fca8b897b24502c97df3bfa6675c8fbede50a78b0
SHA512: 5dff318d2a8ce9e59634b699a638c743362e45fe0c6bb072b3ff40e59ffbdefb80b85c1a3834c476ab14893658d9d3361d666ec47998b4ec3272c8b5fef82703

Filesize: 5.2MB
MD5: d949c769b0124a5121c6de5aefbecd0f
SHA1: 21ef1dcb88a44ccf27ec952fa914f5317abf843a
SHA256: d50cf604bced86223356cd5729efccc68f931f8316d53dde7ff7c04c8253fe2b
SHA512: fce38b71ffd4807bb1c7d715a8d5687f0ec0846d37d8ac130000154179f704fe52ffca7f1bebab566fbed3894c1f902f28a93cccead098a081f9ed6b097fa3bd

Filesize: 5.2MB
MD5: c5cac17b8cb931c4f3214447f1544ddb
SHA1: 118d053c6735065d72aec9709b07756b7cb222ed
SHA256: f59dd5a89944cf27a3ac218a6e786e51a018ab1165e0a942aad70df87b6d65ee
SHA512: 639caaeba6905b45bc12529712f1cb971197277f6e18ab3e1fededdef9021b9eb73a47654fbab4c3f50ba71b8d6eeedd9ca408898d62ce214528c7dbba051126

Filesize: 5.2MB
MD5: f96666ce65504d97d51d2f57b939cbf9
SHA1: 15aaf0d27b98e54e430ba8a59d4bf717e273db6d
SHA256: 84bab327419c7439356d987e32c73cd51659d87d607af2375d4efc7b21825441
SHA512: bf4abe33f1848354a98cc8a140eaedf023bfe0c2cd7e91c463edefeac476fa3c88eb8fe20ac1328fdba2bcf85ec5f6b9ade9163e208ada018ab77c26f3e01ec0

Filesize: 5.2MB
MD5: 9f987f2a5c5c225d5e38ebb5bdbd3c6e
SHA1: 75245d5655023532cf8c6ccedd007cfa96c7815a
SHA256: bb25ea0c879cc324b86d898771c57546c75683f26e071e01e3873169bf2b844f
SHA512: 22040c24c710c60b07300a4aadb3c758856fb1d97cb28c192bbd8bc01434dc38ab8d0d669f6a406369052f16c078fe35dccef31d7b16391dfd3a314a82ae4b21

Filesize: 5.2MB
MD5: 0fed4b25c7b63359988a989d311876a4
SHA1: 55fd5df89a53dc30af2a035af212c44bd662a10e
SHA256: 4c886efdb8ab0601d4fb4126fdf2cc7d783ea05ab9197c3d8a703e46fdc294b8
SHA512: bc8bf991bb3fc4c4970d1516035da356a1175cbae409c09ecb67045bb73912abf2883232ec8033c869115bfadc89d063a7ea18d7e94952cf8cbbeaa8f51d8039

Filesize: 5.2MB
MD5: 2d85823a5546ded18d70f6131307a64e
SHA1: 7ce4062a4c9dc57581de7a4a03245ce85028cbac
SHA256: faf4cb2af8158b9b41ef8cde1c342ce4f128672e02350bf62b4a15538e93e9db
SHA512: b40e430031f3fb54217b19be584588f1bef5ea9c7e7465a46c6fa2e6a02e44172615a0f249c7a4dbbba6337fd580a457f966ec80ef9d98cb941d490de554f6c4

Filesize: 5.2MB
MD5: d0460bb2a5535bfce3f3af8070703064
SHA1: b0daa3b68a74dbbb83e42d348fe9f14fb22816a5
SHA256: 8902f0bb2cf89671346963c8c86d4c8f7a80edb70d6e1651addf3a4fc7c231b7
SHA512: 77766ddbfa274d8e0a5b383584baf46d4e77428b01028d5105e700bedfb5b27be45986241daca28d5a7f10c39490e49ec206caf2b14af06ad2c0983e73d9db9c

Filesize: 5.2MB
MD5: cd01f3cc5895789b15201608abc436e5
SHA1: a79baf72b6bf22e3992fb8660613e0e0c23b8f9d
SHA256: d2b45647760247eda46af8056d1c871e23fe31e07c7aae6f3635f115c699d8b9
SHA512: 6a62c21cd401531e898ab6bb53f0d784dc98656a5825f9e4f52114bd64168cf64bd51f3d34303f31ddc1f74c34244bdaaa8b68c19052cfc15082aaf655f2405d

Filesize: 5.2MB
MD5: aac3403fdbc5b04a9cc76ae9cde6d09a
SHA1: 40f7a0fd4dbdd6dd7e3e2ad790adbb73427e6cf9
SHA256: 41522a1206fda750c725b12ed3ef1adf33075a7d1766c87f03a9e124f2c32de3
SHA512: 7474388db3c0379f24bca8c9f12770c819ed68b14172325ff2d1e4a411c495576ff174f652d66e64205e9cb13b5fc9ecb7ae92b276732187d60e6aa44dad388d

Filesize: 5.2MB
MD5: e4d320f6c423c3302af13cef21e32698
SHA1: 3471d83f80deab0e849b807a7123f517d4004a9a
SHA256: 4b04c477a531cb9bad76aff60642a9a57a7712ba9b6bf700f011c86a1654a935
SHA512: 027cd4713339ebcc1fef983fc49f132f716d464946592a97396b192ee06782d8c1fc35ef9c9370f74c6662890d5fa0ef217a32ac53894b9d11e2643916f2346b

Filesize: 5.2MB
MD5: 58a29fbe125f168e068e8629429dd924
SHA1: 907639a28032fcb83ffd71fb53175349d7494521
SHA256: 381455e3f520aae1a122e7f4c21d9aefcfb19a98a95982bc54bd7da026cdc422
SHA512: ad805f2f970cdf6e63b9a636c020e19d370d91fa2b12065d8334b6ddd2b35b8c3aa7cc47a633297440b9c80d9c5fd9346b50957670f44d8e6830c1049ddef30a

Filesize: 5.2MB
MD5: 63e26d4335d8ec305905e732824ce490
SHA1: f74bd500c8772de3a0f90205d9f0ab98a920fd73
SHA256: 2e79a1de04e5784b7eda1b1b49ebf0a505ece0d9de4e2a76eb253b4c6f9cad2f
SHA512: 31be3bdde39cf11a8f02387a382cdb17ec7bb4998ecae574cf05b076fab4e92ea650124ec3e92bd04d697bf12dd3ea91c4a19546facf2be823d2bdef74ff2087

Filesize: 5.2MB
MD5: 555dca9c8ec0a146d9abc35c7f2b76f4
SHA1: 4d1226589516c3082937975f0ca630a2a97daf15
SHA256: 7af4b6cf135adae6f01f6cd37cbbfdb234442facf3b037a5a539ed15b2e1a5c2
SHA512: fdf3d869a88e9869932729106ac6d14e5e92ddf832035dff7cef21b64d916ef401a3bb56682222cc8fe728f939fd133bd09d1b2d7e164a654ae3f956dd9cc04a