Analysis
max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/08/2024, 11:23

Behavioral task
behavioral1
Sample: 2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe
Resource: win7-20240729-en

General
Target: 2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe
Size: 5.2MB
MD5: 16e74e4d3f6c08a4e610deb189b41023
SHA1: 154bd7e5c389959001eefe21ae1e0d9a1933e67a
SHA256: 333e58bb3a5a406fdf706e8be1fd15043bf203cd5e231af3b8d7e373909e3c60
SHA512: e91234beed5b6ea5371b40db4e2cc7ea8368341d3f5d2a794f2f6942dd3714ee384f9aef7c79039dcff6c7f9629a6779e44b9b89683ef0a7aa1f2b9ae6c56bba
SSDEEP: 49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l7:RWWBibf56utgpPFotBER/mQ32lUP
Malware Config
Extracted
Family: cobaltstrike
Botnet: 0
C2:
  http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
  http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
  http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
Attributes:
  access_type: 512
  beacon_type: 256
  create_remote_thread: 768
  crypto_scheme: 256
  host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
  http_header1: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
  http_header2: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
  http_method1: GET
  http_method2: POST
  maxdns: 255
  pipe_name: \\%s\pipe\msagent_%x
  polling_time: 5000
  port_number: 443
  sc_process32: %windir%\syswow64\rundll32.exe
  sc_process64: %windir%\sysnative\rundll32.exe
  state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
  unknown1: 4096
  unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
  uri: /N4215/adj/amzn.us.sr.aps
  user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
  watermark: 0
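The http_header1, http_header2 and state_machine values above are raw Beacon configuration fields and are unreadable as printed. The Python below is an added worked example, not part of the tria.ge report or its tooling. It treats each http_header blob as a Malleable C2 client transform list (32-bit big-endian opcodes, each followed by an optional length-prefixed string or 32-bit argument, terminated by opcode 0) and the state_machine value as a base64 DER SubjectPublicKeyInfo holding the team server's RSA public key. The opcode table and the naming of the build target (0 is metadata in http-get, 0 is id and 1 is output in http-post) follow the layout used by public Beacon config parsers; they are that interpretation, not something the report itself states. Decoded, the two blobs are the client blocks of the publicly available amazon.profile Malleable C2 profile (Host www.amazon.com, metadata in a Cookie header, POST to /N4215/adj/amzn.us.sr.aps with base64 output), and the key is RSA-1024 with e = 65537.

```python
import base64
import struct

# Copied verbatim from the extracted config above (fixed-size, zero-padded fields).
HTTP_HEADER1 = "AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="
HTTP_HEADER2 = "AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA=="
STATE_MACHINE = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="

# Transform opcodes as interpreted by public Beacon config parsers (assumed layout).
# 9/10 are literal "k=v" / "Name: value" strings from the client block; 5/6 name the
# parameter/header that receives the transformed data.
STRING_OPS = {1: "append", 2: "prepend", 5: "data->parameter", 6: "data->header",
              9: "parameter", 10: "header", 16: "host-header"}
BARE_OPS = {3: "base64", 4: "print", 8: "netbios", 11: "netbiosu",
            12: "uri-append", 13: "base64url", 15: "mask"}
BUILD, STRREP = 7, 14          # build takes a u32 target; strrep takes two strings


class Reader:
    """Big-endian cursor over a byte buffer."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def u32(self) -> int:
        (v,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return v

    def string(self) -> str:
        n = self.u32()
        s = self.data[self.pos:self.pos + n].decode("latin-1")
        self.pos += n
        return s


def decode_transforms(b64_blob: str, verb: str) -> list:
    """Decode one http transform blob into (statement, argument) tuples.

    verb picks the name of build target 0: "metadata" for GET, "id" for POST;
    target 1 is "output" for both. Opcode 0 terminates the list.
    """
    r = Reader(base64.b64decode(b64_blob))
    out = []
    while r.pos + 4 <= len(r.data):
        op = r.u32()
        if op == 0:
            break
        if op in STRING_OPS:
            out.append((STRING_OPS[op], r.string()))
        elif op in BARE_OPS:
            out.append((BARE_OPS[op], None))
        elif op == BUILD:
            target = r.u32()
            names = {0: "metadata" if verb == "GET" else "id", 1: "output"}
            out.append(("build", names.get(target, str(target))))
        elif op == STRREP:
            out.append(("strrep", (r.string(), r.string())))
        else:
            raise ValueError(f"unknown transform opcode {op} at offset {r.pos - 4}")
    return out


def parse_rsa_spki(b64_key: str) -> tuple:
    """Parse a DER SubjectPublicKeyInfo for rsaEncryption; return (modulus, exponent)."""
    der = base64.b64decode(b64_key)
    pos = 0

    def tlv(expect_tag: int):
        nonlocal pos
        tag, length = der[pos], der[pos + 1]
        pos += 2
        if length & 0x80:                      # long form: low 7 bits = number of length bytes
            n = length & 0x7F
            length = int.from_bytes(der[pos:pos + n], "big")
            pos += n
        if tag != expect_tag:
            raise ValueError(f"expected tag {expect_tag:#x}, got {tag:#x}")
        return pos, length

    tlv(0x30)                                  # SubjectPublicKeyInfo SEQUENCE
    start, length = tlv(0x30)                  # AlgorithmIdentifier: OID rsaEncryption + NULL
    if der[start:start + length] != bytes.fromhex("06092a864886f70d0101010500"):
        raise ValueError("not rsaEncryption")
    pos = start + length
    start, length = tlv(0x03)                  # BIT STRING; first byte = unused bits (0)
    pos = start + 1
    tlv(0x30)                                  # RSAPublicKey SEQUENCE
    start, length = tlv(0x02)                  # modulus n
    n = int.from_bytes(der[start:start + length], "big")
    pos = start + length
    start, length = tlv(0x02)                  # public exponent e
    e = int.from_bytes(der[start:start + length], "big")
    return n, e


if __name__ == "__main__":
    for verb, blob in (("GET", HTTP_HEADER1), ("POST", HTTP_HEADER2)):
        print(f"http-{verb.lower()} client transforms:")
        for stmt, arg in decode_transforms(blob, verb):
            print(f"  {stmt}" + (f" {arg!r}" if arg is not None else ""))
    n, e = parse_rsa_spki(STATE_MACHINE)
    print(f"team server RSA key: {n.bit_length()} bits, e={e}")
```

The decoded GET block is header Accept, header Host, then metadata built as base64 with the session-token=/skin=noskin; prefixes and the csm-hit suffix placed in a Cookie header; the POST block carries the session id in the sn parameter and base64-printed output. Matching these against known public profiles is a quick way to tell a stock profile from an operator-customised one.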
Signatures

Cobalt Strike reflective loader (21 IoCs)
Detects the reflective loader used by Cobalt Strike.
yara_rule cobalt_reflective_dll matched these resources:
behavioral2/files/0x00080000000234bc-5.dat
behavioral2/files/0x00070000000234c0-14.dat
behavioral2/files/0x00070000000234c1-11.dat
behavioral2/files/0x00070000000234c2-31.dat
behavioral2/files/0x00070000000234c3-23.dat
behavioral2/files/0x00070000000234c8-47.dat
behavioral2/files/0x00070000000234c9-58.dat
behavioral2/files/0x00070000000234cc-76.dat
behavioral2/files/0x00070000000234ce-93.dat
behavioral2/files/0x00080000000234bd-112.dat
behavioral2/files/0x00070000000234d0-114.dat
behavioral2/files/0x00070000000234cf-110.dat
behavioral2/files/0x00070000000234cd-91.dat
behavioral2/files/0x00070000000234ca-81.dat
behavioral2/files/0x00070000000234cb-85.dat
behavioral2/files/0x00070000000234c5-55.dat
behavioral2/files/0x00070000000234c7-54.dat
behavioral2/files/0x00070000000234c6-48.dat
behavioral2/files/0x00070000000234c4-50.dat
behavioral2/files/0x00070000000234d3-136.dat
behavioral2/files/0x00070000000234d1-143.dat

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.

XMRig Miner payload (45 IoCs)
yara_rule xmrig matched these memory regions:
behavioral2/memory/1792-105-0x00007FF6DE660000-0x00007FF6DE9B1000-memory.dmp
behavioral2/memory/1824-107-0x00007FF712330000-0x00007FF712681000-memory.dmp
behavioral2/memory/5048-90-0x00007FF660EB0000-0x00007FF661201000-memory.dmp
behavioral2/memory/1388-66-0x00007FF6E7240000-0x00007FF6E7591000-memory.dmp
behavioral2/memory/4576-53-0x00007FF7E9120000-0x00007FF7E9471000-memory.dmp
behavioral2/memory/3352-37-0x00007FF718C90000-0x00007FF718FE1000-memory.dmp
behavioral2/memory/3264-121-0x00007FF6CCFE0000-0x00007FF6CD331000-memory.dmp
behavioral2/memory/3364-134-0x00007FF72E2B0000-0x00007FF72E601000-memory.dmp
behavioral2/memory/4468-128-0x00007FF68B5C0000-0x00007FF68B911000-memory.dmp
behavioral2/memory/1828-126-0x00007FF79B2C0000-0x00007FF79B611000-memory.dmp
behavioral2/memory/4972-124-0x00007FF728240000-0x00007FF728591000-memory.dmp
behavioral2/memory/2008-119-0x00007FF775BC0000-0x00007FF775F11000-memory.dmp
behavioral2/memory/2528-118-0x00007FF79A980000-0x00007FF79ACD1000-memory.dmp
behavioral2/memory/1216-117-0x00007FF611910000-0x00007FF611C61000-memory.dmp
behavioral2/memory/4004-141-0x00007FF62B5D0000-0x00007FF62B921000-memory.dmp
behavioral2/memory/1216-146-0x00007FF611910000-0x00007FF611C61000-memory.dmp
behavioral2/memory/3604-144-0x00007FF7EC040000-0x00007FF7EC391000-memory.dmp
behavioral2/memory/644-140-0x00007FF723820000-0x00007FF723B71000-memory.dmp
behavioral2/memory/3996-130-0x00007FF6A9440000-0x00007FF6A9791000-memory.dmp
behavioral2/memory/1268-125-0x00007FF668320000-0x00007FF668671000-memory.dmp
behavioral2/memory/4968-147-0x00007FF6E4600000-0x00007FF6E4951000-memory.dmp
behavioral2/memory/536-148-0x00007FF770E70000-0x00007FF7711C1000-memory.dmp
behavioral2/memory/1216-149-0x00007FF611910000-0x00007FF611C61000-memory.dmp
behavioral2/memory/1416-160-0x00007FF645250000-0x00007FF6455A1000-memory.dmp
behavioral2/memory/2528-208-0x00007FF79A980000-0x00007FF79ACD1000-memory.dmp
behavioral2/memory/2008-210-0x00007FF775BC0000-0x00007FF775F11000-memory.dmp
behavioral2/memory/3352-212-0x00007FF718C90000-0x00007FF718FE1000-memory.dmp
behavioral2/memory/3264-214-0x00007FF6CCFE0000-0x00007FF6CD331000-memory.dmp
behavioral2/memory/4576-216-0x00007FF7E9120000-0x00007FF7E9471000-memory.dmp
behavioral2/memory/1388-218-0x00007FF6E7240000-0x00007FF6E7591000-memory.dmp
behavioral2/memory/4972-231-0x00007FF728240000-0x00007FF728591000-memory.dmp
behavioral2/memory/1268-233-0x00007FF668320000-0x00007FF668671000-memory.dmp
behavioral2/memory/1828-230-0x00007FF79B2C0000-0x00007FF79B611000-memory.dmp
behavioral2/memory/5048-235-0x00007FF660EB0000-0x00007FF661201000-memory.dmp
behavioral2/memory/1792-237-0x00007FF6DE660000-0x00007FF6DE9B1000-memory.dmp
behavioral2/memory/3996-239-0x00007FF6A9440000-0x00007FF6A9791000-memory.dmp
behavioral2/memory/3364-245-0x00007FF72E2B0000-0x00007FF72E601000-memory.dmp
behavioral2/memory/1824-244-0x00007FF712330000-0x00007FF712681000-memory.dmp
behavioral2/memory/4468-247-0x00007FF68B5C0000-0x00007FF68B911000-memory.dmp
behavioral2/memory/644-242-0x00007FF723820000-0x00007FF723B71000-memory.dmp
behavioral2/memory/4968-253-0x00007FF6E4600000-0x00007FF6E4951000-memory.dmp
behavioral2/memory/3604-251-0x00007FF7EC040000-0x00007FF7EC391000-memory.dmp
behavioral2/memory/536-250-0x00007FF770E70000-0x00007FF7711C1000-memory.dmp
behavioral2/memory/4004-258-0x00007FF62B5D0000-0x00007FF62B921000-memory.dmp
behavioral2/memory/1416-260-0x00007FF645250000-0x00007FF6455A1000-memory.dmp

Executes dropped EXE (21 IoCs)
pid   Process
2528  wsMBrgo.exe
2008  dedwTNZ.exe
3264  oJTeMEp.exe
3352  xVscyvA.exe
4576  qCnPgrt.exe
1388  GlKXYCQ.exe
4972  NaBRSai.exe
1268  aXHnyaT.exe
1828  TVcrzHf.exe
5048  CxcBICE.exe
4468  DnznMpS.exe
1792  chrXRUp.exe
3996  xlWwmUY.exe
3364  nOvrYXl.exe
1824  MhwycNl.exe
644   VTEVSgJ.exe
3604  jToVWfj.exe
4968  QcdCgjo.exe
536   VKeGVLe.exe
4004  DDkCgOv.exe
1416  ZdquIqY.exe

UPX-packed resources (yara_rule upx)
yara_rule upx matched these resources:
behavioral2/memory/1216-0-0x00007FF611910000-0x00007FF611C61000-memory.dmp
behavioral2/files/0x00080000000234bc-5.dat
behavioral2/files/0x00070000000234c0-14.dat
behavioral2/files/0x00070000000234c1-11.dat
behavioral2/memory/2528-8-0x00007FF79A980000-0x00007FF79ACD1000-memory.dmp
behavioral2/files/0x00070000000234c2-31.dat
behavioral2/files/0x00070000000234c3-23.dat
behavioral2/memory/2008-18-0x00007FF775BC0000-0x00007FF775F11000-memory.dmp
behavioral2/memory/3264-28-0x00007FF6CCFE0000-0x00007FF6CD331000-memory.dmp
behavioral2/files/0x00070000000234c8-47.dat
behavioral2/files/0x00070000000234c9-58.dat
behavioral2/files/0x00070000000234cc-76.dat
behavioral2/memory/644-89-0x00007FF723820000-0x00007FF723B71000-memory.dmp
behavioral2/files/0x00070000000234ce-93.dat
behavioral2/memory/1792-105-0x00007FF6DE660000-0x00007FF6DE9B1000-memory.dmp
behavioral2/files/0x00080000000234bd-112.dat
behavioral2/files/0x00070000000234d0-114.dat
behavioral2/memory/536-113-0x00007FF770E70000-0x00007FF7711C1000-memory.dmp
behavioral2/files/0x00070000000234cf-110.dat
behavioral2/memory/3604-109-0x00007FF7EC040000-0x00007FF7EC391000-memory.dmp
behavioral2/memory/4968-108-0x00007FF6E4600000-0x00007FF6E4951000-memory.dmp
behavioral2/memory/1824-107-0x00007FF712330000-0x00007FF712681000-memory.dmp
behavioral2/memory/4468-99-0x00007FF68B5C0000-0x00007FF68B911000-memory.dmp
behavioral2/files/0x00070000000234cd-91.dat
behavioral2/memory/5048-90-0x00007FF660EB0000-0x00007FF661201000-memory.dmp
behavioral2/memory/3364-84-0x00007FF72E2B0000-0x00007FF72E601000-memory.dmp
behavioral2/files/0x00070000000234ca-81.dat
behavioral2/files/0x00070000000234cb-85.dat
behavioral2/memory/3996-78-0x00007FF6A9440000-0x00007FF6A9791000-memory.dmp
behavioral2/memory/1268-77-0x00007FF668320000-0x00007FF668671000-memory.dmp
behavioral2/memory/1388-66-0x00007FF6E7240000-0x00007FF6E7591000-memory.dmp
behavioral2/files/0x00070000000234c5-55.dat
behavioral2/memory/4576-53-0x00007FF7E9120000-0x00007FF7E9471000-memory.dmp
behavioral2/files/0x00070000000234c7-54.dat
behavioral2/files/0x00070000000234c6-48.dat
behavioral2/memory/1828-46-0x00007FF79B2C0000-0x00007FF79B611000-memory.dmp
behavioral2/memory/4972-45-0x00007FF728240000-0x00007FF728591000-memory.dmp
behavioral2/files/0x00070000000234c4-50.dat
behavioral2/memory/3352-37-0x00007FF718C90000-0x00007FF718FE1000-memory.dmp
behavioral2/memory/3264-121-0x00007FF6CCFE0000-0x00007FF6CD331000-memory.dmp
behavioral2/memory/3364-134-0x00007FF72E2B0000-0x00007FF72E601000-memory.dmp
behavioral2/files/0x00070000000234d3-136.dat
behavioral2/memory/4468-128-0x00007FF68B5C0000-0x00007FF68B911000-memory.dmp
behavioral2/memory/1828-126-0x00007FF79B2C0000-0x00007FF79B611000-memory.dmp
behavioral2/memory/4972-124-0x00007FF728240000-0x00007FF728591000-memory.dmp
behavioral2/memory/2008-119-0x00007FF775BC0000-0x00007FF775F11000-memory.dmp
behavioral2/memory/2528-118-0x00007FF79A980000-0x00007FF79ACD1000-memory.dmp
behavioral2/memory/1216-117-0x00007FF611910000-0x00007FF611C61000-memory.dmp
behavioral2/memory/4004-141-0x00007FF62B5D0000-0x00007FF62B921000-memory.dmp
behavioral2/memory/1416-142-0x00007FF645250000-0x00007FF6455A1000-memory.dmp
behavioral2/memory/1216-146-0x00007FF611910000-0x00007FF611C61000-memory.dmp
behavioral2/memory/3604-144-0x00007FF7EC040000-0x00007FF7EC391000-memory.dmp
behavioral2/files/0x00070000000234d1-143.dat
behavioral2/memory/644-140-0x00007FF723820000-0x00007FF723B71000-memory.dmp
behavioral2/memory/3996-130-0x00007FF6A9440000-0x00007FF6A9791000-memory.dmp
behavioral2/memory/1268-125-0x00007FF668320000-0x00007FF668671000-memory.dmp
behavioral2/memory/4968-147-0x00007FF6E4600000-0x00007FF6E4951000-memory.dmp
behavioral2/memory/536-148-0x00007FF770E70000-0x00007FF7711C1000-memory.dmp
behavioral2/memory/1216-149-0x00007FF611910000-0x00007FF611C61000-memory.dmp
behavioral2/memory/1416-160-0x00007FF645250000-0x00007FF6455A1000-memory.dmp
behavioral2/memory/2528-208-0x00007FF79A980000-0x00007FF79ACD1000-memory.dmp
behavioral2/memory/2008-210-0x00007FF775BC0000-0x00007FF775F11000-memory.dmp
behavioral2/memory/3352-212-0x00007FF718C90000-0x00007FF718FE1000-memory.dmp
behavioral2/memory/3264-214-0x00007FF6CCFE0000-0x00007FF6CD331000-memory.dmp

Drops file in Windows directory (21 IoCs)
Files created by 2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe:
C:\Windows\System\nOvrYXl.exe
C:\Windows\System\QcdCgjo.exe
C:\Windows\System\ZdquIqY.exe
C:\Windows\System\DDkCgOv.exe
C:\Windows\System\oJTeMEp.exe
C:\Windows\System\chrXRUp.exe
C:\Windows\System\VTEVSgJ.exe
C:\Windows\System\NaBRSai.exe
C:\Windows\System\xVscyvA.exe
C:\Windows\System\GlKXYCQ.exe
C:\Windows\System\aXHnyaT.exe
C:\Windows\System\DnznMpS.exe
C:\Windows\System\xlWwmUY.exe
C:\Windows\System\MhwycNl.exe
C:\Windows\System\VKeGVLe.exe
C:\Windows\System\wsMBrgo.exe
C:\Windows\System\qCnPgrt.exe
C:\Windows\System\TVcrzHf.exe
C:\Windows\System\CxcBICE.exe
C:\Windows\System\jToVWfj.exe
C:\Windows\System\dedwTNZ.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Token SeLockMemoryPrivilege enabled by PID 1216 (2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe), recorded twice.

Suspicious use of WriteProcessMemory (42 IoCs)
PID 1216 (2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe) wrote to the memory of each child PID below twice; procid_target is in parentheses:
2528 (85), 2008 (86), 3352 (87), 3264 (88), 4576 (89), 1388 (90), 4972 (91), 1268 (92), 1828 (93), 5048 (94), 4468 (95), 1792 (96), 3996 (97), 3364 (98), 1824 (99), 644 (100), 3604 (101), 4968 (102), 536 (103), 1416 (104), 4004 (105)
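Taken together, the signatures above describe one behaviour: the sample (PID 1216) writes 21 executables with seven-letter random names into C:\Windows\System, launches every one of them, and enables SeLockMemoryPrivilege, the privilege XMRig needs to back its scratchpad with large pages. Legitimate software almost never writes executables into that legacy directory, so the combination is a workable detection. The Python below is an added example, not part of the tria.ge report or its tooling: it replays the report's IoCs as constructed Sysmon-style FileCreate, ProcessCreate and privilege records (the dict layout is an assumption made for the example) and correlates them per parent process.

```python
import re
from collections import defaultdict

PARENT = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe")

# (child pid, dropped executable) pairs from the "Executes dropped EXE" signature.
DROPPED = [
    (2528, "wsMBrgo.exe"), (2008, "dedwTNZ.exe"), (3264, "oJTeMEp.exe"), (3352, "xVscyvA.exe"),
    (4576, "qCnPgrt.exe"), (1388, "GlKXYCQ.exe"), (4972, "NaBRSai.exe"), (1268, "aXHnyaT.exe"),
    (1828, "TVcrzHf.exe"), (5048, "CxcBICE.exe"), (4468, "DnznMpS.exe"), (1792, "chrXRUp.exe"),
    (3996, "xlWwmUY.exe"), (3364, "nOvrYXl.exe"), (1824, "MhwycNl.exe"), (644, "VTEVSgJ.exe"),
    (3604, "jToVWfj.exe"), (4968, "QcdCgjo.exe"), (536, "VKeGVLe.exe"), (4004, "DDkCgOv.exe"),
    (1416, "ZdquIqY.exe"),
]

# Executables directly under C:\Windows\System (not System32); seven-letter random names.
SYSTEM_DIR = re.compile(r"^C:\\Windows\\System\\[^\\]+\.exe$", re.IGNORECASE)
RANDOM_NAME = re.compile(r"^[A-Za-z]{7}\.exe$")


def constructed_events() -> list:
    """Constructed Sysmon-like event stream built from the report's IoCs (sample data)."""
    events = [{"type": "PrivilegeAdjust", "pid": 1216, "image": PARENT,
               "privilege": "SeLockMemoryPrivilege"}]
    for pid, name in DROPPED:
        path = r"C:\Windows\System" + "\\" + name
        events.append({"type": "FileCreate", "pid": 1216, "image": PARENT, "target": path})
        events.append({"type": "ProcessCreate", "pid": pid, "image": path,
                       "parent_pid": 1216, "parent_image": PARENT})
    return events


def correlate(events: list) -> dict:
    """Per parent PID: executables it wrote under C:\\Windows\\System, which of those it
    later launched as children, and any privileges it enabled."""
    state = defaultdict(lambda: {"dropped": {}, "executed": set(), "privileges": set()})
    for ev in events:
        if ev["type"] == "FileCreate" and SYSTEM_DIR.match(ev["target"]):
            state[ev["pid"]]["dropped"][ev["target"].lower()] = ev["target"]
        elif ev["type"] == "ProcessCreate":
            parent = state.get(ev["parent_pid"])          # .get() avoids creating entries
            key = ev["image"].lower()
            if parent and key in parent["dropped"]:       # only files this parent wrote
                parent["executed"].add(parent["dropped"][key])
        elif ev["type"] == "PrivilegeAdjust":
            state[ev["pid"]]["privileges"].add(ev["privilege"])
    return state


def detect(events: list, min_executed: int = 3) -> list:
    """One alert per parent that wrote and then ran >= min_executed executables in
    C:\\Windows\\System. Uniformly random names and SeLockMemoryPrivilege raise the score."""
    alerts = []
    for pid, s in correlate(events).items():
        if len(s["executed"]) < min_executed:
            continue
        names = [p.rsplit("\\", 1)[-1] for p in s["executed"]]
        all_random = all(RANDOM_NAME.match(n) for n in names)
        lock_mem = "SeLockMemoryPrivilege" in s["privileges"]
        alerts.append({"parent_pid": pid, "executed": len(s["executed"]),
                       "all_random_names": all_random, "lock_memory_privilege": lock_mem,
                       "score": 50 + 10 * all_random + 20 * lock_mem})
    return alerts


if __name__ == "__main__":
    for alert in detect(constructed_events()):
        print(alert)
```

The threshold of three is deliberately low: a single drop-and-execute into C:\Windows\System is already unusual, but requiring a small fan-out keeps one-off installers from paging anyone, while the privilege and name-shape signals separate a miner loader from an odd but benign deployment tool.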
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe (PID 1216)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes, each started with its own path as the command line and each flagged "Executes dropped EXE":
    C:\Windows\System\wsMBrgo.exe (PID 2528)
    C:\Windows\System\dedwTNZ.exe (PID 2008)
    C:\Windows\System\xVscyvA.exe (PID 3352)
    C:\Windows\System\oJTeMEp.exe (PID 3264)
    C:\Windows\System\qCnPgrt.exe (PID 4576)
    C:\Windows\System\GlKXYCQ.exe (PID 1388)
    C:\Windows\System\NaBRSai.exe (PID 4972)
    C:\Windows\System\aXHnyaT.exe (PID 1268)
    C:\Windows\System\TVcrzHf.exe (PID 1828)
    C:\Windows\System\CxcBICE.exe (PID 5048)
    C:\Windows\System\DnznMpS.exe (PID 4468)
    C:\Windows\System\chrXRUp.exe (PID 1792)
    C:\Windows\System\xlWwmUY.exe (PID 3996)
    C:\Windows\System\nOvrYXl.exe (PID 3364)
    C:\Windows\System\MhwycNl.exe (PID 1824)
    C:\Windows\System\VTEVSgJ.exe (PID 644)
    C:\Windows\System\jToVWfj.exe (PID 3604)
    C:\Windows\System\QcdCgjo.exe (PID 4968)
    C:\Windows\System\VKeGVLe.exe (PID 536)
    C:\Windows\System\ZdquIqY.exe (PID 1416)
    C:\Windows\System\DDkCgOv.exe (PID 4004)
Downloads (21 files, each 5.2MB)

File 1
  Filesize 5.2MB
  MD5    1e88355934e1c76f8faf24a85e911d78
  SHA1   c7ee8166629e6436578f72462ec2938f3540da01
  SHA256 4391def8227ad136c3d1855628e47552e062a61f614765d6f71c01ec3628fbad
  SHA512 e059f34bdaf6ce9d5bea7a62d89d6ec93bcee240043873f83b7626da863b96fc9f8d04b10462efbf4ca30e9ca954078b78218eaec0374eaf8682c65548353e30

File 2
  Filesize 5.2MB
  MD5    f367131435f778c259e37beda3a41be7
  SHA1   01a23fe7c1b8a669310ed23e5353a440c8722639
  SHA256 7aa0c19175dc23fcb695df50b166c30b1af9dcdd8a1e25c95b5eb3ad9c6c70e4
  SHA512 d44aaeaff99b3d3c3a2b9d06ee09dce49a3f715bf999a3f71ce7b402387672328a4b1b2ca95fb7f16388e40e4a795e6e424d02e6f86defdbdb21bad089a66b6e

File 3
  Filesize 5.2MB
  MD5    9a317a1ae20db8b82588bcd5d3021112
  SHA1   5080e0904a07a89a76873153a313eefb62ae308d
  SHA256 5e17c68636816639df46296189e316418a43480dbc3b381a3e67970167aa148e
  SHA512 4852cc255b2e7c1e4ce48452e7e8e073396863668419d5c44cd587c43cdbb857b9a9ecfef26f826795b8f05bd9883edae7e185e9a5f9a6d9fb15b04358e135ed

File 4
  Filesize 5.2MB
  MD5    c778f52e77dac06597d248bb4a7a9c31
  SHA1   f050c1a5115e09de219bd2e461f536fa55672d93
  SHA256 0d8768a396e71c2ffa513643e3ca1c2a37dd98c1bc09f61243f0bb61d6e4aa05
  SHA512 45edd6af20e5dd13e9fe01607344ac91ff4922dbf36cecc69a75af483b652e16ff497b5897b5af4ae50a37355d07f6b86bca90961aacc60af505c7d6b0581901

File 5
  Filesize 5.2MB
  MD5    550828611639ef63a2ed46e238470c07
  SHA1   c3a6f823f29fd821c124d98744c0110c481d0d8b
  SHA256 09c3f6c2d14f90d10b515b7479ad0dd335bd3b6a0691234be51470ebe06e9eaf
  SHA512 1efecf95430f69769abc92712ea893f4b489ec53232daef9e156640298903030db8e4c8e6038677b4796fc0e362b6ffa9c406f72bb412a520fd7c10f803f36e4

File 6
  Filesize 5.2MB
  MD5    d44c3c5653147f3ed9ed15d152a5d0c6
  SHA1   56feff4e041cda6fe8722c3586899b43e2859acf
  SHA256 5cc06c5366ff7fbeb6ec030e063ad6d639db9a9fc4bd2877b80b2e21f939eb03
  SHA512 e0501c284878dac9ce748f687ff295f1c334de8f2a1c4b6bf27169968e63a883774745ee222ffca6b241b243574961f5ac0f7682fedd6a9d65c894d7817cddbb

File 7
  Filesize 5.2MB
  MD5    4a249fa5e484239e3d88101e637c8842
  SHA1   143ccc518c2b924a9c7bcea74a85092731141861
  SHA256 27ad84f6e0d1068fb23a8c2c6077492aeb8abf54658a0963c9a35ba4cd74e6a9
  SHA512 ecc1818f8e4612306fe6adfcb37405aa2e4b2f4885e1ca72502332819fadc3a4e67d931970b7d04481e66ab5a0c93c1fd3410b9c654d67dc5563f434f08a753e

File 8
  Filesize 5.2MB
  MD5    ff4eb7a43c5b64b04f659fb44017a589
  SHA1   8c410fb5aefa9646f501d837aa7d81728ce7d613
  SHA256 b432719d3aec341f75ea4be2c232d8d504e603fffdc9935c0f2dce211db6179c
  SHA512 dec50b8a429cacdc9ceb73bc9bb830c47ee6bfe1a404237a2b5767f51f6ce00c6cbe46190bdf7c8b699103b0818e31df50fd45b824f569a06ddf819e508f4bd9

File 9
  Filesize 5.2MB
  MD5    89ddad8765e18382e8e32cdccb473436
  SHA1   4018a9d2099d1c7611aa43eeae99dc0743b247a3
  SHA256 2a46391c0990656cb2b2a8deb0bbc858f0a557eb3eba4441fe80d9e8d50a7f92
  SHA512 9e6e7ead8c9ae1fed03b67ab88ea473d89f724df48c30564e7f70ca33873222d5544059de2543a883d9a1d053a4d39d95611b73f5057d98cdb049977406a6d5e

File 10
  Filesize 5.2MB
  MD5    bc1d12d545efc32b237588db87e5b8cd
  SHA1   1e89a9300d4bd41cbb7cabf4fe71c9ea5b8c82d5
  SHA256 5a4f293e41484899bc2eb3e7054218a15137308719b34ae7de88421843a6ee21
  SHA512 e8a209088fad31ceb1af28c16a16a15d1735cb4d210f7d2dbfacdaae443f3353c4d70aa44e3270767e184dc06ff44bee88e2c7a4ebed574daf9002c573237c7d

File 11
  Filesize 5.2MB
  MD5    ab55e4466cccc10f93a3df772a927cab
  SHA1   5ab99800143c178591410a12530ba5ad1ab13068
  SHA256 9c7ec379a92c7550b705768270dc99a7d00e61b104c4688f77fe2ee56e6001fe
  SHA512 6883c1f87deac79442ad7fede593fcf629ee26f7dff0fe051b4abd485bce451705823437671d1207bc90b28506bf15f36ae9b4d76a966714cc70e74ee9ea25c3

File 12
  Filesize 5.2MB
  MD5    a9986172ee94db607030aa289d6b7f57
  SHA1   4df515f237f1a50bfea56c5818f7238cb925dc4f
  SHA256 1e1b1bb14254c89bb81d34e05c31e924e539d4d01d3fcaa274cd1edec6fcd585
  SHA512 6ec15482013435c35c72806576d2da6e5485cbf9a59695d13aa1309707471d09231a0aaa8f5b085ffb778633fee75cc58b00d1655c77492869ca570939941048

File 13
  Filesize 5.2MB
  MD5    d9d65dfb5d567e77e662899ffff5d99d
  SHA1   edb3439b1fa8d168ef14134487ec513e51361e7a
  SHA256 9b0aea51c5f2c7b46c70d20a06914ef6e4174f0d482cce4514fa8e05dcc873aa
  SHA512 d3870737f98127191525e0a49417571c0a489c9ae31dd9219febfd8af76027fa5bdee6af3b5ec9613606e0f93bbebeb763c909466d43984624b586a8a98127de

File 14
  Filesize 5.2MB
  MD5    7570553c76ffbc3539dbbaee8529588a
  SHA1   e7b8d355347dde3c80b054d98de4147f4de02060
  SHA256 4efb899923b8552ff67e98099e5f31a7a2c5f52c51e871f5b9f3b9ca192f5441
  SHA512 bba4d990235e3e9fe7bbe1a3550fd6ab59c79d2328445f1cffd22003a2d0b2ca6e2506becfe2276fcaf5a51a339b327c2c83472f01367b1508981a3a282a9ad0

File 15
  Filesize 5.2MB
  MD5    7018e80488fbb8ac55e14b0e02bcfde6
  SHA1   138b74352f71ba303a6eaa2b3be3ebdf5f0ee1ad
  SHA256 bfc85b276edae863350917aa95ec9a1caf639328019df17a0f835e7516ea270e
  SHA512 b9bb73de958745f70ca4208666c31f517e522babe008eadf46d67e446c9ca60ab5351b0c25cf1d9e3ddc549742d8e27fb64c9fe2d240ca394c76324566705935

File 16
  Filesize 5.2MB
  MD5    8794f2f1ff6aacbbb8e14e27ed353c8d
  SHA1   f9db2c0b5f2d48d91d3279ebb7eaebfd9de2be3b
  SHA256 088f06caa3de2cf9d7662d03707ace4896ef2de3695013f3aaf38c590ca27004
  SHA512 0dd8755bdbac5971bfeff4bf200f8581e5a221cd0b6deb1081df1bad900516b2dddf4f1e61fefbe575d98caa0e779f5d5430ca7943f58a429144e8b891f67595

File 17
  Filesize 5.2MB
  MD5    2732feb1173e8f79828e102c7ea6ad05
  SHA1   cad90a5fb9752c6f4dcf4d2ee2a0513a33d28af8
  SHA256 8b2e807dfed5439e7da30a0e2cc9e605ca2507a5b343fee5037189e7f15962fb
  SHA512 09c43e4df28aa3783fc247eec822a288f2f6a3cb5418414ff81a100c68732e2da4d1ee854dc402462cd7d7604a54703116bc54d6ef7c4c9846993e70a8359c40

File 18
  Filesize 5.2MB
  MD5    88247d1704873da7a8ba22d82ec2b277
  SHA1   6b22df343c3175fc1332478c7abbfc985ab3050d
  SHA256 edf8ccbf2d9300be602b49dfe85cfa7ad854860393d97ef20d85355a17480f02
  SHA512 798eba54c1b5b83a65fce56cd154cae5a14e81b0b0b72604514df59c8a43d9a721ed42a2edcf60b87eac98e920bf70491e34ed10726dc9c9d7123a65b6044824

File 19
  Filesize 5.2MB
  MD5    2e59b4098d40170192657a26b52055bc
  SHA1   a1b6981df224a60526cd40dc46ae0d6d59e78b05
  SHA256 eb6454ba708a81f50b1277e84094ddd9b36635890e9518b7fee0af6d90116c69
  SHA512 62a22c6768096f31b8ba01d99588a7dce02ab7ca49c3856da908df23f286c66a6b3e0a9abd41ef8291f2ecf896c3ba6ade0426f789ac91f2cd666aa361e8b14a

File 20
  Filesize 5.2MB
  MD5    1062a3bd5d15910607c211b102b0968f
  SHA1   bcac530b9b7273887d07fa5883d01e8b0e027208
  SHA256 1482f69e17eca98cb3e019fcc1afbe18d2c41b3a147279fd06d3e42fbd29f4b6
  SHA512 ab446dab2062442134e03bb5c474dc248d6a3afc91fcd3fbbe635f38da5e0f5f0975a76e26dbc7763b7741c8c48c5983ab7ce22fe51380098b335e224eb4ec75

File 21
  Filesize 5.2MB
  MD5    98e255a984fbe0ff4ec969f7d2c7a1b2
  SHA1   c71acb8f9e48323577df65ccf99aeea42524ac3c
  SHA256 a0607b199aefe1fcd0690692edc17f03866269610d61fa9940c14deb0cbc1fa3
  SHA512 41b58b70f6f2ed912022ab3ad9ebe363a80fad053c71b2f2e9e159942088262c5b3a897b247c3265846153a576a649ba3e44b281e0495f9ccca764f8efd8c040