Analysis
-
max time kernel
142s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
15/08/2024, 11:26
Behavioral task
behavioral1
Sample
2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe
Resource
win7-20240708-en
General
-
Target
2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe
-
Size
5.2MB
-
MD5
31673e4247eae31d066ac22e97907cf3
-
SHA1
c39903c24a15bbe4056405f54210c59b49652486
-
SHA256
9dc08942a9069f8cc18d378a4a19af33a18c4d75ecfd03fe3cbfbbc22d2b077f
-
SHA512
ed518d4d7cbfd8a2c7e19a2977b486171c1a895d2d834e51dce47ad95c55b09a97075463ef41dda6c0ff8f6088dcd1f7b8de5f425f5bb711a4399e072e595dc6
-
SSDEEP
49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lk:RWWBibf56utgpPFotBER/mQ32lUA
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
-
access_type
512
-
beacon_type
256
-
create_remote_thread
768
-
crypto_scheme
256
-
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
-
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
-
http_method1
GET
-
http_method2
POST
-
maxdns
255
-
pipe_name
\\%s\pipe\msagent_%x
-
polling_time
5000
-
port_number
443
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/N4215/adj/amzn.us.sr.aps
-
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
-
watermark
0
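The http_header1 and http_header2 values above are not literal HTTP headers: they are the beacon's Malleable C2 transform blocks for the http-get and http-post client sides, stored as a sequence of big-endian 32-bit step ids, where string arguments carry a 32-bit length prefix and a step id of 0 ends the block. The following is an added example written for this page, not code from Triage or from the open-source beacon parsers whose step-id table it follows (Didier Stevens' 1768.py, SentinelOne's CobaltStrikeParser). It decodes the two blobs copied verbatim from this report and prints them back as profile statements; the step names and the "id" naming of the http-post metadata block are those parsers' conventions, and the trailing-zero trimming in _b64 assumes, as here, that the blob is a fixed-size config slot padded with zero bytes.

```python
import base64
import struct

# Copied verbatim from the http_header1 / http_header2 fields above.
HTTP_HEADER1 = "AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="
HTTP_HEADER2 = "AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA=="

# Step ids of the transform encoding (table as used by 1768.py / CobaltStrikeParser).
# Every step is a big-endian u32; string arguments are u32 length + bytes; 0 ends the block.
STEP_WITH_STRING = {1: "append", 2: "prepend", 5: "parameter", 6: "header",
                    9: "const_parameter", 10: "const_header", 16: "const_host_header"}
STEP_BARE = {3: "base64", 4: "print", 8: "netbios", 11: "netbiosu",
             12: "uri_append", 13: "base64url", 15: "mask"}
BUILD_TARGET = {0: "metadata", 1: "output"}


def _b64(blob: str) -> bytes:
    # The slot is zero-padded, which base64 shows as a run of 'A'. Trim it and re-pad
    # so the decode does not depend on the exact count of trailing characters.
    s = blob.strip().rstrip("=").rstrip("A")
    if len(s) % 4 == 1:          # a lone sextet is undecodable; put one zero sextet back
        s += "A"
    return base64.b64decode(s + "=" * (-len(s) % 4))


def parse_transform(blob_b64: str) -> list:
    """Decode one transform block into a list of (step, *args) tuples."""
    data = _b64(blob_b64)
    pos = 0

    def u32() -> int:
        nonlocal pos
        (value,) = struct.unpack_from(">I", data, pos)
        pos += 4
        return value

    def string() -> str:
        nonlocal pos
        n = u32()
        s = data[pos:pos + n].decode("latin-1")
        pos += n
        return s

    steps = []
    while pos + 4 <= len(data):
        step = u32()
        if step == 0:
            break
        if step in STEP_WITH_STRING:
            steps.append((STEP_WITH_STRING[step], string()))
        elif step == 7:
            steps.append(("build", BUILD_TARGET.get(u32(), "unknown")))
        elif step == 14:
            steps.append(("strrep", string(), string()))
        elif step in STEP_BARE:
            steps.append((STEP_BARE[step],))
        else:
            raise ValueError(f"unknown transform step {step} at offset {pos - 4}")
    return steps


def render_profile(steps: list, block: str) -> str:
    """Render decoded steps as the Malleable C2 client block they encode."""
    lines = [f"{block} {{", "  client {"]
    in_build = False

    def close_build():
        nonlocal in_build
        if in_build:
            lines.append("    }")
            in_build = False

    for st in steps:
        kind = st[0]
        if kind in ("const_header", "const_host_header"):
            close_build()
            lines.append(f'    header "{st[1]}";')
        elif kind == "const_parameter":          # stored as "name=value"
            close_build()
            key, _, value = st[1].partition("=")
            lines.append(f'    parameter "{key}" "{value}";')
        elif kind == "build":                    # opens metadata/output (http-post: id/output)
            close_build()
            name = "id" if block == "http-post" and st[1] == "metadata" else st[1]
            lines.append(f"    {name} {{")
            in_build = True
        elif kind == "strrep":
            lines.append(f'      strrep "{st[1]}" "{st[2]}";')
        elif len(st) == 2:
            lines.append(f'      {kind} "{st[1]}";')
        else:
            lines.append(f"      {kind};")
    close_build()
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_profile(parse_transform(HTTP_HEADER1), "http-get"))
    print(render_profile(parse_transform(HTTP_HEADER2), "http-post"))
```

Run as a script it prints an http-get client block that sends Accept and Host headers and carries base64 metadata in a Cookie header prefixed with session-token= and skin=noskin;, and an http-post block whose id is the sn parameter with base64 output in the body. Together with the uri, user_agent and host values above, that is the stock amazon.profile from the public Malleable-C2-Profiles collection, so the operator did not customise the C2 profile; checking a decoded block against the public profiles is a quick first step before writing network signatures for it.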
Signatures
-
Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
resource yara_rule
behavioral2/files/0x0009000000023368-4.dat cobalt_reflective_dll
behavioral2/files/0x00070000000233bd-10.dat cobalt_reflective_dll
behavioral2/files/0x00070000000233be-11.dat cobalt_reflective_dll
behavioral2/files/0x00070000000233c0-21.dat cobalt_reflective_dll
behavioral2/files/0x00080000000233ba-25.dat cobalt_reflective_dll
behavioral2/files/0x00070000000233c1-35.dat cobalt_reflective_dll
behavioral2/files/0x00070000000233c2-41.dat cobalt_reflective_dll
behavioral2/files/0x00070000000233c3-48.dat cobalt_reflective_dll
behavioral2/files/0x00070000000233c4-55.dat cobalt_reflective_dll
behavioral2/files/0x00070000000233c5-59.dat cobalt_reflective_dll
behavioral2/files/0x00070000000233c7-77.dat cobalt_reflective_dll
behavioral2/files/0x00070000000233c9-85.dat cobalt_reflective_dll
behavioral2/files/0x00070000000233ca-93.dat cobalt_reflective_dll
behavioral2/files/0x00070000000233cc-100.dat cobalt_reflective_dll
behavioral2/files/0x00070000000233ce-107.dat cobalt_reflective_dll
behavioral2/files/0x00070000000233d0-119.dat cobalt_reflective_dll
behavioral2/files/0x00070000000233cf-117.dat cobalt_reflective_dll
behavioral2/files/0x00070000000233cd-108.dat cobalt_reflective_dll
behavioral2/files/0x00070000000233cb-98.dat cobalt_reflective_dll
behavioral2/files/0x00070000000233c8-83.dat cobalt_reflective_dll
behavioral2/files/0x00070000000233c6-70.dat cobalt_reflective_dll
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
XMRig Miner payload 46 IoCs
resource yara_rule
behavioral2/memory/712-30-0x00007FF7BDB70000-0x00007FF7BDEC1000-memory.dmp xmrig
behavioral2/memory/1032-73-0x00007FF7D34B0000-0x00007FF7D3801000-memory.dmp xmrig
behavioral2/memory/3352-66-0x00007FF73BBF0000-0x00007FF73BF41000-memory.dmp xmrig
behavioral2/memory/3056-54-0x00007FF6ED0A0000-0x00007FF6ED3F1000-memory.dmp xmrig
behavioral2/memory/1188-121-0x00007FF7B61A0000-0x00007FF7B64F1000-memory.dmp xmrig
behavioral2/memory/3484-122-0x00007FF6C7C20000-0x00007FF6C7F71000-memory.dmp xmrig
behavioral2/memory/900-124-0x00007FF78C620000-0x00007FF78C971000-memory.dmp xmrig
behavioral2/memory/4940-123-0x00007FF72DDC0000-0x00007FF72E111000-memory.dmp xmrig
behavioral2/memory/4104-125-0x00007FF71E650000-0x00007FF71E9A1000-memory.dmp xmrig
behavioral2/memory/3352-126-0x00007FF73BBF0000-0x00007FF73BF41000-memory.dmp xmrig
behavioral2/memory/4708-130-0x00007FF66A3A0000-0x00007FF66A6F1000-memory.dmp xmrig
behavioral2/memory/4744-129-0x00007FF7BB450000-0x00007FF7BB7A1000-memory.dmp xmrig
behavioral2/memory/776-132-0x00007FF6D7EE0000-0x00007FF6D8231000-memory.dmp xmrig
behavioral2/memory/2560-134-0x00007FF650BE0000-0x00007FF650F31000-memory.dmp xmrig
behavioral2/memory/1516-133-0x00007FF773910000-0x00007FF773C61000-memory.dmp xmrig
behavioral2/memory/992-131-0x00007FF778C90000-0x00007FF778FE1000-memory.dmp xmrig
behavioral2/memory/1880-138-0x00007FF787660000-0x00007FF7879B1000-memory.dmp xmrig
behavioral2/memory/3544-140-0x00007FF662CB0000-0x00007FF663001000-memory.dmp xmrig
behavioral2/memory/4220-137-0x00007FF7694C0000-0x00007FF769811000-memory.dmp xmrig
behavioral2/memory/712-136-0x00007FF7BDB70000-0x00007FF7BDEC1000-memory.dmp xmrig
behavioral2/memory/4280-135-0x00007FF6E0660000-0x00007FF6E09B1000-memory.dmp xmrig
behavioral2/memory/440-141-0x00007FF7992F0000-0x00007FF799641000-memory.dmp xmrig
behavioral2/memory/2716-143-0x00007FF6C85E0000-0x00007FF6C8931000-memory.dmp xmrig
behavioral2/memory/3244-142-0x00007FF6BCC10000-0x00007FF6BCF61000-memory.dmp xmrig
behavioral2/memory/3352-153-0x00007FF73BBF0000-0x00007FF73BF41000-memory.dmp xmrig
behavioral2/memory/1032-203-0x00007FF7D34B0000-0x00007FF7D3801000-memory.dmp xmrig
behavioral2/memory/1188-205-0x00007FF7B61A0000-0x00007FF7B64F1000-memory.dmp xmrig
behavioral2/memory/4280-217-0x00007FF6E0660000-0x00007FF6E09B1000-memory.dmp xmrig
behavioral2/memory/4708-221-0x00007FF66A3A0000-0x00007FF66A6F1000-memory.dmp xmrig
behavioral2/memory/712-220-0x00007FF7BDB70000-0x00007FF7BDEC1000-memory.dmp xmrig
behavioral2/memory/4220-226-0x00007FF7694C0000-0x00007FF769811000-memory.dmp xmrig
behavioral2/memory/1880-227-0x00007FF787660000-0x00007FF7879B1000-memory.dmp xmrig
behavioral2/memory/3544-229-0x00007FF662CB0000-0x00007FF663001000-memory.dmp xmrig
behavioral2/memory/3056-224-0x00007FF6ED0A0000-0x00007FF6ED3F1000-memory.dmp xmrig
behavioral2/memory/3244-233-0x00007FF6BCC10000-0x00007FF6BCF61000-memory.dmp xmrig
behavioral2/memory/2716-235-0x00007FF6C85E0000-0x00007FF6C8931000-memory.dmp xmrig
behavioral2/memory/440-232-0x00007FF7992F0000-0x00007FF799641000-memory.dmp xmrig
behavioral2/memory/3484-248-0x00007FF6C7C20000-0x00007FF6C7F71000-memory.dmp xmrig
behavioral2/memory/2560-254-0x00007FF650BE0000-0x00007FF650F31000-memory.dmp xmrig
behavioral2/memory/992-256-0x00007FF778C90000-0x00007FF778FE1000-memory.dmp xmrig
behavioral2/memory/1516-260-0x00007FF773910000-0x00007FF773C61000-memory.dmp xmrig
behavioral2/memory/776-258-0x00007FF6D7EE0000-0x00007FF6D8231000-memory.dmp xmrig
behavioral2/memory/4104-251-0x00007FF71E650000-0x00007FF71E9A1000-memory.dmp xmrig
behavioral2/memory/900-247-0x00007FF78C620000-0x00007FF78C971000-memory.dmp xmrig
behavioral2/memory/4940-253-0x00007FF72DDC0000-0x00007FF72E111000-memory.dmp xmrig
behavioral2/memory/4744-245-0x00007FF7BB450000-0x00007FF7BB7A1000-memory.dmp xmrig
-
Executes dropped EXE 21 IoCs
pid Process
1032 FjBxCuW.exe
1188 QXZvFVt.exe
4708 YEVKYyq.exe
4280 sfxDGoe.exe
712 lkTjlzX.exe
4220 xNlkhSH.exe
1880 BbZAvGd.exe
3056 HnJgTrX.exe
3544 hCirSkm.exe
440 ADqpiVO.exe
3244 qyJMvnk.exe
2716 bdRJFIs.exe
3484 cgvyYsx.exe
2560 lItmsKe.exe
4940 oWSqqAO.exe
900 VmksQfD.exe
4104 ovFtZMQ.exe
4744 NtHrteb.exe
992 LHlqCnZ.exe
776 cQNubHK.exe
1516 GLDyBYG.exe
-
UPX (yara rule: upx) 64 IoCs
resource yara_rule
behavioral2/memory/3352-0-0x00007FF73BBF0000-0x00007FF73BF41000-memory.dmp upx
behavioral2/files/0x0009000000023368-4.dat upx
behavioral2/memory/1032-7-0x00007FF7D34B0000-0x00007FF7D3801000-memory.dmp upx
behavioral2/files/0x00070000000233bd-10.dat upx
behavioral2/files/0x00070000000233be-11.dat upx
behavioral2/memory/1188-14-0x00007FF7B61A0000-0x00007FF7B64F1000-memory.dmp upx
behavioral2/memory/4708-18-0x00007FF66A3A0000-0x00007FF66A6F1000-memory.dmp upx
behavioral2/files/0x00070000000233c0-21.dat upx
behavioral2/files/0x00080000000233ba-25.dat upx
behavioral2/memory/712-30-0x00007FF7BDB70000-0x00007FF7BDEC1000-memory.dmp upx
behavioral2/files/0x00070000000233c1-35.dat upx
behavioral2/files/0x00070000000233c2-41.dat upx
behavioral2/memory/4220-36-0x00007FF7694C0000-0x00007FF769811000-memory.dmp upx
behavioral2/files/0x00070000000233c3-48.dat upx
behavioral2/memory/3544-52-0x00007FF662CB0000-0x00007FF663001000-memory.dmp upx
behavioral2/files/0x00070000000233c4-55.dat upx
behavioral2/files/0x00070000000233c5-59.dat upx
behavioral2/memory/440-60-0x00007FF7992F0000-0x00007FF799641000-memory.dmp upx
behavioral2/memory/1032-73-0x00007FF7D34B0000-0x00007FF7D3801000-memory.dmp upx
behavioral2/files/0x00070000000233c7-77.dat upx
behavioral2/files/0x00070000000233c9-85.dat upx
behavioral2/files/0x00070000000233ca-93.dat upx
behavioral2/files/0x00070000000233cc-100.dat upx
behavioral2/files/0x00070000000233ce-107.dat upx
behavioral2/files/0x00070000000233d0-119.dat upx
behavioral2/files/0x00070000000233cf-117.dat upx
behavioral2/files/0x00070000000233cd-108.dat upx
behavioral2/files/0x00070000000233cb-98.dat upx
behavioral2/files/0x00070000000233c8-83.dat upx
behavioral2/memory/2716-74-0x00007FF6C85E0000-0x00007FF6C8931000-memory.dmp upx
behavioral2/files/0x00070000000233c6-70.dat upx
behavioral2/memory/3244-69-0x00007FF6BCC10000-0x00007FF6BCF61000-memory.dmp upx
behavioral2/memory/3352-66-0x00007FF73BBF0000-0x00007FF73BF41000-memory.dmp upx
behavioral2/memory/3056-54-0x00007FF6ED0A0000-0x00007FF6ED3F1000-memory.dmp upx
behavioral2/memory/1880-42-0x00007FF787660000-0x00007FF7879B1000-memory.dmp upx
behavioral2/memory/4280-22-0x00007FF6E0660000-0x00007FF6E09B1000-memory.dmp upx
behavioral2/memory/1188-121-0x00007FF7B61A0000-0x00007FF7B64F1000-memory.dmp upx
behavioral2/memory/3484-122-0x00007FF6C7C20000-0x00007FF6C7F71000-memory.dmp upx
behavioral2/memory/900-124-0x00007FF78C620000-0x00007FF78C971000-memory.dmp upx
behavioral2/memory/4940-123-0x00007FF72DDC0000-0x00007FF72E111000-memory.dmp upx
behavioral2/memory/4104-125-0x00007FF71E650000-0x00007FF71E9A1000-memory.dmp upx
behavioral2/memory/3352-126-0x00007FF73BBF0000-0x00007FF73BF41000-memory.dmp upx
behavioral2/memory/4708-130-0x00007FF66A3A0000-0x00007FF66A6F1000-memory.dmp upx
behavioral2/memory/4744-129-0x00007FF7BB450000-0x00007FF7BB7A1000-memory.dmp upx
behavioral2/memory/776-132-0x00007FF6D7EE0000-0x00007FF6D8231000-memory.dmp upx
behavioral2/memory/2560-134-0x00007FF650BE0000-0x00007FF650F31000-memory.dmp upx
behavioral2/memory/1516-133-0x00007FF773910000-0x00007FF773C61000-memory.dmp upx
behavioral2/memory/992-131-0x00007FF778C90000-0x00007FF778FE1000-memory.dmp upx
behavioral2/memory/1880-138-0x00007FF787660000-0x00007FF7879B1000-memory.dmp upx
behavioral2/memory/3544-140-0x00007FF662CB0000-0x00007FF663001000-memory.dmp upx
behavioral2/memory/4220-137-0x00007FF7694C0000-0x00007FF769811000-memory.dmp upx
behavioral2/memory/712-136-0x00007FF7BDB70000-0x00007FF7BDEC1000-memory.dmp upx
behavioral2/memory/4280-135-0x00007FF6E0660000-0x00007FF6E09B1000-memory.dmp upx
behavioral2/memory/440-141-0x00007FF7992F0000-0x00007FF799641000-memory.dmp upx
behavioral2/memory/2716-143-0x00007FF6C85E0000-0x00007FF6C8931000-memory.dmp upx
behavioral2/memory/3244-142-0x00007FF6BCC10000-0x00007FF6BCF61000-memory.dmp upx
behavioral2/memory/3352-153-0x00007FF73BBF0000-0x00007FF73BF41000-memory.dmp upx
behavioral2/memory/1032-203-0x00007FF7D34B0000-0x00007FF7D3801000-memory.dmp upx
behavioral2/memory/1188-205-0x00007FF7B61A0000-0x00007FF7B64F1000-memory.dmp upx
behavioral2/memory/4280-217-0x00007FF6E0660000-0x00007FF6E09B1000-memory.dmp upx
behavioral2/memory/4708-221-0x00007FF66A3A0000-0x00007FF66A6F1000-memory.dmp upx
behavioral2/memory/712-220-0x00007FF7BDB70000-0x00007FF7BDEC1000-memory.dmp upx
behavioral2/memory/4220-226-0x00007FF7694C0000-0x00007FF769811000-memory.dmp upx
behavioral2/memory/1880-227-0x00007FF787660000-0x00007FF7879B1000-memory.dmp upx
-
Drops file in Windows directory 21 IoCs
description ioc Process
File created C:\Windows\System\xNlkhSH.exe 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\FjBxCuW.exe 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\lkTjlzX.exe 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\HnJgTrX.exe 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\lItmsKe.exe 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\oWSqqAO.exe 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\ovFtZMQ.exe 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\YEVKYyq.exe 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\BbZAvGd.exe 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\hCirSkm.exe 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\qyJMvnk.exe 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\VmksQfD.exe 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\NtHrteb.exe 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\LHlqCnZ.exe 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\cQNubHK.exe 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\QXZvFVt.exe 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\sfxDGoe.exe 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\cgvyYsx.exe 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\GLDyBYG.exe 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\ADqpiVO.exe 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\bdRJFIs.exe 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process
Token: SeLockMemoryPrivilege 3352 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege 3352 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe
-
Suspicious use of WriteProcessMemory 42 IoCs
description pid Process procid_target
PID 3352 wrote to memory of 1032 3352 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe 84
PID 3352 wrote to memory of 1032 3352 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe 84
PID 3352 wrote to memory of 1188 3352 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe 85
PID 3352 wrote to memory of 1188 3352 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe 85
PID 3352 wrote to memory of 4708 3352 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe 86
PID 3352 wrote to memory of 4708 3352 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe 86
PID 3352 wrote to memory of 4280 3352 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe 90
PID 3352 wrote to memory of 4280 3352 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe 90
PID 3352 wrote to memory of 712 3352 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe 91
PID 3352 wrote to memory of 712 3352 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe 91
PID 3352 wrote to memory of 4220 3352 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe 92
PID 3352 wrote to memory of 4220 3352 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe 92
PID 3352 wrote to memory of 1880 3352 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe 93
PID 3352 wrote to memory of 1880 3352 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe 93
PID 3352 wrote to memory of 3056 3352 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe 94
PID 3352 wrote to memory of 3056 3352 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe 94
PID 3352 wrote to memory of 3544 3352 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe 95
PID 3352 wrote to memory of 3544 3352 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe 95
PID 3352 wrote to memory of 440 3352 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe 96
PID 3352 wrote to memory of 440 3352 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe 96
PID 3352 wrote to memory of 3244 3352 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe 97
PID 3352 wrote to memory of 3244 3352 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe 97
PID 3352 wrote to memory of 2716 3352 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe 98
PID 3352 wrote to memory of 2716 3352 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe 98
PID 3352 wrote to memory of 3484 3352 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe 99
PID 3352 wrote to memory of 3484 3352 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe 99
PID 3352 wrote to memory of 2560 3352 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe 100
PID 3352 wrote to memory of 2560 3352 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe 100
PID 3352 wrote to memory of 4940 3352 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe 101
PID 3352 wrote to memory of 4940 3352 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe 101
PID 3352 wrote to memory of 900 3352 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe 102
PID 3352 wrote to memory of 900 3352 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe 102
PID 3352 wrote to memory of 4104 3352 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe 103
PID 3352 wrote to memory of 4104 3352 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe 103
PID 3352 wrote to memory of 4744 3352 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe 104
PID 3352 wrote to memory of 4744 3352 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe 104
PID 3352 wrote to memory of 992 3352 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe 105
PID 3352 wrote to memory of 992 3352 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe 105
PID 3352 wrote to memory of 776 3352 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe 106
PID 3352 wrote to memory of 776 3352 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe 106
PID 3352 wrote to memory of 1516 3352 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe 107
PID 3352 wrote to memory of 1516 3352 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3352
  Child processes (all spawned directly by PID 3352):
    C:\Windows\System\FjBxCuW.exe
      Command line: C:\Windows\System\FjBxCuW.exe
      - Executes dropped EXE
      PID:1032
    C:\Windows\System\QXZvFVt.exe
      Command line: C:\Windows\System\QXZvFVt.exe
      - Executes dropped EXE
      PID:1188
    C:\Windows\System\YEVKYyq.exe
      Command line: C:\Windows\System\YEVKYyq.exe
      - Executes dropped EXE
      PID:4708
    C:\Windows\System\sfxDGoe.exe
      Command line: C:\Windows\System\sfxDGoe.exe
      - Executes dropped EXE
      PID:4280
    C:\Windows\System\lkTjlzX.exe
      Command line: C:\Windows\System\lkTjlzX.exe
      - Executes dropped EXE
      PID:712
    C:\Windows\System\xNlkhSH.exe
      Command line: C:\Windows\System\xNlkhSH.exe
      - Executes dropped EXE
      PID:4220
    C:\Windows\System\BbZAvGd.exe
      Command line: C:\Windows\System\BbZAvGd.exe
      - Executes dropped EXE
      PID:1880
    C:\Windows\System\HnJgTrX.exe
      Command line: C:\Windows\System\HnJgTrX.exe
      - Executes dropped EXE
      PID:3056
    C:\Windows\System\hCirSkm.exe
      Command line: C:\Windows\System\hCirSkm.exe
      - Executes dropped EXE
      PID:3544
    C:\Windows\System\ADqpiVO.exe
      Command line: C:\Windows\System\ADqpiVO.exe
      - Executes dropped EXE
      PID:440
    C:\Windows\System\qyJMvnk.exe
      Command line: C:\Windows\System\qyJMvnk.exe
      - Executes dropped EXE
      PID:3244
    C:\Windows\System\bdRJFIs.exe
      Command line: C:\Windows\System\bdRJFIs.exe
      - Executes dropped EXE
      PID:2716
    C:\Windows\System\cgvyYsx.exe
      Command line: C:\Windows\System\cgvyYsx.exe
      - Executes dropped EXE
      PID:3484
    C:\Windows\System\lItmsKe.exe
      Command line: C:\Windows\System\lItmsKe.exe
      - Executes dropped EXE
      PID:2560
    C:\Windows\System\oWSqqAO.exe
      Command line: C:\Windows\System\oWSqqAO.exe
      - Executes dropped EXE
      PID:4940
    C:\Windows\System\VmksQfD.exe
      Command line: C:\Windows\System\VmksQfD.exe
      - Executes dropped EXE
      PID:900
    C:\Windows\System\ovFtZMQ.exe
      Command line: C:\Windows\System\ovFtZMQ.exe
      - Executes dropped EXE
      PID:4104
    C:\Windows\System\NtHrteb.exe
      Command line: C:\Windows\System\NtHrteb.exe
      - Executes dropped EXE
      PID:4744
    C:\Windows\System\LHlqCnZ.exe
      Command line: C:\Windows\System\LHlqCnZ.exe
      - Executes dropped EXE
      PID:992
    C:\Windows\System\cQNubHK.exe
      Command line: C:\Windows\System\cQNubHK.exe
      - Executes dropped EXE
      PID:776
    C:\Windows\System\GLDyBYG.exe
      Command line: C:\Windows\System\GLDyBYG.exe
      - Executes dropped EXE
      PID:1516
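The process tree above shows one behaviour worth turning into a detection: a binary running from the user's Temp directory writes 21 executables with seven-letter pseudo-random names into C:\Windows\System (the legacy directory, not System32) and launches every one of them as a direct child. The following is an added example written for this page, not code from Triage, that runs exactly that logic over Sysmon-style file-create and process-create events. The Event shape, the threshold of five children and the sample events are assumptions: the events are constructed here from six of the 21 children listed above plus one constructed benign System32 write, which the trailing backslash in DROP_DIR is there to exclude.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """Minimal Sysmon-like record (an assumed shape for this example, not Triage's)."""
    kind: str           # "file_create" (Sysmon EID 11) or "process_create" (EID 1)
    pid: int            # creating process (file_create) or new process (process_create)
    image: str          # creating image (file_create) or new image (process_create)
    target: str = ""    # created file path, or parent image for process_create
    ppid: int = 0       # parent pid, process_create only


# Legacy 16-bit directory; the trailing backslash keeps System32 writes from matching.
DROP_DIR = "c:\\windows\\system\\"
RANDOM_NAME = re.compile(r"^[A-Za-z]{7}\.exe$")
USER_TEMP = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)


def analyze(events, min_children=5):
    r"""Flag every process that wrote >= min_children executables into
    C:\Windows\System and then launched them. Returns {parent pid: details}."""
    dropped = defaultdict(set)      # pid  -> lower-cased paths it created there
    spawned = defaultdict(set)      # ppid -> lower-cased child images run from there
    parent_image = {}
    for ev in events:
        if ev.kind == "file_create" and ev.target.lower().startswith(DROP_DIR):
            dropped[ev.pid].add(ev.target.lower())
            parent_image[ev.pid] = ev.image
        elif ev.kind == "process_create" and ev.image.lower().startswith(DROP_DIR):
            spawned[ev.ppid].add(ev.image.lower())

    findings = {}
    for pid, files in dropped.items():
        executed = sorted(files & spawned.get(pid, set()))   # dropped AND run by the same pid
        if len(executed) < min_children:
            continue
        names = [p.rsplit("\\", 1)[-1] for p in executed]
        findings[pid] = {
            "parent_image": parent_image[pid],
            "from_user_temp": bool(USER_TEMP.match(parent_image[pid])),
            "random_names": sum(1 for n in names if RANDOM_NAME.match(n)),
            "executed": executed,
        }
    return findings


SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe")
# Six of the 21 (pid, name) pairs from the process tree above.
DROPPED = {1032: "FjBxCuW.exe", 1188: "QXZvFVt.exe", 4708: "YEVKYyq.exe",
           4280: "sfxDGoe.exe", 712: "lkTjlzX.exe", 4220: "xNlkhSH.exe"}


def build_sample_events():
    """Constructed events mirroring the report, plus constructed benign noise."""
    events = []
    for cpid, name in DROPPED.items():
        path = "C:\\Windows\\System\\" + name
        events.append(Event("file_create", 3352, SAMPLE, path))
        events.append(Event("process_create", cpid, path, SAMPLE, 3352))
    # Benign: an installer writing one DLL into System32 (not System) and never running it.
    events.append(Event("file_create", 4444, "C:\\Program Files\\Vendor\\setup.exe",
                        "C:\\Windows\\System32\\vendor.dll"))
    return events


if __name__ == "__main__":
    for pid, hit in analyze(build_sample_events()).items():
        print(pid, hit["parent_image"], "from_user_temp=%s" % hit["from_user_temp"],
              "random_names=%d/%d" % (hit["random_names"], len(hit["executed"])))
```

The intersection of "files this pid created in the directory" with "children this pid started from the directory" is what keeps the rule quiet on installers and patchers, which write there (rarely) but do not execute what they wrote in the same run; from_user_temp and random_names are reported as corroborating signals rather than folded into the threshold, so an analyst can weight them per environment.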
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize
5.2MB
MD5
6c2583c996f111f19e5b7f75afc483b3
SHA1
9f8d1d5f527474b84b9f6e172ab16ae35f0e101c
SHA256
2b8191bfda83140beb86e2143ede8b8a5233558cdd52a8f11e9a3b3229b87ec5
SHA512
dc29aad93ad5b7efd4fdeed38c1e9c573cdec3292823d99e9adcd15f2ca7ff45ad21d79872dad969a7ebe7508fc7c67b1b4a1f70d603c3b54359387f0a84a5b2
-
Filesize
5.2MB
MD5
e2480807fdc6b4ccc1a1416566411963
SHA1
82cb25938e6cb2410d0cdeead1baf7e097b0acd9
SHA256
8bd3613ab347cba28a8cfdfa0353e1246de18d4bfdb42512f1f8e9dbd6e5d9c6
SHA512
216ceff4364b986992eec3414a3202015ed816f11adc1a8705698ab9f2c80ba4196f9e2cd6ed928ba8a5b12dcb14c32ecb36d525318edccc10f24717e7c81332
-
Filesize
5.2MB
MD5
e8fa3f6841807d9afb9e89ecd8adfaea
SHA1
93cf284a25383997ea077ae006659288b6a6b484
SHA256
49bb4e10ed381dbcf5bd994f1699cefb6a3983ab9c3985de8c1d2491f5e906c6
SHA512
e8e401f84e84e9ea521b95acf12d5e5fbe622feb5a10dd76bf4af15b6402078e463a9c06b534f9e61c05825fd3b44c9eda4f7c4045b7b04a7ddffdea5f815788
-
Filesize
5.2MB
MD5
e032952e73475f0e6c9d4003cc4adf41
SHA1
162589ef8c75fffa70e1e299ab4ca87ba08baf4d
SHA256
647fd13facb74876ec209a0733fc791264640d58e014bb5a7611b42e9d430e68
SHA512
d8c221179149e068349c7ff9ece5721a64c10ca7dc25f048f46eff8da800a0ff82f620ab49591d7f74986facffc90dc07afb5f51fcd4801a6c1ac7aed2b960ce
-
Filesize
5.2MB
MD5
d3a76127cd59c2dcbd1a63a59b60e73b
SHA1
84a746446aa28161849a58c6bd6d761246056dab
SHA256
d15bc19edd2ff7179216cfe7854bb327675abdc8b64d65f57157f4ff82d41de4
SHA512
331a83d8b2323b65d024de9ae6e258d56b3b0b413e3423d364935e6d861252f257dfd10be0d5810743fb736f16a72356da373637ad3a266ec8b74d6cfd4318b8
-
Filesize
5.2MB
MD5
d8d489b54d3997a4acff082fb366ff92
SHA1
e8b395136af54e9b181b4a308c2f9ccee83f9470
SHA256
3ac5207e873b0e1f063f44fc9951c471545c81096ac50ea2fa6914627baf1997
SHA512
a2f57c80ea180e8f999390123817aafdf3437b2fd3900d47a8ad750dc5d6ced0e31f004e7b72548bd737adee150ec34fb5469ff123c014a27767a8acfc5bc4e5
-
Filesize
5.2MB
MD5
5f8c8bda73e71eed27d6ed53a23a03e3
SHA1
d2651135b02aea22b5c70a7b2e4f9fb424f8e8b9
SHA256
20047d58aca3acff7ba22709f20e598f0f2cd1ba21da80fe5556fa05a420bf84
SHA512
bc9c84047d48d36e93bedcc500ed7e7ee74721979765b0cc62ea7d56cbede5df9764920583a51e25866c8757c4f7b702f239f2c541a619d1ef15f368db40c6ff
-
Filesize
5.2MB
MD5
d7378d35b0bdd9da0cda68688417bc04
SHA1
a18682c31572a35d95990195d56df0d0c100fdb7
SHA256
017a6e607e36d9215fce1ad9ad509e6ccf145c4c91c3f681317e6ccdf2bdff64
SHA512
1546af34ad9f3e1e81500739dc5f10307f9bcf2d4ddf9daaf3e5c87fceb6ac7cda6839eaf27150995f7dd1b24f57a9fcd81428c52b3ec7894cebe43d9fa94c17
-
Filesize
5.2MB
MD5
d36d365b614faeea4f86f6a7746dce48
SHA1
21ce70eb2d20ec25a82828270481b2487e3ea3fe
SHA256
734d707e9907fc052b2127afc9a7ec5f7055991a4b6e502a58fae1f4bcc34075
SHA512
88305bf00f12469d0a0d61fd938606872b2a13666ab596fe6ce6f5284f2ad85e6db0b602927dd13048f46a72789b38dc3c7a7f6f55c31d9ca91ab47a530f8b8e
-
Filesize
5.2MB
MD5
51b300dfd3d8dfe39b1815c66d6b253a
SHA1
f4cedf4e456ac8d7f6c712abe365390792b9cad5
SHA256
7c4a6650d2e7e237f587ba2cfc7329d59fa3936b0ba79ea8e38c1109b525be71
SHA512
c1a23137ccb568470312928e71d6eebb77cc7fae45997614cdd2d221c3010e5563fc43a73846455e0e52e2cbbf60a634d55cfcab108fd40ce35ff4c8fe558813
-
Filesize
5.2MB
MD5
1fa12096508c3758bd3ddbf9be648964
SHA1
224ac0cbeb61e1495729cb4c75a44c401e7cee40
SHA256
c33e78f25e37f3a67acacade190ce3c529a0e57bf09a17b394f57f02c03e9fe6
SHA512
d1ad99754cf2eb019c011b2b26b4578580bb9c9e99d3ffc887937d5203de2307a43a8bce5ae3f4bd611d4d6bde68ddf63fd4b2c5082c61708bc5a81bdaca15c0
-
Filesize
5.2MB
MD5
5fad8d860d8f195a113df5cd79864250
SHA1
20ba13de75c87dfc7744448e1bddff9bef97da2f
SHA256
c6a3c659532ed50824ab507ad5a23cfd0d31f537860da1dc77c57ce6e954c59a
SHA512
c0cb9e295fb1cdee4036c727cbce441f49ed9e2614aa5bf2218dbf4420636a56be491fdeaab30df088a8ba04f4745026a52381d9c248a3b0060430760442c47c
-
Filesize
5.2MB
MD5
e00950f43b0f7be7fc64b684fb3c4870
SHA1
77a76239829f5097b0f2be6195704398bd33cd2a
SHA256
30a76e28dda71078a26f45e7a6cb338902713a9572634950e6427d7da6faa12b
SHA512
901f26e4bb2008527709808773b78ac91a41528745123866224b26cacfe678839cc95943d214c542d0dd52a7189e846a3f8eef53dce1de49d6fb5f7b4d36690a
-
Filesize
5.2MB
MD5
93e262a9e74bf3c44c1cb730de184b0e
SHA1
c626a8d93cdcfdd5656e82d162acf4a77c41adfa
SHA256
ef43e3500bcc66989ce727b775b5a7efd4808f52efe74c95d6f550c363530022
SHA512
cc5d82fb68b811637d3477e7e7fd127ff2ba1afb0ad2cc165e058366260565d8ccd718fa6be1bf3ea619bf792ec9401cf629b9b896bf9d9947c86493633de0ff
-
Filesize
5.2MB
MD5
ac269a7c7f990cab81b4fb599f0846ef
SHA1
4ad00c599aef5642575b902889254a4bbf13a97c
SHA256
e0aa76d4964649872309ba61d600a1f610694d251aaa156ae18c207b1e71d649
SHA512
fbd784d91f285df05ebe72741291e4121431ac1b24e51c071e29b482f5074a9ebcd859327912317f4ad952c22fe779263138aad4182c83764ddf002bbb028e8c
-
Filesize
5.2MB
MD5
7baf4d303584a39e0be2f3ec81d6779d
SHA1
7ba4922f5749a64a0e37da9d013c80194cf42167
SHA256
8377a857efabc0d5bd083545f9a9d78014784d3474f489d69464d6239b605856
SHA512
c134fd6c9cf3326a8f0b9000dfcfc69cfa44f5de932144df2da0bdd8a49225e0e95da16840364ad9aeb4a3d5e6f726b9a02cd7397a18790a372fe6a3425f5cd9
-
Filesize
5.2MB
MD5
facc283c552d499f18cc317bd2dee48c
SHA1
821a7d8b6095c87b07d96ebca06d55b8b1383106
SHA256
2d8d7a9e2306b59aa57f5cd27fb7747f7e02f6cc21ebefa36bde32a5d8c123db
SHA512
94dd57a8982d06c67379001898e63c780b9695c917c81c5c438deaa2df60cfd8a9f6aac1de917f0b86c60958e726ccfd779ca2f4a43d72f766176af93c7ccf8a
-
Filesize
5.2MB
MD5
35a70af3a989d82bd9ca87e04fa6f19e
SHA1
aefa5f268746b98cd1bbde79578f1d936a662281
SHA256
8244541193388ec0c36a2e42c14d81180a029489079fb1aae9fbe975eb8849a4
SHA512
e404480c7349e0fa3ebe9e695bce8b251ccbefbc61d0865a373eee74a34b3af274496133d9cc717fb234323714f5102e3542d5e85161600a02b5f9e3ee9116a3
-
Filesize
5.2MB
MD5
6e24d3cb8f69e2276bde10fc5dbd44d0
SHA1
ecb9dac4b91d33d1890a1c509b4b89079dd3cd70
SHA256
17e8587ff7914772fb30e5b1b8cafd831ec0403f1c79eaa9661acb46d98fe128
SHA512
e04486d6c1a9a992542fd365dc08981f445c1f7163cfc9cf47a474adc09268062c43c28dc925aee9c1a31f5d13af0bd5eb79864b127c3f72e1711661fa99ae79
-
Filesize
5.2MB
MD5
43cbfe605aaeedfedee64ac7ef04aac9
SHA1
4137f14e350a0a08e27a793a5d2b7588fb48c61c
SHA256
4bbf370c33c818498257c297ebc2efd333640270497552e168c69e1f5354420b
SHA512
408bc153a21a573dd349de18f1f7cd9d85d8d7569ffdbc33c847b12d25c6da67daa3f621d8c3c9c9e6be4d1d1b598fc4343907b4eb9ba190d7912b12bacdf189
-
Filesize
5.2MB
MD5
e87503ac0486a4378abcf0586a21f0cd
SHA1
7807da7eabc8e6dbc9df2807251c7a40d82281a9
SHA256
8eabbee432808eddcea0029215e5c01db210939e19498f983a9269a34f1df3e8
SHA512
2d5552df5e6058c505e4c2adcf5aa5cd2bafbd55ba88cae3c85b323634deb2117b1c50cec9ced2c55d995faee6d38a3d6536fb95ead0b47836727dd4d2ccf0e0