Analysis
-
max time kernel
150s
-
max time network
150s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240802-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
-
submitted
15/08/2024, 11:29
Behavioral task
behavioral1
Sample
2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe
Resource
win7-20240705-en
General
-
Target
2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe
-
Size
5.2MB
-
MD5
4aedd5adc0f9824d8153024baaf597a6
-
SHA1
460af53930695e2a6ac01b77986abda1ff890523
-
SHA256
0982f6db774f8549398f52a461dda8701963f9d3c9d3ec59c635e2ca6994632c
-
SHA512
42f605648dd6401b8613ef219b85d1444cc4a7e8eb5ba24c4e54239cbdef10492dfdf9aa247dc78b7e1e9ad91261e5842126ebcd7ff94c1ebdb6ea9197a11e2a
-
SSDEEP
49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lZ:RWWBibf56utgpPFotBER/mQ32lUN
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
-
access_type
512
-
beacon_type
256
-
create_remote_thread
768
-
crypto_scheme
256
-
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
-
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
-
http_method1
GET
-
http_method2
POST
-
maxdns
255
-
pipe_name
\\%s\pipe\msagent_%x
-
polling_time
5000
-
port_number
443
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/N4215/adj/amzn.us.sr.aps
-
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
-
watermark
0
Signatures
-
Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
resource yara_rule behavioral2/files/0x00090000000233ba-4.dat cobalt_reflective_dll behavioral2/files/0x0007000000023425-9.dat cobalt_reflective_dll behavioral2/files/0x0007000000023428-23.dat cobalt_reflective_dll behavioral2/files/0x0007000000023426-22.dat cobalt_reflective_dll behavioral2/files/0x000700000002342d-52.dat cobalt_reflective_dll behavioral2/files/0x000700000002342e-68.dat cobalt_reflective_dll behavioral2/files/0x0007000000023431-84.dat cobalt_reflective_dll behavioral2/files/0x0007000000023432-96.dat cobalt_reflective_dll behavioral2/files/0x0007000000023435-112.dat cobalt_reflective_dll behavioral2/files/0x0007000000023437-126.dat cobalt_reflective_dll behavioral2/files/0x0007000000023436-123.dat cobalt_reflective_dll behavioral2/files/0x0007000000023434-119.dat cobalt_reflective_dll behavioral2/files/0x0008000000023422-102.dat cobalt_reflective_dll behavioral2/files/0x0007000000023433-100.dat cobalt_reflective_dll behavioral2/files/0x0007000000023430-87.dat cobalt_reflective_dll behavioral2/files/0x000700000002342f-78.dat cobalt_reflective_dll behavioral2/files/0x000700000002342c-74.dat cobalt_reflective_dll behavioral2/files/0x000700000002342a-55.dat cobalt_reflective_dll behavioral2/files/0x0007000000023429-49.dat cobalt_reflective_dll behavioral2/files/0x000700000002342b-47.dat cobalt_reflective_dll behavioral2/files/0x0007000000023427-32.dat cobalt_reflective_dll -
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
XMRig Miner payload 44 IoCs
Executes dropped EXE 21 IoCs
pid Process 3040 OTbTBIy.exe 4596 AneVIkp.exe 3144 zJnWWGR.exe 1296 wLtExFK.exe 4648 JzahhfW.exe 4064 eroeGdX.exe 1392 cPELJOm.exe 2596 PBBfqnp.exe 2692 exhDQTx.exe 3328 wSJURPA.exe 2324 KSDyqZp.exe 2724 biDaVYe.exe 3064 QKtcyYg.exe 5012 YArcfJh.exe 892 WlLweSX.exe 880 grifmNx.exe 2656 qNivVtG.exe 4008 UXNlubQ.exe 816 ygAAAVI.exe 1396 HPrEamr.exe 2468 fegQgSL.exe -
Drops file in Windows directory 21 IoCs
description ioc Process File created C:\Windows\System\qNivVtG.exe 2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe File created C:\Windows\System\UXNlubQ.exe 2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe File created C:\Windows\System\AneVIkp.exe 2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe File created C:\Windows\System\wSJURPA.exe 2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe File created C:\Windows\System\YArcfJh.exe 2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe File created C:\Windows\System\WlLweSX.exe 2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe File created C:\Windows\System\exhDQTx.exe 2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe File created C:\Windows\System\KSDyqZp.exe 2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe File created C:\Windows\System\HPrEamr.exe 2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe File created C:\Windows\System\PBBfqnp.exe 2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe File created C:\Windows\System\grifmNx.exe 2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe File created C:\Windows\System\fegQgSL.exe 2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe File created C:\Windows\System\eroeGdX.exe 2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe File created C:\Windows\System\cPELJOm.exe 2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe File created C:\Windows\System\biDaVYe.exe 2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe File created C:\Windows\System\QKtcyYg.exe 
2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe File created C:\Windows\System\OTbTBIy.exe 2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe File created C:\Windows\System\wLtExFK.exe 2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe File created C:\Windows\System\zJnWWGR.exe 2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe File created C:\Windows\System\JzahhfW.exe 2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe File created C:\Windows\System\ygAAAVI.exe 2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeLockMemoryPrivilege 4512 2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe Token: SeLockMemoryPrivilege 4512 2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe -
Suspicious use of WriteProcessMemory 42 IoCs
Processes
- "C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe" (depth 1, PID 4512)
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - "C:\Windows\System\OTbTBIy.exe" (depth 2, PID 3040)
    - Executes dropped EXE
  - "C:\Windows\System\AneVIkp.exe" (depth 2, PID 4596)
    - Executes dropped EXE
  - "C:\Windows\System\wLtExFK.exe" (depth 2, PID 1296)
    - Executes dropped EXE
  - "C:\Windows\System\zJnWWGR.exe" (depth 2, PID 3144)
    - Executes dropped EXE
  - "C:\Windows\System\JzahhfW.exe" (depth 2, PID 4648)
    - Executes dropped EXE
  - "C:\Windows\System\PBBfqnp.exe" (depth 2, PID 2596)
    - Executes dropped EXE
  - "C:\Windows\System\eroeGdX.exe" (depth 2, PID 4064)
    - Executes dropped EXE
  - "C:\Windows\System\cPELJOm.exe" (depth 2, PID 1392)
    - Executes dropped EXE
  - "C:\Windows\System\wSJURPA.exe" (depth 2, PID 3328)
    - Executes dropped EXE
  - "C:\Windows\System\exhDQTx.exe" (depth 2, PID 2692)
    - Executes dropped EXE
  - "C:\Windows\System\KSDyqZp.exe" (depth 2, PID 2324)
    - Executes dropped EXE
  - "C:\Windows\System\biDaVYe.exe" (depth 2, PID 2724)
    - Executes dropped EXE
  - "C:\Windows\System\QKtcyYg.exe" (depth 2, PID 3064)
    - Executes dropped EXE
  - "C:\Windows\System\YArcfJh.exe" (depth 2, PID 5012)
    - Executes dropped EXE
  - "C:\Windows\System\WlLweSX.exe" (depth 2, PID 892)
    - Executes dropped EXE
  - "C:\Windows\System\grifmNx.exe" (depth 2, PID 880)
    - Executes dropped EXE
  - "C:\Windows\System\qNivVtG.exe" (depth 2, PID 2656)
    - Executes dropped EXE
  - "C:\Windows\System\UXNlubQ.exe" (depth 2, PID 4008)
    - Executes dropped EXE
  - "C:\Windows\System\ygAAAVI.exe" (depth 2, PID 816)
    - Executes dropped EXE
  - "C:\Windows\System\HPrEamr.exe" (depth 2, PID 1396)
    - Executes dropped EXE
  - "C:\Windows\System\fegQgSL.exe" (depth 2, PID 2468)
    - Executes dropped EXE
Downloads