Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s
-
max time network
149s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240802-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
-
submitted
15/08/2024, 11:31
Behavioral task
behavioral1
Sample
2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe
Resource
win7-20240729-en
General
-
Target
2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe
-
Size
5.2MB
-
MD5
98ff4715111192d602e4f7b8c47f7ac4
-
SHA1
2c59b306d9874214eed68165242d1840a277543f
-
SHA256
0abd00e3fbd2f2341b01cc1c148b7cc9b8aa496baf5815aee28660fd22886018
-
SHA512
b5a2b7f767c5880f32403d7a152747781eafc647830222622fcc46c92d2c49f85d6bcbb87c824888e6764c3c81aa9e444d419fb676248007d467802e09e459cb
-
SSDEEP
49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lU:RWWBibf56utgpPFotBER/mQ32lU4
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
-
access_type
512
-
beacon_type
256
-
create_remote_thread
768
-
crypto_scheme
256
-
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
-
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
-
http_method1
GET
-
http_method2
POST
-
maxdns
255
-
pipe_name
\\%s\pipe\msagent_%x
-
polling_time
5000
-
port_number
443
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/N4215/adj/amzn.us.sr.aps
-
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
-
watermark
0
Signatures
-
Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
resource yara_rule behavioral2/files/0x00080000000234e6-5.dat cobalt_reflective_dll behavioral2/files/0x00070000000234e7-10.dat cobalt_reflective_dll behavioral2/files/0x00070000000234ea-21.dat cobalt_reflective_dll behavioral2/files/0x00070000000234eb-26.dat cobalt_reflective_dll behavioral2/files/0x00070000000234ef-47.dat cobalt_reflective_dll behavioral2/files/0x00070000000234f3-72.dat cobalt_reflective_dll behavioral2/files/0x00080000000234e4-87.dat cobalt_reflective_dll behavioral2/files/0x00070000000234f5-103.dat cobalt_reflective_dll behavioral2/files/0x00070000000234f7-108.dat cobalt_reflective_dll behavioral2/files/0x00070000000234f6-106.dat cobalt_reflective_dll behavioral2/files/0x00070000000234f4-97.dat cobalt_reflective_dll behavioral2/files/0x00070000000234f2-77.dat cobalt_reflective_dll behavioral2/files/0x00070000000234f1-75.dat cobalt_reflective_dll behavioral2/files/0x00070000000234ed-65.dat cobalt_reflective_dll behavioral2/files/0x00070000000234f0-63.dat cobalt_reflective_dll behavioral2/files/0x00070000000234ee-57.dat cobalt_reflective_dll behavioral2/files/0x00070000000234ec-53.dat cobalt_reflective_dll behavioral2/files/0x00070000000234e9-31.dat cobalt_reflective_dll behavioral2/files/0x00070000000234e8-27.dat cobalt_reflective_dll behavioral2/files/0x00070000000234f8-131.dat cobalt_reflective_dll behavioral2/files/0x00070000000234fa-133.dat cobalt_reflective_dll -
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
XMRig Miner payload 45 IoCs
resource yara_rule behavioral2/memory/4092-73-0x00007FF64D510000-0x00007FF64D861000-memory.dmp xmrig behavioral2/memory/4164-95-0x00007FF7EB560000-0x00007FF7EB8B1000-memory.dmp xmrig behavioral2/memory/2684-111-0x00007FF71AC50000-0x00007FF71AFA1000-memory.dmp xmrig behavioral2/memory/2828-115-0x00007FF6EB850000-0x00007FF6EBBA1000-memory.dmp xmrig behavioral2/memory/2024-116-0x00007FF66F7E0000-0x00007FF66FB31000-memory.dmp xmrig behavioral2/memory/1808-114-0x00007FF64E3C0000-0x00007FF64E711000-memory.dmp xmrig behavioral2/memory/904-113-0x00007FF644E20000-0x00007FF645171000-memory.dmp xmrig behavioral2/memory/232-112-0x00007FF679590000-0x00007FF6798E1000-memory.dmp xmrig behavioral2/memory/1944-110-0x00007FF771010000-0x00007FF771361000-memory.dmp xmrig behavioral2/memory/4964-105-0x00007FF776FA0000-0x00007FF7772F1000-memory.dmp xmrig behavioral2/memory/3024-102-0x00007FF6E7DC0000-0x00007FF6E8111000-memory.dmp xmrig behavioral2/memory/2428-74-0x00007FF7513D0000-0x00007FF751721000-memory.dmp xmrig behavioral2/memory/1540-71-0x00007FF76D450000-0x00007FF76D7A1000-memory.dmp xmrig behavioral2/memory/2904-49-0x00007FF71AE50000-0x00007FF71B1A1000-memory.dmp xmrig behavioral2/memory/1444-48-0x00007FF722F70000-0x00007FF7232C1000-memory.dmp xmrig behavioral2/memory/2548-123-0x00007FF7389A0000-0x00007FF738CF1000-memory.dmp xmrig behavioral2/memory/3048-120-0x00007FF7A08B0000-0x00007FF7A0C01000-memory.dmp xmrig behavioral2/memory/2280-119-0x00007FF66AFD0000-0x00007FF66B321000-memory.dmp xmrig behavioral2/memory/3920-117-0x00007FF603E80000-0x00007FF6041D1000-memory.dmp xmrig behavioral2/memory/2452-139-0x00007FF7D4F80000-0x00007FF7D52D1000-memory.dmp xmrig behavioral2/memory/3972-148-0x00007FF731260000-0x00007FF7315B1000-memory.dmp xmrig behavioral2/memory/3920-149-0x00007FF603E80000-0x00007FF6041D1000-memory.dmp xmrig behavioral2/memory/3920-150-0x00007FF603E80000-0x00007FF6041D1000-memory.dmp xmrig behavioral2/memory/4632-165-0x00007FF6884D0000-0x00007FF688821000-memory.dmp 
xmrig behavioral2/memory/2280-212-0x00007FF66AFD0000-0x00007FF66B321000-memory.dmp xmrig behavioral2/memory/3048-214-0x00007FF7A08B0000-0x00007FF7A0C01000-memory.dmp xmrig behavioral2/memory/4164-216-0x00007FF7EB560000-0x00007FF7EB8B1000-memory.dmp xmrig behavioral2/memory/2548-218-0x00007FF7389A0000-0x00007FF738CF1000-memory.dmp xmrig behavioral2/memory/1444-221-0x00007FF722F70000-0x00007FF7232C1000-memory.dmp xmrig behavioral2/memory/2904-222-0x00007FF71AE50000-0x00007FF71B1A1000-memory.dmp xmrig behavioral2/memory/1540-224-0x00007FF76D450000-0x00007FF76D7A1000-memory.dmp xmrig behavioral2/memory/4092-232-0x00007FF64D510000-0x00007FF64D861000-memory.dmp xmrig behavioral2/memory/4964-231-0x00007FF776FA0000-0x00007FF7772F1000-memory.dmp xmrig behavioral2/memory/3024-227-0x00007FF6E7DC0000-0x00007FF6E8111000-memory.dmp xmrig behavioral2/memory/2428-229-0x00007FF7513D0000-0x00007FF751721000-memory.dmp xmrig behavioral2/memory/2828-240-0x00007FF6EB850000-0x00007FF6EBBA1000-memory.dmp xmrig behavioral2/memory/904-251-0x00007FF644E20000-0x00007FF645171000-memory.dmp xmrig behavioral2/memory/2024-250-0x00007FF66F7E0000-0x00007FF66FB31000-memory.dmp xmrig behavioral2/memory/1808-247-0x00007FF64E3C0000-0x00007FF64E711000-memory.dmp xmrig behavioral2/memory/1944-246-0x00007FF771010000-0x00007FF771361000-memory.dmp xmrig behavioral2/memory/2452-243-0x00007FF7D4F80000-0x00007FF7D52D1000-memory.dmp xmrig behavioral2/memory/2684-242-0x00007FF71AC50000-0x00007FF71AFA1000-memory.dmp xmrig behavioral2/memory/232-253-0x00007FF679590000-0x00007FF6798E1000-memory.dmp xmrig behavioral2/memory/3972-257-0x00007FF731260000-0x00007FF7315B1000-memory.dmp xmrig behavioral2/memory/4632-259-0x00007FF6884D0000-0x00007FF688821000-memory.dmp xmrig -
Executes dropped EXE 21 IoCs
pid Process
2280 KAuynYm.exe
3048 uHAsVSo.exe
2548 sBiyzSd.exe
1444 yhFkjlV.exe
4164 CjZtxuu.exe
2904 yifKjbf.exe
3024 hfXHkKs.exe
1540 KnIRYnG.exe
4092 KjeVnkq.exe
4964 UxicEcz.exe
2428 gsCfSJb.exe
1944 JRWeJcM.exe
2452 LtcWpag.exe
2684 quTckqn.exe
2828 NAiniAS.exe
232 BeIQzws.exe
904 ndFMAlO.exe
2024 zFYoJrr.exe
1808 qdsYLeZ.exe
3972 ULEyfUT.exe
4632 INgnIow.exe
resource yara_rule behavioral2/memory/3920-0-0x00007FF603E80000-0x00007FF6041D1000-memory.dmp upx behavioral2/files/0x00080000000234e6-5.dat upx behavioral2/memory/2280-7-0x00007FF66AFD0000-0x00007FF66B321000-memory.dmp upx behavioral2/files/0x00070000000234e7-10.dat upx behavioral2/files/0x00070000000234ea-21.dat upx behavioral2/files/0x00070000000234eb-26.dat upx behavioral2/files/0x00070000000234ef-47.dat upx behavioral2/memory/4092-73-0x00007FF64D510000-0x00007FF64D861000-memory.dmp upx behavioral2/files/0x00070000000234f3-72.dat upx behavioral2/files/0x00080000000234e4-87.dat upx behavioral2/memory/4164-95-0x00007FF7EB560000-0x00007FF7EB8B1000-memory.dmp upx behavioral2/files/0x00070000000234f5-103.dat upx behavioral2/memory/2684-111-0x00007FF71AC50000-0x00007FF71AFA1000-memory.dmp upx behavioral2/memory/2828-115-0x00007FF6EB850000-0x00007FF6EBBA1000-memory.dmp upx behavioral2/memory/2024-116-0x00007FF66F7E0000-0x00007FF66FB31000-memory.dmp upx behavioral2/memory/1808-114-0x00007FF64E3C0000-0x00007FF64E711000-memory.dmp upx behavioral2/memory/904-113-0x00007FF644E20000-0x00007FF645171000-memory.dmp upx behavioral2/memory/232-112-0x00007FF679590000-0x00007FF6798E1000-memory.dmp upx behavioral2/memory/1944-110-0x00007FF771010000-0x00007FF771361000-memory.dmp upx behavioral2/files/0x00070000000234f7-108.dat upx behavioral2/files/0x00070000000234f6-106.dat upx behavioral2/memory/4964-105-0x00007FF776FA0000-0x00007FF7772F1000-memory.dmp upx behavioral2/memory/3024-102-0x00007FF6E7DC0000-0x00007FF6E8111000-memory.dmp upx behavioral2/files/0x00070000000234f4-97.dat upx behavioral2/memory/2452-83-0x00007FF7D4F80000-0x00007FF7D52D1000-memory.dmp upx behavioral2/files/0x00070000000234f2-77.dat upx behavioral2/files/0x00070000000234f1-75.dat upx behavioral2/memory/2428-74-0x00007FF7513D0000-0x00007FF751721000-memory.dmp upx behavioral2/memory/1540-71-0x00007FF76D450000-0x00007FF76D7A1000-memory.dmp upx behavioral2/files/0x00070000000234ed-65.dat upx 
behavioral2/files/0x00070000000234f0-63.dat upx behavioral2/files/0x00070000000234ee-57.dat upx behavioral2/memory/2904-49-0x00007FF71AE50000-0x00007FF71B1A1000-memory.dmp upx behavioral2/memory/1444-48-0x00007FF722F70000-0x00007FF7232C1000-memory.dmp upx behavioral2/files/0x00070000000234ec-53.dat upx behavioral2/memory/2548-38-0x00007FF7389A0000-0x00007FF738CF1000-memory.dmp upx behavioral2/files/0x00070000000234e9-31.dat upx behavioral2/files/0x00070000000234e8-27.dat upx behavioral2/memory/3048-16-0x00007FF7A08B0000-0x00007FF7A0C01000-memory.dmp upx behavioral2/memory/2548-123-0x00007FF7389A0000-0x00007FF738CF1000-memory.dmp upx behavioral2/files/0x00070000000234f8-131.dat upx behavioral2/memory/3972-134-0x00007FF731260000-0x00007FF7315B1000-memory.dmp upx behavioral2/files/0x00070000000234fa-133.dat upx behavioral2/memory/3048-120-0x00007FF7A08B0000-0x00007FF7A0C01000-memory.dmp upx behavioral2/memory/2280-119-0x00007FF66AFD0000-0x00007FF66B321000-memory.dmp upx behavioral2/memory/3920-117-0x00007FF603E80000-0x00007FF6041D1000-memory.dmp upx behavioral2/memory/2452-139-0x00007FF7D4F80000-0x00007FF7D52D1000-memory.dmp upx behavioral2/memory/4632-138-0x00007FF6884D0000-0x00007FF688821000-memory.dmp upx behavioral2/memory/3972-148-0x00007FF731260000-0x00007FF7315B1000-memory.dmp upx behavioral2/memory/3920-149-0x00007FF603E80000-0x00007FF6041D1000-memory.dmp upx behavioral2/memory/3920-150-0x00007FF603E80000-0x00007FF6041D1000-memory.dmp upx behavioral2/memory/4632-165-0x00007FF6884D0000-0x00007FF688821000-memory.dmp upx behavioral2/memory/2280-212-0x00007FF66AFD0000-0x00007FF66B321000-memory.dmp upx behavioral2/memory/3048-214-0x00007FF7A08B0000-0x00007FF7A0C01000-memory.dmp upx behavioral2/memory/4164-216-0x00007FF7EB560000-0x00007FF7EB8B1000-memory.dmp upx behavioral2/memory/2548-218-0x00007FF7389A0000-0x00007FF738CF1000-memory.dmp upx behavioral2/memory/1444-221-0x00007FF722F70000-0x00007FF7232C1000-memory.dmp upx 
behavioral2/memory/2904-222-0x00007FF71AE50000-0x00007FF71B1A1000-memory.dmp upx behavioral2/memory/1540-224-0x00007FF76D450000-0x00007FF76D7A1000-memory.dmp upx behavioral2/memory/4092-232-0x00007FF64D510000-0x00007FF64D861000-memory.dmp upx behavioral2/memory/4964-231-0x00007FF776FA0000-0x00007FF7772F1000-memory.dmp upx behavioral2/memory/3024-227-0x00007FF6E7DC0000-0x00007FF6E8111000-memory.dmp upx behavioral2/memory/2428-229-0x00007FF7513D0000-0x00007FF751721000-memory.dmp upx behavioral2/memory/2828-240-0x00007FF6EB850000-0x00007FF6EBBA1000-memory.dmp upx -
Drops file in Windows directory 21 IoCs
description ioc Process
File created C:\Windows\System\yhFkjlV.exe 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\KnIRYnG.exe 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\KAuynYm.exe 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\uHAsVSo.exe 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\CjZtxuu.exe 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\sBiyzSd.exe 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\zFYoJrr.exe 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\qdsYLeZ.exe 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\INgnIow.exe 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\yifKjbf.exe 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\KjeVnkq.exe 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\UxicEcz.exe 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\JRWeJcM.exe 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\gsCfSJb.exe 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\NAiniAS.exe 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\BeIQzws.exe 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\ULEyfUT.exe 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\hfXHkKs.exe 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\LtcWpag.exe 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\quTckqn.exe 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\ndFMAlO.exe 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process
Token: SeLockMemoryPrivilege 3920 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege 3920 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe
Suspicious use of WriteProcessMemory 42 IoCs
description pid Process procid_target
PID 3920 wrote to memory of 2280 3920 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe 85
PID 3920 wrote to memory of 2280 3920 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe 85
PID 3920 wrote to memory of 3048 3920 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe 86
PID 3920 wrote to memory of 3048 3920 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe 86
PID 3920 wrote to memory of 4164 3920 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe 87
PID 3920 wrote to memory of 4164 3920 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe 87
PID 3920 wrote to memory of 2548 3920 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe 88
PID 3920 wrote to memory of 2548 3920 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe 88
PID 3920 wrote to memory of 1444 3920 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe 89
PID 3920 wrote to memory of 1444 3920 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe 89
PID 3920 wrote to memory of 2904 3920 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe 90
PID 3920 wrote to memory of 2904 3920 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe 90
PID 3920 wrote to memory of 3024 3920 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe 91
PID 3920 wrote to memory of 3024 3920 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe 91
PID 3920 wrote to memory of 2428 3920 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe 92
PID 3920 wrote to memory of 2428 3920 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe 92
PID 3920 wrote to memory of 1540 3920 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe 93
PID 3920 wrote to memory of 1540 3920 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe 93
PID 3920 wrote to memory of 4092 3920 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe 94
PID 3920 wrote to memory of 4092 3920 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe 94
PID 3920 wrote to memory of 4964 3920 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe 95
PID 3920 wrote to memory of 4964 3920 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe 95
PID 3920 wrote to memory of 1944 3920 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe 96
PID 3920 wrote to memory of 1944 3920 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe 96
PID 3920 wrote to memory of 2452 3920 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe 97
PID 3920 wrote to memory of 2452 3920 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe 97
PID 3920 wrote to memory of 2684 3920 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe 98
PID 3920 wrote to memory of 2684 3920 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe 98
PID 3920 wrote to memory of 2828 3920 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe 99
PID 3920 wrote to memory of 2828 3920 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe 99
PID 3920 wrote to memory of 232 3920 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe 100
PID 3920 wrote to memory of 232 3920 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe 100
PID 3920 wrote to memory of 904 3920 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe 101
PID 3920 wrote to memory of 904 3920 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe 101
PID 3920 wrote to memory of 2024 3920 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe 102
PID 3920 wrote to memory of 2024 3920 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe 102
PID 3920 wrote to memory of 1808 3920 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe 103
PID 3920 wrote to memory of 1808 3920 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe 103
PID 3920 wrote to memory of 3972 3920 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe 104
PID 3920 wrote to memory of 3972 3920 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe 104
PID 3920 wrote to memory of 4632 3920 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe 105
PID 3920 wrote to memory of 4632 3920 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe 105
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe"
  PID: 3920
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\System\KAuynYm.exe
    Command line: C:\Windows\System\KAuynYm.exe
    PID: 2280
    - Executes dropped EXE
  - C:\Windows\System\uHAsVSo.exe
    Command line: C:\Windows\System\uHAsVSo.exe
    PID: 3048
    - Executes dropped EXE
  - C:\Windows\System\CjZtxuu.exe
    Command line: C:\Windows\System\CjZtxuu.exe
    PID: 4164
    - Executes dropped EXE
  - C:\Windows\System\sBiyzSd.exe
    Command line: C:\Windows\System\sBiyzSd.exe
    PID: 2548
    - Executes dropped EXE
  - C:\Windows\System\yhFkjlV.exe
    Command line: C:\Windows\System\yhFkjlV.exe
    PID: 1444
    - Executes dropped EXE
  - C:\Windows\System\yifKjbf.exe
    Command line: C:\Windows\System\yifKjbf.exe
    PID: 2904
    - Executes dropped EXE
  - C:\Windows\System\hfXHkKs.exe
    Command line: C:\Windows\System\hfXHkKs.exe
    PID: 3024
    - Executes dropped EXE
  - C:\Windows\System\gsCfSJb.exe
    Command line: C:\Windows\System\gsCfSJb.exe
    PID: 2428
    - Executes dropped EXE
  - C:\Windows\System\KnIRYnG.exe
    Command line: C:\Windows\System\KnIRYnG.exe
    PID: 1540
    - Executes dropped EXE
  - C:\Windows\System\KjeVnkq.exe
    Command line: C:\Windows\System\KjeVnkq.exe
    PID: 4092
    - Executes dropped EXE
  - C:\Windows\System\UxicEcz.exe
    Command line: C:\Windows\System\UxicEcz.exe
    PID: 4964
    - Executes dropped EXE
  - C:\Windows\System\JRWeJcM.exe
    Command line: C:\Windows\System\JRWeJcM.exe
    PID: 1944
    - Executes dropped EXE
  - C:\Windows\System\LtcWpag.exe
    Command line: C:\Windows\System\LtcWpag.exe
    PID: 2452
    - Executes dropped EXE
  - C:\Windows\System\quTckqn.exe
    Command line: C:\Windows\System\quTckqn.exe
    PID: 2684
    - Executes dropped EXE
  - C:\Windows\System\NAiniAS.exe
    Command line: C:\Windows\System\NAiniAS.exe
    PID: 2828
    - Executes dropped EXE
  - C:\Windows\System\BeIQzws.exe
    Command line: C:\Windows\System\BeIQzws.exe
    PID: 232
    - Executes dropped EXE
  - C:\Windows\System\ndFMAlO.exe
    Command line: C:\Windows\System\ndFMAlO.exe
    PID: 904
    - Executes dropped EXE
  - C:\Windows\System\zFYoJrr.exe
    Command line: C:\Windows\System\zFYoJrr.exe
    PID: 2024
    - Executes dropped EXE
  - C:\Windows\System\qdsYLeZ.exe
    Command line: C:\Windows\System\qdsYLeZ.exe
    PID: 1808
    - Executes dropped EXE
  - C:\Windows\System\ULEyfUT.exe
    Command line: C:\Windows\System\ULEyfUT.exe
    PID: 3972
    - Executes dropped EXE
  - C:\Windows\System\INgnIow.exe
    Command line: C:\Windows\System\INgnIow.exe
    PID: 4632
    - Executes dropped EXE
Downloads