Analysis

  • max time kernel
    143s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/08/2024, 00:47

General

  • Target

    2024-08-18_45f066add633849d906229f65f4e5302_cobalt-strike_cobaltstrike_poet-rat.exe

  • Size

    5.7MB

  • MD5

    45f066add633849d906229f65f4e5302

  • SHA1

    0d42cc4b30fa2449068c853bc5bbfe98508d1442

  • SHA256

    1e88611707576ec671867cb181a51f9ec80b2e9c3d29c3907bc11cb91f86e9f4

  • SHA512

    0b05f77eb9714f32198694fe44ecf6398d503d7c019e5166441d60f0cb0984fb2ad30579c5e4b27161e1f41b0935ef0a4d5963a8a04564db56ae1d79d6944373

  • SSDEEP

    98304:GemTLkNdfE0pZaN56utgpPFotBER/mQ32lUn:J+156utgpPF8u/7n

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes
  • access_type

    512

  • beacon_type

    256

  • create_remote_thread

    768

  • crypto_scheme

    256

  • host

    ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    0

Signatures

  • Cobalt Strike reflective loader 21 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner payload 21 IoCs
  • Executes dropped EXE 21 IoCs
  • Drops file in Windows directory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-18_45f066add633849d906229f65f4e5302_cobalt-strike_cobaltstrike_poet-rat.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-18_45f066add633849d906229f65f4e5302_cobalt-strike_cobaltstrike_poet-rat.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2460
    • C:\Windows\System\YgWNcVz.exe
      C:\Windows\System\YgWNcVz.exe
      2⤵
      • Executes dropped EXE
      PID:2304
    • C:\Windows\System\CYSgMlJ.exe
      C:\Windows\System\CYSgMlJ.exe
      2⤵
      • Executes dropped EXE
      PID:4876
    • C:\Windows\System\ujdJpnZ.exe
      C:\Windows\System\ujdJpnZ.exe
      2⤵
      • Executes dropped EXE
      PID:4404
    • C:\Windows\System\xcFmyAq.exe
      C:\Windows\System\xcFmyAq.exe
      2⤵
      • Executes dropped EXE
      PID:2160
    • C:\Windows\System\gwVqIvj.exe
      C:\Windows\System\gwVqIvj.exe
      2⤵
      • Executes dropped EXE
      PID:5020
    • C:\Windows\System\XByDtFv.exe
      C:\Windows\System\XByDtFv.exe
      2⤵
      • Executes dropped EXE
      PID:2116
    • C:\Windows\System\OBvSAJA.exe
      C:\Windows\System\OBvSAJA.exe
      2⤵
      • Executes dropped EXE
      PID:5004
    • C:\Windows\System\eBetAUd.exe
      C:\Windows\System\eBetAUd.exe
      2⤵
      • Executes dropped EXE
      PID:2636
    • C:\Windows\System\UJrAkfL.exe
      C:\Windows\System\UJrAkfL.exe
      2⤵
      • Executes dropped EXE
      PID:3084
    • C:\Windows\System\TfpqOxO.exe
      C:\Windows\System\TfpqOxO.exe
      2⤵
      • Executes dropped EXE
      PID:4960
    • C:\Windows\System\OXgFGNi.exe
      C:\Windows\System\OXgFGNi.exe
      2⤵
      • Executes dropped EXE
      PID:716
    • C:\Windows\System\QUHnWAM.exe
      C:\Windows\System\QUHnWAM.exe
      2⤵
      • Executes dropped EXE
      PID:2232
    • C:\Windows\System\lzIiNGA.exe
      C:\Windows\System\lzIiNGA.exe
      2⤵
      • Executes dropped EXE
      PID:1532
    • C:\Windows\System\BVUxKdL.exe
      C:\Windows\System\BVUxKdL.exe
      2⤵
      • Executes dropped EXE
      PID:4260
    • C:\Windows\System\MLCXwKy.exe
      C:\Windows\System\MLCXwKy.exe
      2⤵
      • Executes dropped EXE
      PID:4756
    • C:\Windows\System\nZlcVXA.exe
      C:\Windows\System\nZlcVXA.exe
      2⤵
      • Executes dropped EXE
      PID:4208
    • C:\Windows\System\QDiqnIv.exe
      C:\Windows\System\QDiqnIv.exe
      2⤵
      • Executes dropped EXE
      PID:1112
    • C:\Windows\System\NnNqEWy.exe
      C:\Windows\System\NnNqEWy.exe
      2⤵
      • Executes dropped EXE
      PID:2068
    • C:\Windows\System\jNeuhvM.exe
      C:\Windows\System\jNeuhvM.exe
      2⤵
      • Executes dropped EXE
      PID:3616
    • C:\Windows\System\ZMfXUjS.exe
      C:\Windows\System\ZMfXUjS.exe
      2⤵
      • Executes dropped EXE
      PID:1744
    • C:\Windows\System\ZQQvDCp.exe
      C:\Windows\System\ZQQvDCp.exe
      2⤵
      • Executes dropped EXE
      PID:3176

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Windows\System\BVUxKdL.exe

    Filesize

    5.7MB

    MD5

    dfe8b43d493835d15c3d46f4f0f15d55

    SHA1

    b4d31859bb3a0a6da5920870a18e5f0df66073be

    SHA256

    9d2feea1016b3048d4c2af87cd32e258bc40fe17f26801f4ff63effd045d8155

    SHA512

    58e85022c4f25ee3e39aee9383cfe50577eb9f65d6cabf5cd7a66de671d1812aac5c15a779c2d072cf79f17ca342345db72921e7b8ae03eac51f62c2245edd33

  • C:\Windows\System\CYSgMlJ.exe

    Filesize

    5.7MB

    MD5

    b66ed54d0dcf8dde12b623531f771031

    SHA1

    7e26e17f36b6a40bb6c45a31685df42f444a466c

    SHA256

    3a546bbda62e6e8beda670079f7666c65330979e05ed02ba3397e3f1b5ddf057

    SHA512

    5e33b0b9f4c3d71ea3324f5906f7ccc255c76d57bb90dc87b8269209d9cc70a2173dcdbb619193adcc420d5f9c252ffefc8f12727a4d206e5e2beb8110cd0407

  • C:\Windows\System\MLCXwKy.exe

    Filesize

    5.7MB

    MD5

    894f29db0ed5c0ed7478ecb43fbe9db0

    SHA1

    2348987ec53ceaa8fbdd5520e3c3dca1a136ad61

    SHA256

    462ac8b36eeaa478cead609e3e75993446b193f40aae89a414909b3683053951

    SHA512

    a21eb5487d5c40467196f45d1b7ce62570d02f253f562a54dc2440a26417727e35e21e3b28d468db93b77dceb1e869e1f7a01fc98923fbd384f7ae43f2844c93

  • C:\Windows\System\NnNqEWy.exe

    Filesize

    5.7MB

    MD5

    6a3d2490c71785f92b5d6872f483a09d

    SHA1

    b4f1e1faab40a109284e0b5a42b3332ca1098211

    SHA256

    60dcf5399fca2cd85188b6c20d52d118484fe134655a73e9fb950a61c248d251

    SHA512

    25b627bc1a5b27e925ab0ecf912bfc4550e4723df811ef29e7b32433b3aa5196be4a71223e903db5a7446355c82c80bf019a77f287c880f5cc22598eeb3bfe87

  • C:\Windows\System\OBvSAJA.exe

    Filesize

    5.7MB

    MD5

    73a335a04113a7dd1e43f43cc47b7092

    SHA1

    2d5b6d0543f9a0acd4bec7159238a1ff0aebe91c

    SHA256

    fc8619ee6ea1f44035519e043d1583efe2e22de8d8263267d3ce68b9e81b1a18

    SHA512

    2b54758629dcfc2523077dac84c3de3240bc4d4b18ac25123369d2aaf4af65bd46b4c50c772e85162137a5c6272430162b5217eac08b608fe4629e41d2ef2272

  • C:\Windows\System\OXgFGNi.exe

    Filesize

    5.7MB

    MD5

    29ee965938f901ac9335d5ab5888d319

    SHA1

    d0b4e8dfe3c168974879cf958f21e7758468030d

    SHA256

    9eebf78348a94e77ac55a0797fa452eb2703fedbe503bb4cb25abd3fc57a9451

    SHA512

    c3302664e5fe66a76c68e316fb25ff438d2111b3160a04edb9806bd7b38b19b7d32729a1ed86e4898fcc8292c4ea5c214a8d8135c4cd9f1ff044b614546dd917

  • C:\Windows\System\QDiqnIv.exe

    Filesize

    5.7MB

    MD5

    910dbc7d6db431654ee40935455751a3

    SHA1

    3e327a815b69f527a4699403d16baa7f0f54622d

    SHA256

    4300e1552609605b210640005020e411774acd000d0b65ecaffbdb131600a1fe

    SHA512

    60d98aed55ad69e48aeb31fcb94f2bef449aacb652fffaa07ad595acbabb5397f45370790e2170b87b1216d75a74ed320b668acbf8f29fd1164668d4d97d1259

  • C:\Windows\System\QUHnWAM.exe

    Filesize

    5.7MB

    MD5

    83367e4427de872445363b3a4295246a

    SHA1

    fa37237f3ffe74e80313817e798d2236fb79c796

    SHA256

    81fa276ebf990ec9c08430b0d378fcb09a9efb15f079e1cec7f0c819cd482523

    SHA512

    318d08893b18d764e063e21e5756d2c052b33c8c16da3fd3ff4403894ab88d4bfe305a057f13153857dcb27680934785aadbd54a22783c7a79a9c35b5f7b3be3

  • C:\Windows\System\TfpqOxO.exe

    Filesize

    5.7MB

    MD5

    f596d84228b9c67e8c3eb9779d4bb0dc

    SHA1

    5be4daad9001d505c45f0589cf5777b5affd3387

    SHA256

    ad8e4c36c8acc138025fec83879a49150e735a5dc312fd1ac11ef296e29d32c4

    SHA512

    aa707366bd1f6a44bca3ae05a92b04bb23827ff0a1096fd45edc1f1834560aa30e05c3eada65efbcb5697da6d862bb0f9f6ce3bfd7165d820d0f7e33f6e194be

  • C:\Windows\System\UJrAkfL.exe

    Filesize

    5.7MB

    MD5

    d5f3b574871b91f5ded2ff8d6295e9cd

    SHA1

    aaea18274f42d5afb9452b9d0c55b81877971fd4

    SHA256

    1ee7b4e30aa04852d7047cf847a7251199c58a8a06a11eff320c0fcb82e7fd40

    SHA512

    5fc766f1f2bdb8be34c80d589354de3e43114afacb3630adc664bd932ad791369db0fe3b862035eaf1f77427812d4de89e8e11ecb2cd5e95b706c686eebfa8ba

  • C:\Windows\System\XByDtFv.exe

    Filesize

    5.7MB

    MD5

    1b50a71262b3c4fc3ebf3e83c5da2d0c

    SHA1

    19dbeb8325d216ae9fb1092f5332f6ab67b67067

    SHA256

    50b3a19dd581f5886369e3387d0603a89715622ca0e3389ba32dc3c3aca50116

    SHA512

    5b0c5002ae931259db54533b0d949cf9f96e409b9fdf28cb547b3e777a1df23472e99f5689995dcc36059fd0a277d952732cf4c1a3df73a9b116ad50978319f9

  • C:\Windows\System\YgWNcVz.exe

    Filesize

    5.7MB

    MD5

    5b1b24d9075f321ed1b3ab31841e199e

    SHA1

    e8204e26ae5a7e5fe6f0574bba16ef311eeacfe4

    SHA256

    d2259c95f0e89df062edaaa50f5bb707b399795f43e9757f0f7c6c19f7812152

    SHA512

    9a6577c32af77ffb8a2ab755b32dd54758e6dc57bfe19966db3aadb1fea3e813c268220ed64b64c152b86864d627be059924fdc89bcfe4c22a5a5f1884451ec5

  • C:\Windows\System\ZMfXUjS.exe

    Filesize

    5.7MB

    MD5

    142ed8e1723400cea3de000b246bfce9

    SHA1

    fcbf5ab89ff7c2a586f111febedc663038be5b71

    SHA256

    925c287ebda85cc3874e790457e3c5fe18977790c60bec9b7dcc059e8c726bca

    SHA512

    a91582d3b50be29d58031a27beccbd79976b72e80ffaa7eca695c068d2a02948b6c9027cd045e46d4e765346ecd46f512886c9799f30b84d6524d8acbf7bae26

  • C:\Windows\System\ZQQvDCp.exe

    Filesize

    5.7MB

    MD5

    876807ab38cf3914e0185949a91c8323

    SHA1

    ce8e8f2960606158d8d04408b430d46323486cf4

    SHA256

    898a779de13aad3d43deb7ee6ac8917bf36012d1aeb7da21b0a0ec944cad1b75

    SHA512

    3d2e1539066af932c8416b2745998061e3ad647d4ad28ab5883e8274147d6ea64751809ab7c7afc9169c664dc87c891e472fbab50dcec0f9b57a3c4868d1c355

  • C:\Windows\System\eBetAUd.exe

    Filesize

    5.7MB

    MD5

    16492146073a5f53ff06890029b8f37f

    SHA1

    5de2ecd38bd1b28b59a7819109992fc10cc1ba87

    SHA256

    99561b52ecd6bd6db180fb47c9ef77f276e03872988e5de1e59eaa742e902232

    SHA512

    1eb77c18d67f9d2b43a03f5aa0c95cafd6efdd59fc4d5bfdf70d6e866481ebd13ae89a6a1386e47d23bb98488e0a1732fa02e9c7096326f2436e48d38124600f

  • C:\Windows\System\gwVqIvj.exe

    Filesize

    5.7MB

    MD5

    ae362eedd8abf0cd718360bd105424b5

    SHA1

    88caee43138bc2773656a0a01d4be845ef40f0b7

    SHA256

    0120c0769f39f38cd883c82b599927cd61f3dae2423b3e26855ce5dfc2d366ce

    SHA512

    8197d6a54a32a1170227ce32385065b674ee5de2990d0d3f175415fa6c9e3cc43c8497fc071fa08cc271197ca3175117de62382249e5d7ffb1d19e374c9dd2f3

  • C:\Windows\System\jNeuhvM.exe

    Filesize

    5.7MB

    MD5

    e1ade1c413ff37b4a47cb0715eca66e7

    SHA1

    74825cbd640c5ac08487445bf4869562f8d54fe7

    SHA256

    d1d9ea30f54ebfaf5f477ca5ae02e8afb46b2d0af2d26654db37f9e678a81338

    SHA512

    301a26353009b61f2db12a61982e095ff503f17db5d0adca29b21a194edafd9ad853edce70c8f988cc2e3402d02e2215a4838942aabc253124d852b0df8276bc

  • C:\Windows\System\lzIiNGA.exe

    Filesize

    5.7MB

    MD5

    264e815b144fb019033bd856570fb059

    SHA1

    82b4728a6126c6dede23bf435531c8b02bda9429

    SHA256

    3d8382a46028356343e49cd73c06da5c9c1e4c2a0f1e6a23a73035616d7e381a

    SHA512

    7b7418ab2e97e8ec52d7f2e66f698c2a025b9a76a33f700723bd9bb9254bf216eb536955ff5999a48cc6a71f9e0b26ff08bb695571e5a2c58655331ec6810608

  • C:\Windows\System\nZlcVXA.exe

    Filesize

    5.7MB

    MD5

    311dfb633c56f084b8617f354ea828cc

    SHA1

    5a16af4ae256a6b8172ec0debf1140c1c245471a

    SHA256

    fec1c8181f7c54263b25e16258f2a7cd2b6cd50da5d2e1db346aca5e057d8250

    SHA512

    0508bc2b2be18ee2d277c80c2ec715402f54b7d37e2714370c80477ecc034589e98eb73fce94ea9314c718c9d89e4da79d4b6e288fd7fa9ff73c2c08a1784dad

  • C:\Windows\System\ujdJpnZ.exe

    Filesize

    5.7MB

    MD5

    6087e5d842e9eccc6f50fc1cdd984c67

    SHA1

    b743f13f12e228a4ff29c06fde021db400e3d17c

    SHA256

    065869447d5ee5fd64c1893bb184a1b4fd54c8d9b4fab3fbe9dd64ce6f05d102

    SHA512

    60a619d354490600c79776971c1ae1ed3145b0c05b14987fab9a8a7f00c0baa06c92e9a2f4ef5f563133b5ddf9ad3aa16c9451c26800be32203de8cdd7b0920b

  • C:\Windows\System\xcFmyAq.exe

    Filesize

    5.7MB

    MD5

    54af54402a1c0e4c1fed056356e2d1cc

    SHA1

    9e2e66318d022b0844b7d1fb34852171f4eafa8b

    SHA256

    8687bb71f29db8ba5c93837dcbf420ab4cd59d1782a9dcb614d476f18dbf5d22

    SHA512

    e0d92d2039aec398e5a2939adf31317eae10c3ce9fbbc645ecce0d020723410c90bb61a373bf2655fea1f3971869859ce14beb86d0eaea939f113f83ffb62dc6

  • memory/2460-0-0x00000000001F0000-0x0000000000200000-memory.dmp

    Filesize

    64KB