Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

2024-09-16...ch.exe

windows7-x64

3

2024-09-16...ch.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    92s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240910-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/09/2024, 12:04 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-09-16_e7868ad754ed1bf83e38c5edf18d2da1_cobalt-strike_cobaltstrike_poet-rat_snatch.exe

  • Size

    5.0MB

  • MD5

    e7868ad754ed1bf83e38c5edf18d2da1

  • SHA1

    529970ff4e8064a73d1bdee563eef9fc994cf465

  • SHA256

    0ce28ae1e2df442978432b4c2ba72c494cc3f5d6f70af1629158c966861b34a3

  • SHA512

    d3770952c58775bc7ce9dcc2b202ffdfb2980f102f892d01b6dffbeb7618fac97ba962b145f8a89cb8e9fb64793a94548630bf06a6d71ce5e41f04e3bc0dca9e

  • SSDEEP

    49152:r56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6liK1uOCeXvpnk:r56utgpPFotBER/mQ32lUC

Score
3/10
discovery

Malware Config

Signatures

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-16_e7868ad754ed1bf83e38c5edf18d2da1_cobalt-strike_cobaltstrike_poet-rat_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-16_e7868ad754ed1bf83e38c5edf18d2da1_cobalt-strike_cobaltstrike_poet-rat_snatch.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:4740

Network

  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.ax-0001.ax-msedge.net
    g-bing-com.ax-0001.ax-msedge.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a79eb5d720fd4849a451e5c838a3b6e9&localId=w:5A295BCA-DFF9-2E0C-2E68-966309597EF6&deviceId=6755474747387675&anid=
    Remote address:
    150.171.28.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a79eb5d720fd4849a451e5c838a3b6e9&localId=w:5A295BCA-DFF9-2E0C-2E68-966309597EF6&deviceId=6755474747387675&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=16C97A7240A0693102616E8E414068C2; domain=.bing.com; expires=Sat, 11-Oct-2025 12:05:04 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: EE259F9DB013470285F7BBFB5D2BA91C Ref B: LON04EDGE1019 Ref C: 2024-09-16T12:05:04Z
    date: Mon, 16 Sep 2024 12:05:04 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=a79eb5d720fd4849a451e5c838a3b6e9&localId=w:5A295BCA-DFF9-2E0C-2E68-966309597EF6&deviceId=6755474747387675&anid=
    Remote address:
    150.171.28.10:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=a79eb5d720fd4849a451e5c838a3b6e9&localId=w:5A295BCA-DFF9-2E0C-2E68-966309597EF6&deviceId=6755474747387675&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=16C97A7240A0693102616E8E414068C2
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=WuG_GXSLYhim7cB6unHM7yYCHQILJNTJz7ZUfWblh34; domain=.bing.com; expires=Sat, 11-Oct-2025 12:05:04 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 443F97F1A6B74A9F950AA99D24A91654 Ref B: LON04EDGE1019 Ref C: 2024-09-16T12:05:04Z
    date: Mon, 16 Sep 2024 12:05:04 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a79eb5d720fd4849a451e5c838a3b6e9&localId=w:5A295BCA-DFF9-2E0C-2E68-966309597EF6&deviceId=6755474747387675&anid=
    Remote address:
    150.171.28.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a79eb5d720fd4849a451e5c838a3b6e9&localId=w:5A295BCA-DFF9-2E0C-2E68-966309597EF6&deviceId=6755474747387675&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=16C97A7240A0693102616E8E414068C2; MSPTC=WuG_GXSLYhim7cB6unHM7yYCHQILJNTJz7ZUfWblh34
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 4701B9EA90D748728F236F1753488E5B Ref B: LON04EDGE1019 Ref C: 2024-09-16T12:05:04Z
    date: Mon, 16 Sep 2024 12:05:04 GMT
  • flag-us
    DNS
    72.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    72.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    88.156.103.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.156.103.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    s3.us-east-2.amazonaws.com
    2024-09-16_e7868ad754ed1bf83e38c5edf18d2da1_cobalt-strike_cobaltstrike_poet-rat_snatch.exe
    Remote address:
    8.8.8.8:53
    Request
    s3.us-east-2.amazonaws.com
    IN A
    Response
    s3.us-east-2.amazonaws.com
    IN A
    52.219.228.41
    s3.us-east-2.amazonaws.com
    IN A
    52.219.176.177
    s3.us-east-2.amazonaws.com
    IN A
    52.219.98.249
    s3.us-east-2.amazonaws.com
    IN A
    52.219.96.154
    s3.us-east-2.amazonaws.com
    IN A
    16.12.65.9
    s3.us-east-2.amazonaws.com
    IN A
    52.219.142.25
    s3.us-east-2.amazonaws.com
    IN A
    52.219.109.145
    s3.us-east-2.amazonaws.com
    IN A
    52.219.93.113
  • flag-us
    DNS
    41.228.219.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    41.228.219.52.in-addr.arpa
    IN PTR
    Response
    41.228.219.52.in-addr.arpa
    IN PTR
    s3 us-east-2 amazonawscom
  • flag-us
    DNS
    46.9.84.99.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    46.9.84.99.in-addr.arpa
    IN PTR
    Response
    46.9.84.99.in-addr.arpa
    IN PTR
    server-99-84-9-46lhr62r cloudfrontnet
  • flag-us
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    56.126.166.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.126.166.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    107.12.20.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    107.12.20.2.in-addr.arpa
    IN PTR
    Response
    107.12.20.2.in-addr.arpa
    IN PTR
    a2-20-12-107deploystaticakamaitechnologiescom
  • flag-us
    DNS
    25.140.123.92.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    25.140.123.92.in-addr.arpa
    IN PTR
    Response
    25.140.123.92.in-addr.arpa
    IN PTR
    a92-123-140-25deploystaticakamaitechnologiescom
  • flag-us
    DNS
    11.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
    Response
  • 150.171.28.10:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a79eb5d720fd4849a451e5c838a3b6e9&localId=w:5A295BCA-DFF9-2E0C-2E68-966309597EF6&deviceId=6755474747387675&anid=
    tls, http2
    2.0kB
     9.4kB
     22
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a79eb5d720fd4849a451e5c838a3b6e9&localId=w:5A295BCA-DFF9-2E0C-2E68-966309597EF6&deviceId=6755474747387675&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=a79eb5d720fd4849a451e5c838a3b6e9&localId=w:5A295BCA-DFF9-2E0C-2E68-966309597EF6&deviceId=6755474747387675&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a79eb5d720fd4849a451e5c838a3b6e9&localId=w:5A295BCA-DFF9-2E0C-2E68-966309597EF6&deviceId=6755474747387675&anid=

    HTTP Response

    204
  • 52.219.228.41:443
    s3.us-east-2.amazonaws.com
    tls
    2024-09-16_e7868ad754ed1bf83e38c5edf18d2da1_cobalt-strike_cobaltstrike_poet-rat_snatch.exe
    1.2kB
     7.8kB
     15
    18
  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
     148 B
     1
    1

    DNS Request

    g.bing.com

    DNS Response

    150.171.28.10
    150.171.27.10

  • 8.8.8.8:53
    72.32.126.40.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    72.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    88.156.103.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    88.156.103.20.in-addr.arpa

  • 8.8.8.8:53
    s3.us-east-2.amazonaws.com
    dns
    2024-09-16_e7868ad754ed1bf83e38c5edf18d2da1_cobalt-strike_cobaltstrike_poet-rat_snatch.exe
    72 B
     200 B
     1
    1

    DNS Request

    s3.us-east-2.amazonaws.com

    DNS Response

    52.219.228.41
    52.219.176.177
    52.219.98.249
    52.219.96.154
    16.12.65.9
    52.219.142.25
    52.219.109.145
    52.219.93.113

  • 8.8.8.8:53
    41.228.219.52.in-addr.arpa
    dns
    72 B
     112 B
     1
    1

    DNS Request

    41.228.219.52.in-addr.arpa

  • 8.8.8.8:53
    46.9.84.99.in-addr.arpa
    dns
    69 B
     123 B
     1
    1

    DNS Request

    46.9.84.99.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
     156 B
     1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    56.126.166.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    56.126.166.20.in-addr.arpa

  • 8.8.8.8:53
    107.12.20.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    107.12.20.2.in-addr.arpa

  • 8.8.8.8:53
    25.140.123.92.in-addr.arpa
    dns
    72 B
     137 B
     1
    1

    DNS Request

    25.140.123.92.in-addr.arpa

  • 8.8.8.8:53
    11.227.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    11.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.