Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
138s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
23/09/2024, 15:59
Static task
static1
Behavioral task
behavioral1
Sample
2024-09-23_7cbe4acc2760708e7190b160585eee77_cobalt-strike_poet-rat_snatch.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2024-09-23_7cbe4acc2760708e7190b160585eee77_cobalt-strike_poet-rat_snatch.exe
Resource
win10v2004-20240802-en
General
-
Target
2024-09-23_7cbe4acc2760708e7190b160585eee77_cobalt-strike_poet-rat_snatch.exe
-
Size
22.4MB
-
MD5
7cbe4acc2760708e7190b160585eee77
-
SHA1
01e7fece2462724c7ce6d5a9152500a09dfcd667
-
SHA256
1402b75764fd726cf62364af9d6bf9449e3415682e8d0ecbc017deb8b23808a9
-
SHA512
c5495047b8fc4d4c81323f63a4e8feca77090f1fcb4ecbc53496c1fd609a3676fd339e9147647ce75d9e3640f3c285cb19f0988d08486077020765872e5c9200
-
SSDEEP
393216:692DO8D1/gzQnSegNPCQM2/psErTmlJhjePxnIGuYebQZ:G2D4zQnSxJCQHscmNePxnlDebQ
Malware Config
Signatures
-
An open source browser data exporter written in golang. 9 IoCs
resource yara_rule behavioral2/memory/3400-5-0x0000000000400000-0x0000000000DED000-memory.dmp family_hackbrowserdata behavioral2/memory/3400-12-0x0000000000400000-0x0000000000DED000-memory.dmp family_hackbrowserdata behavioral2/memory/3400-13-0x0000000000400000-0x0000000000DED000-memory.dmp family_hackbrowserdata behavioral2/memory/3400-16-0x0000000000400000-0x0000000000DED000-memory.dmp family_hackbrowserdata behavioral2/memory/3400-15-0x0000000000400000-0x0000000000DED000-memory.dmp family_hackbrowserdata behavioral2/memory/3400-14-0x0000000000400000-0x0000000000DED000-memory.dmp family_hackbrowserdata behavioral2/memory/3400-36-0x0000000000400000-0x0000000000DED000-memory.dmp family_hackbrowserdata behavioral2/memory/3400-39-0x0000000000400000-0x0000000000DED000-memory.dmp family_hackbrowserdata behavioral2/memory/3400-174-0x0000000000400000-0x0000000000DED000-memory.dmp family_hackbrowserdata -
HackBrowserData
An open source golang web browser extractor.
-
Executes dropped EXE 2 IoCs
pid Process 4480 script_cookie_encrypted.exe 3704 rate.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 2 api.ipify.org 12 api.ipify.org -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 4480 set thread context of 3400 4480 script_cookie_encrypted.exe 88 PID 3704 set thread context of 3956 3704 rate.exe 95 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jsc.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 2024-09-23_7cbe4acc2760708e7190b160585eee77_cobalt-strike_poet-rat_snatch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 2024-09-23_7cbe4acc2760708e7190b160585eee77_cobalt-strike_poet-rat_snatch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C 2024-09-23_7cbe4acc2760708e7190b160585eee77_cobalt-strike_poet-rat_snatch.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4480 script_cookie_encrypted.exe Token: SeDebugPrivilege 3956 jsc.exe -
Suspicious use of WriteProcessMemory 27 IoCs
description pid Process procid_target PID 4904 wrote to memory of 4480 4904 2024-09-23_7cbe4acc2760708e7190b160585eee77_cobalt-strike_poet-rat_snatch.exe 83 PID 4904 wrote to memory of 4480 4904 2024-09-23_7cbe4acc2760708e7190b160585eee77_cobalt-strike_poet-rat_snatch.exe 83 PID 4480 wrote to memory of 3400 4480 script_cookie_encrypted.exe 88 PID 4480 wrote to memory of 3400 4480 script_cookie_encrypted.exe 88 PID 4480 wrote to memory of 3400 4480 script_cookie_encrypted.exe 88 PID 4480 wrote to memory of 3400 4480 script_cookie_encrypted.exe 88 PID 4480 wrote to memory of 3400 4480 script_cookie_encrypted.exe 88 PID 4480 wrote to memory of 3400 4480 script_cookie_encrypted.exe 88 PID 4480 wrote to memory of 3400 4480 script_cookie_encrypted.exe 88 PID 4480 wrote to memory of 3400 4480 script_cookie_encrypted.exe 88 PID 4480 wrote to memory of 3400 4480 script_cookie_encrypted.exe 88 PID 4480 wrote to memory of 3400 4480 script_cookie_encrypted.exe 88 PID 4480 wrote to memory of 3400 4480 script_cookie_encrypted.exe 88 PID 4480 wrote to memory of 3400 4480 script_cookie_encrypted.exe 88 PID 4904 wrote to memory of 3704 4904 2024-09-23_7cbe4acc2760708e7190b160585eee77_cobalt-strike_poet-rat_snatch.exe 90 PID 4904 wrote to memory of 3704 4904 2024-09-23_7cbe4acc2760708e7190b160585eee77_cobalt-strike_poet-rat_snatch.exe 90 PID 3704 wrote to memory of 3956 3704 rate.exe 95 PID 3704 wrote to memory of 3956 3704 rate.exe 95 PID 3704 wrote to memory of 3956 3704 rate.exe 95 PID 3704 wrote to memory of 3956 3704 rate.exe 95 PID 3704 wrote to memory of 3956 3704 rate.exe 95 PID 3704 wrote to memory of 3956 3704 rate.exe 95 PID 3704 wrote to memory of 3956 3704 rate.exe 95 PID 3704 wrote to memory of 3956 3704 rate.exe 95 PID 3704 wrote to memory of 4272 3704 rate.exe 96 PID 3704 wrote to memory of 4272 3704 rate.exe 96 PID 3704 wrote to memory of 4272 3704 rate.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-09-23_7cbe4acc2760708e7190b160585eee77_cobalt-strike_poet-rat_snatch.exe"C:\Users\Admin\AppData\Local\Temp\2024-09-23_7cbe4acc2760708e7190b160585eee77_cobalt-strike_poet-rat_snatch.exe"1⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4904 -
C:\Users\Admin\script_cookie_encrypted.exeC:\Users\Admin\script_cookie_encrypted.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4480 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"3⤵PID:3400
-
-
-
C:\Users\Admin\rate.exeC:\Users\Admin\rate.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3704 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3956
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"3⤵PID:4272
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
16B
MD59f36605efba98dab15728fe8b5538aa0
SHA16a7cff514ae159a59b70f27dde52a3a5dd01b1c8
SHA2569c283f6e81028b9eb0760d918ee4bc0aa256ed3b926393c1734c760c4bd724fd
SHA5121893aa3d1abcf7f9e83911468fa2eeb2ad1d7e23f4586bd6c4d76f9f96a645c15e63e44da55700347165e97b6ac412e6d495b81c3da9faa61d617c7a71a7404c
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
3.6MB
MD50c8bc5317e4b23f1e6dd3a2b7af70255
SHA149dd70a5dfb41a77806f0abb0b9f54d0cd01d652
SHA256af847306fa5457d15f4d378e2622f6ff3f92c9a093810f760bf1f3cc91aacb7f
SHA512e95a567a70df88ac1226fd4973a6103f195c38f1790750047feead51b186434d88ab5a525c77cbe509f6fa8d8c90b77fac9daf2a48d31f85db12ab1b11863878
-
Filesize
11.2MB
MD5b50c04edf22d51016e00d6f385b41cc7
SHA122295a90e102a3ffdada9f52230fb9e604bac281
SHA2562a7cae1fd866ff4f11e5c41c428b9b3c1078df3b523706d8a5145c55bd359ba9
SHA512a574405593129fd729d8bf5fdcf6813cb68870cbb1124969def626db06069ccb2e18841c73ca5f34f71d33b4edd9c1982b6282a6f3e66b645e1043eff45f1f73