Analysis
max time kernel: 145s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/01/2025, 00:01
Behavioral task: behavioral1
Sample: 2025-01-20_cd0fdc0fc5e1a52796ff0154f43fc48f_cobalt-strike_cobaltstrike_poet-rat.exe
Resource: win7-20241010-en
General
Target: 2025-01-20_cd0fdc0fc5e1a52796ff0154f43fc48f_cobalt-strike_cobaltstrike_poet-rat.exe
Size: 5.7MB
MD5: cd0fdc0fc5e1a52796ff0154f43fc48f
SHA1: b6b2d83482cc7b825a19e45cc5e55df495c3bc5a
SHA256: 5e39928e422dd757d749cef86afd8115ea9655eafb1de52c092911de9444bbce
SHA512: 5131cc1130371dfb544ebdad4895e3bf77c6c96e77a62ea16c09809e41676650e7f7a0b82e45b8a5f92958ae5532ea5d8e98be3d80762ffe56ff6fa923b1b376
SSDEEP: 98304:4emTLkNdfE0pZaJ56utgpPFotBER/mQ32lUT:j+R56utgpPF8u/7T
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
Signatures

Cobalt Strike reflective loader (21 IoCs)
Detects the reflective loader used by Cobalt Strike.
resource | yara_rule
behavioral2/files/0x0008000000023c94-5.dat | cobalt_reflective_dll
behavioral2/files/0x0007000000023c9b-7.dat | cobalt_reflective_dll
behavioral2/files/0x0007000000023c9c-14.dat | cobalt_reflective_dll
behavioral2/files/0x0008000000023c9f-29.dat | cobalt_reflective_dll
behavioral2/files/0x0007000000023ca0-38.dat | cobalt_reflective_dll
behavioral2/files/0x0007000000023ca2-40.dat | cobalt_reflective_dll
behavioral2/files/0x0007000000023c9e-36.dat | cobalt_reflective_dll
behavioral2/files/0x0007000000023c9d-28.dat | cobalt_reflective_dll
behavioral2/files/0x0008000000023c98-76.dat | cobalt_reflective_dll
behavioral2/files/0x0007000000023ca9-96.dat | cobalt_reflective_dll
behavioral2/files/0x0007000000023ca8-93.dat | cobalt_reflective_dll
behavioral2/files/0x0007000000023ca7-90.dat | cobalt_reflective_dll
behavioral2/files/0x0007000000023ca6-71.dat | cobalt_reflective_dll
behavioral2/files/0x0007000000023ca5-65.dat | cobalt_reflective_dll
behavioral2/files/0x0007000000023ca4-62.dat | cobalt_reflective_dll
behavioral2/files/0x0007000000023ca3-59.dat | cobalt_reflective_dll
behavioral2/files/0x0007000000023cae-104.dat | cobalt_reflective_dll
behavioral2/files/0x0007000000023caa-105.dat | cobalt_reflective_dll
behavioral2/files/0x0007000000023cb0-117.dat | cobalt_reflective_dll
behavioral2/files/0x0007000000023cb1-118.dat | cobalt_reflective_dll
behavioral2/files/0x0007000000023caf-115.dat | cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.

Cobaltstrike family

Xmrig family

XMRig Miner payload (43 IoCs)
resource | yara_rule
behavioral2/memory/532-0-0x00007FF79CDE0000-0x00007FF79D12D000-memory.dmp | xmrig
behavioral2/files/0x0008000000023c94-5.dat | xmrig
behavioral2/files/0x0007000000023c9b-7.dat | xmrig
behavioral2/files/0x0007000000023c9c-14.dat | xmrig
behavioral2/memory/3604-24-0x00007FF7FE520000-0x00007FF7FE86D000-memory.dmp | xmrig
behavioral2/files/0x0008000000023c9f-29.dat | xmrig
behavioral2/files/0x0007000000023ca0-38.dat | xmrig
behavioral2/files/0x0007000000023ca2-40.dat | xmrig
behavioral2/memory/5076-32-0x00007FF642DD0000-0x00007FF64311D000-memory.dmp | xmrig
behavioral2/files/0x0007000000023c9e-36.dat | xmrig
behavioral2/files/0x0007000000023c9d-28.dat | xmrig
behavioral2/memory/4516-63-0x00007FF66F5C0000-0x00007FF66F90D000-memory.dmp | xmrig
behavioral2/files/0x0008000000023c98-76.dat | xmrig
behavioral2/memory/640-86-0x00007FF60E850000-0x00007FF60EB9D000-memory.dmp | xmrig
behavioral2/memory/1444-97-0x00007FF62D6D0000-0x00007FF62DA1D000-memory.dmp | xmrig
behavioral2/files/0x0007000000023ca9-96.dat | xmrig
behavioral2/memory/4500-94-0x00007FF74D220000-0x00007FF74D56D000-memory.dmp | xmrig
behavioral2/files/0x0007000000023ca8-93.dat | xmrig
behavioral2/memory/4968-91-0x00007FF77CD30000-0x00007FF77D07D000-memory.dmp | xmrig
behavioral2/files/0x0007000000023ca7-90.dat | xmrig
behavioral2/memory/1632-52-0x00007FF6A22C0000-0x00007FF6A260D000-memory.dmp | xmrig
behavioral2/memory/3424-74-0x00007FF779780000-0x00007FF779ACD000-memory.dmp | xmrig
behavioral2/files/0x0007000000023ca6-71.dat | xmrig
behavioral2/memory/2628-66-0x00007FF6B0EB0000-0x00007FF6B11FD000-memory.dmp | xmrig
behavioral2/files/0x0007000000023ca5-65.dat | xmrig
behavioral2/files/0x0007000000023ca4-62.dat | xmrig
behavioral2/memory/2040-60-0x00007FF7C7720000-0x00007FF7C7A6D000-memory.dmp | xmrig
behavioral2/files/0x0007000000023ca3-59.dat | xmrig
behavioral2/memory/3588-57-0x00007FF772BF0000-0x00007FF772F3D000-memory.dmp | xmrig
behavioral2/memory/1804-48-0x00007FF7F73A0000-0x00007FF7F76ED000-memory.dmp | xmrig
behavioral2/memory/2708-42-0x00007FF7BC910000-0x00007FF7BCC5D000-memory.dmp | xmrig
behavioral2/memory/452-16-0x00007FF6E56D0000-0x00007FF6E5A1D000-memory.dmp | xmrig
behavioral2/memory/4324-10-0x00007FF6C6160000-0x00007FF6C64AD000-memory.dmp | xmrig
behavioral2/files/0x0007000000023cae-104.dat | xmrig
behavioral2/files/0x0007000000023caa-105.dat | xmrig
behavioral2/files/0x0007000000023cb0-117.dat | xmrig
behavioral2/files/0x0007000000023cb1-118.dat | xmrig
behavioral2/files/0x0007000000023caf-115.dat | xmrig
behavioral2/memory/976-125-0x00007FF7C5630000-0x00007FF7C597D000-memory.dmp | xmrig
behavioral2/memory/3340-122-0x00007FF637770000-0x00007FF637ABD000-memory.dmp | xmrig
behavioral2/memory/1184-120-0x00007FF65C570000-0x00007FF65C8BD000-memory.dmp | xmrig
behavioral2/memory/1244-113-0x00007FF660250000-0x00007FF66059D000-memory.dmp | xmrig
behavioral2/memory/1732-106-0x00007FF6CB590000-0x00007FF6CB8DD000-memory.dmp | xmrig

Executes dropped EXE (21 IoCs)
pid | Process
4324 | OnCOLYU.exe
452 | HyipBbk.exe
3604 | bADVfoI.exe
5076 | qUGsWXy.exe
2708 | fRNGBtB.exe
3588 | ORLbwtk.exe
1804 | BMcNeCQ.exe
1632 | BlkieLE.exe
2040 | lkVwFTK.exe
4516 | OOywpsm.exe
2628 | DBrVLcU.exe
3424 | ugcgSOv.exe
640 | QItJhCh.exe
4968 | LBZmfep.exe
4500 | MTjBbvP.exe
1444 | jEXhWxc.exe
1732 | WQPGzfQ.exe
1244 | MkxrIMp.exe
1184 | EEojKRP.exe
3340 | WmyVMla.exe
976 | Qehxfaz.exe

Drops file in Windows directory (21 IoCs)
Process (every row): 2025-01-20_cd0fdc0fc5e1a52796ff0154f43fc48f_cobalt-strike_cobaltstrike_poet-rat.exe
description | ioc
File created | C:\Windows\System\ORLbwtk.exe
File created | C:\Windows\System\BMcNeCQ.exe
File created | C:\Windows\System\WQPGzfQ.exe
File created | C:\Windows\System\EEojKRP.exe
File created | C:\Windows\System\WmyVMla.exe
File created | C:\Windows\System\qUGsWXy.exe
File created | C:\Windows\System\HyipBbk.exe
File created | C:\Windows\System\bADVfoI.exe
File created | C:\Windows\System\lkVwFTK.exe
File created | C:\Windows\System\LBZmfep.exe
File created | C:\Windows\System\MTjBbvP.exe
File created | C:\Windows\System\jEXhWxc.exe
File created | C:\Windows\System\Qehxfaz.exe
File created | C:\Windows\System\OnCOLYU.exe
File created | C:\Windows\System\BlkieLE.exe
File created | C:\Windows\System\MkxrIMp.exe
File created | C:\Windows\System\fRNGBtB.exe
File created | C:\Windows\System\DBrVLcU.exe
File created | C:\Windows\System\ugcgSOv.exe
File created | C:\Windows\System\QItJhCh.exe
File created | C:\Windows\System\OOywpsm.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeLockMemoryPrivilege | 532 | 2025-01-20_cd0fdc0fc5e1a52796ff0154f43fc48f_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege | 532 | 2025-01-20_cd0fdc0fc5e1a52796ff0154f43fc48f_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory (42 IoCs)
Process (every row): 2025-01-20_cd0fdc0fc5e1a52796ff0154f43fc48f_cobalt-strike_cobaltstrike_poet-rat.exe
description | pid | procid_target
PID 532 wrote to memory of 4324 | 532 | 84
PID 532 wrote to memory of 4324 | 532 | 84
PID 532 wrote to memory of 452 | 532 | 85
PID 532 wrote to memory of 452 | 532 | 85
PID 532 wrote to memory of 3604 | 532 | 86
PID 532 wrote to memory of 3604 | 532 | 86
PID 532 wrote to memory of 5076 | 532 | 87
PID 532 wrote to memory of 5076 | 532 | 87
PID 532 wrote to memory of 3588 | 532 | 88
PID 532 wrote to memory of 3588 | 532 | 88
PID 532 wrote to memory of 2708 | 532 | 89
PID 532 wrote to memory of 2708 | 532 | 89
PID 532 wrote to memory of 1804 | 532 | 90
PID 532 wrote to memory of 1804 | 532 | 90
PID 532 wrote to memory of 1632 | 532 | 91
PID 532 wrote to memory of 1632 | 532 | 91
PID 532 wrote to memory of 2040 | 532 | 92
PID 532 wrote to memory of 2040 | 532 | 92
PID 532 wrote to memory of 4516 | 532 | 93
PID 532 wrote to memory of 4516 | 532 | 93
PID 532 wrote to memory of 2628 | 532 | 94
PID 532 wrote to memory of 2628 | 532 | 94
PID 532 wrote to memory of 3424 | 532 | 95
PID 532 wrote to memory of 3424 | 532 | 95
PID 532 wrote to memory of 640 | 532 | 96
PID 532 wrote to memory of 640 | 532 | 96
PID 532 wrote to memory of 4968 | 532 | 97
PID 532 wrote to memory of 4968 | 532 | 97
PID 532 wrote to memory of 4500 | 532 | 98
PID 532 wrote to memory of 4500 | 532 | 98
PID 532 wrote to memory of 1444 | 532 | 99
PID 532 wrote to memory of 1444 | 532 | 99
PID 532 wrote to memory of 1732 | 532 | 100
PID 532 wrote to memory of 1732 | 532 | 100
PID 532 wrote to memory of 1244 | 532 | 103
PID 532 wrote to memory of 1244 | 532 | 103
PID 532 wrote to memory of 1184 | 532 | 104
PID 532 wrote to memory of 1184 | 532 | 104
PID 532 wrote to memory of 3340 | 532 | 105
PID 532 wrote to memory of 3340 | 532 | 105
PID 532 wrote to memory of 976 | 532 | 106
PID 532 wrote to memory of 976 | 532 | 106
Processes
C:\Users\Admin\AppData\Local\Temp\2025-01-20_cd0fdc0fc5e1a52796ff0154f43fc48f_cobalt-strike_cobaltstrike_poet-rat.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-01-20_cd0fdc0fc5e1a52796ff0154f43fc48f_cobalt-strike_cobaltstrike_poet-rat.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 532
  C:\Windows\System\OnCOLYU.exe
    command line: C:\Windows\System\OnCOLYU.exe
    - Executes dropped EXE
    PID: 4324
  C:\Windows\System\HyipBbk.exe
    command line: C:\Windows\System\HyipBbk.exe
    - Executes dropped EXE
    PID: 452
  C:\Windows\System\bADVfoI.exe
    command line: C:\Windows\System\bADVfoI.exe
    - Executes dropped EXE
    PID: 3604
  C:\Windows\System\qUGsWXy.exe
    command line: C:\Windows\System\qUGsWXy.exe
    - Executes dropped EXE
    PID: 5076
  C:\Windows\System\ORLbwtk.exe
    command line: C:\Windows\System\ORLbwtk.exe
    - Executes dropped EXE
    PID: 3588
  C:\Windows\System\fRNGBtB.exe
    command line: C:\Windows\System\fRNGBtB.exe
    - Executes dropped EXE
    PID: 2708
  C:\Windows\System\BMcNeCQ.exe
    command line: C:\Windows\System\BMcNeCQ.exe
    - Executes dropped EXE
    PID: 1804
  C:\Windows\System\BlkieLE.exe
    command line: C:\Windows\System\BlkieLE.exe
    - Executes dropped EXE
    PID: 1632
  C:\Windows\System\lkVwFTK.exe
    command line: C:\Windows\System\lkVwFTK.exe
    - Executes dropped EXE
    PID: 2040
  C:\Windows\System\OOywpsm.exe
    command line: C:\Windows\System\OOywpsm.exe
    - Executes dropped EXE
    PID: 4516
  C:\Windows\System\DBrVLcU.exe
    command line: C:\Windows\System\DBrVLcU.exe
    - Executes dropped EXE
    PID: 2628
  C:\Windows\System\ugcgSOv.exe
    command line: C:\Windows\System\ugcgSOv.exe
    - Executes dropped EXE
    PID: 3424
  C:\Windows\System\QItJhCh.exe
    command line: C:\Windows\System\QItJhCh.exe
    - Executes dropped EXE
    PID: 640
  C:\Windows\System\LBZmfep.exe
    command line: C:\Windows\System\LBZmfep.exe
    - Executes dropped EXE
    PID: 4968
  C:\Windows\System\MTjBbvP.exe
    command line: C:\Windows\System\MTjBbvP.exe
    - Executes dropped EXE
    PID: 4500
  C:\Windows\System\jEXhWxc.exe
    command line: C:\Windows\System\jEXhWxc.exe
    - Executes dropped EXE
    PID: 1444
  C:\Windows\System\WQPGzfQ.exe
    command line: C:\Windows\System\WQPGzfQ.exe
    - Executes dropped EXE
    PID: 1732
  C:\Windows\System\MkxrIMp.exe
    command line: C:\Windows\System\MkxrIMp.exe
    - Executes dropped EXE
    PID: 1244
  C:\Windows\System\EEojKRP.exe
    command line: C:\Windows\System\EEojKRP.exe
    - Executes dropped EXE
    PID: 1184
  C:\Windows\System\WmyVMla.exe
    command line: C:\Windows\System\WmyVMla.exe
    - Executes dropped EXE
    PID: 3340
  C:\Windows\System\Qehxfaz.exe
    command line: C:\Windows\System\Qehxfaz.exe
    - Executes dropped EXE
    PID: 976
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 5.7MB
MD5: aa60258d05650bde59680c31f1c72f90
SHA1: d1a3ff1611997e9b01b4898fe5f6bf2e66d43b1a
SHA256: 2f05c3dcd92a5d2f18a6613c9a347ce747dbeb604804d415a08398e373a75174
SHA512: df59cbccf503f790a5b429f21e32955c7fbeba9819bfc097282eac5e875b2bbfe197da93f0c482376904e7415d098a3d0050e8726e85e35c55e8f9761fa3e9eb

Filesize: 5.7MB
MD5: e0d48fc6c91a001a0b55dc4c32f18cef
SHA1: 4f8f75aef409550826c6608c4b0d50e7b0212ce7
SHA256: c73c1c05bcd929632c32b83aeb2d707147ab901cbdb9342409cb986fcf885620
SHA512: 8b4b2ec2f351e3e5e8438919d2d513c9cb280a680b5b01cd7913768426e4e1db7e6ead24c5c8b412023e78269e5d10f1c6ab03ffe3aede0268c38a857188d027

Filesize: 5.7MB
MD5: 362d8c689d00b68c0d38a57d8a28db2c
SHA1: 7b9e64f8118eff9df3e6c5a0885557c154f396cb
SHA256: 29bdee33af24837d54e3f00e194e0b8ce4eae7276265970bc186294d862ae1c0
SHA512: 86e37b68691fbb0a05848a718171b4dbaa972ec09f40357d681ceccdfc04b200f56f3ff6fef1bae453ba8027cfc1a3a2f9ed531c9ad395f9f52022e3fe451a39

Filesize: 5.7MB
MD5: 6b9a7d0613d23a9900005e8747710557
SHA1: 21b09f2508e6aab3a11b393e007a5d2df26af34f
SHA256: d38c4a2e7d5858ef1808319dc44706930ee128ab668682c5410432cb2cbfb4cb
SHA512: ed2b0d1e5be079bf1989fd06a11a5117e0b3ad45e678b9337b0ff82791ae59447c5438106f316e740c162229e7c49e8f16e87c192536f952050554f6c68612be

Filesize: 5.7MB
MD5: b6d74ad99f8f1b77e392ba0253739799
SHA1: bc1533e4ea43631d646e11dcdbcfa0ff4653b631
SHA256: 9bfce362bd5c2d597807a741dd885856632a173810470dc63f402ef0ba128942
SHA512: b457c035b8e36baa27e490ec03914b30d5148b3767a8e064356d99a85c96edcfd038eab727f4f688cef75ac0715fefd4741434e36cce58c85e139784b4a62d08

Filesize: 5.7MB
MD5: fe8520f2616f97275e22fa15d3979e1f
SHA1: 7a56d1073c2578c8e65cd08821f7ec5493b07279
SHA256: fbdc0b0afdf8db504ef533cb5cdce9b16a1e6c31f0ea1c7f31a54b1cfcaec7df
SHA512: 724e37cb7822f53965c2ad5cee4ac5da42bf8a52bf2e516a949b8b29d2780aeda5c4600e9a408ba6c59428243c3021158b5b7dae328353fa1ceb332948846aa9

Filesize: 5.7MB
MD5: d3aba101c386c8a6596953f64e3507ef
SHA1: 2a316b3b190261c65c602d7d5a0d2fb159920124
SHA256: 2105d4424f1eb67b7f0ee29ebc0d8103c2acb8fa54494056cb9fc333d9d972c6
SHA512: 791a2ee95082008e8ad0184f8bebd20b2bf98c85a5c18ee5844a19a43fe23e9d8de2e7777356d15d0a2b85a1de21fe8f26e2f8742b48a4d0acb1babd0356dae9

Filesize: 5.7MB
MD5: 27ab3a56f9962b3c70634a80a137ef5f
SHA1: a3a50de15f1673eeb8330ed355f3970172274d1e
SHA256: a614f0259e58f519dabb0a629e88fe3fc37efb8bdba7e314745d125732bc522f
SHA512: 02dc0c243be6ac2b9cb299ca46a99ec1f2ce63e9753f2445bbf837d0257a58b87c4697bd0e8339acb1c90b168a9fc4686930c993ea2ac214f435bec13c59c6e5

Filesize: 5.7MB
MD5: 98899dbc230ae55e011b9d02f59aaeab
SHA1: a00bdecc518ce6e24c9c1531fdf17c928f6bf9a5
SHA256: 28c7cc4e04a65ff7b18c3e0de019a8b1df1083b984ed7db594890ed8b66081d6
SHA512: 7ed396ea1b70b00d2219dab99f5f98b483f478c81e4f19a83c2b8f1b67c44444368e8aa00144fbe7db3bdb83c7a3b2daf26de339d512db050d40b793c087c62d

Filesize: 5.7MB
MD5: ba0d3d66344e120e5214bd4fa9ee01e5
SHA1: 322202d8297ee895eaba48a16a1cc200039b8a14
SHA256: f2f96d3e5d78bc159ea794ba09de879b073200d061fef31d64b3d5a5c7d99e18
SHA512: adbb07cbc05d6aa6e9ae60b90e2b02ede828c644969f7c679cedf3998f6ef5959791dc902d1660c52ef76b277403943850a49047a4a7954ff84bdec3fe33904d

Filesize: 5.7MB
MD5: 1fd681f2b12e985206d5fd4206b17610
SHA1: e0f6c9b02ec96e812f93e2786cb7b130ea5a5e48
SHA256: ea02b29c4212dd232191eebabc72e23e64541b23213f994f4a8c5e7e228cd1c8
SHA512: 70f95ab839fd2ce261b00041800b23bdf249ed0bdc897c4f8d504c73eecd325687d6fcea3ebf623c77da2122ec636e7860fabe2a227cdbb25de92f189b18e6ae

Filesize: 5.7MB
MD5: e69014825ef75943954db34963625333
SHA1: 8fbfc202268019155ef4b29c4306ba2b825770a9
SHA256: 57b50e7a2340870893186fb13ef5fa7f6d8ddeac4e8eb4a733aa9f8e80586959
SHA512: 790bc51775c9fa2daae8d57c7fb79453f5983c7e2ecad7b5223494565ceb1666c91dcb9d888f67db203a039bd2e33dd00764c2f8eb788fdcfaaac508320887eb

Filesize: 5.7MB
MD5: 99a78929e8d1aaf8792d7f4efe2d8cc6
SHA1: e3d03dc0e0f3f180a65862d47a6ae549b575bfba
SHA256: c5882b90223c84e6e02381cde49504a88f4af8ab0d65762458aca8f0f8467e32
SHA512: b43740c52874006fea80291da6c7d353caefd2ad52f054adf3a3b8752132b6016e633ef0bb3682e52809dd455e3adb2ff22e05a651f450ae8e484d468e56448c

Filesize: 5.7MB
MD5: 78bd1b8a7c72a44c88b0a02143dbe4d9
SHA1: 0ab41c85029f5503df8fbd5b3cfade3442f6814a
SHA256: 9cd535d5e7ca8293c2e89c82a156359f1764a695e40ce8f41b54cf18b1003be1
SHA512: c71022c64e597c939093aabd356187c47c9c5a3aedc47130b8c2f17979b345533a2a85192683e6b02a1adba338e7106c0c9f0b628d15c562d38d83689daa53b3

Filesize: 5.7MB
MD5: 6a33de5504effcaee0a276db6f3919ad
SHA1: 90d86b95877110f9cbc005a33f30ec41c0ef8cf4
SHA256: 38f10fb8163888d898ec10054fad2a8d05c1b5168eec265ca3f015126669c855
SHA512: 2f51ce8f96c93614de50784c021f57132c9d799032b1cfe5526aaa791445b5fa72ab39a9a4fb82f565becdcd9f1978a5560012d460584e089f1573903dcfce49

Filesize: 5.7MB
MD5: b6a92daada0df2afb9020729e93c8b25
SHA1: eb3fc16c5fe63c024d70d71e8b7aa2cce390a6db
SHA256: 63db9b7837a9872fa9c51cc144d1a3e1e2d956e8ab13bbe16115f4006601e35e
SHA512: 735112cf7f1ece4c3d13caa8ee701f0169865d005d3732aeab18e5deb48b59bb4a834a8e223dbb267d0d7726a23126349a30168e8ad5b51c296249cea30daf22

Filesize: 5.7MB
MD5: 698b8f62c89b14a08552cf81903bd3dc
SHA1: 508058d64a1635e77a31964acf5a8d5e509d234d
SHA256: 6845568b52c63973b30e1c08166c19eebb689b96278904a560fffa381dbd4246
SHA512: a0016ff2f7f9d6aee6d584f4be068ee39da63d42cf4e81221721b25d9b37fe5b1064d97dfbc83939e11fead04b0ebbf7cc5b7945b2e3965cd31d293136fb844f

Filesize: 5.7MB
MD5: 9b77a6f29566ba62dc7ee79e98495691
SHA1: 55c13e7a5b3b8b76299749fc5f0aef646f221f4e
SHA256: a783f2f778ba1d7236ec4269ddf11774a3a2e152b550f53f82e1e89e640414a8
SHA512: 760054bad24a23541a54f2c16ffa60c12b126718adf679892f9755bf9f02992b74a318ab8e67d596dfcc546ab97d01eaabea7032299692a7e4aecc7d6814198e

Filesize: 5.7MB
MD5: 925577f68d1ef471d0e105316888d30c
SHA1: 8cade88627c4b493bd93b6574bd2e2703de731eb
SHA256: 5201fdda1ab96dadd7bb45e83365cbeb801408832fa83cbfd37dbff3548fe7f3
SHA512: 985d52cfcc8f199590d460af884471e3b1fc54ee13026cea46b853e94b252048dc9c40775cde59d4a574621cc2cf5a05f85496e4693f0b941a09657ae5a42bab

Filesize: 5.7MB
MD5: ef965b83b4f4be0cdb1924f8187abafe
SHA1: 18fc74540838707654b09a803ee5053ea2e3d497
SHA256: 4459975443c2b0a56b7700d381336ae0e778d264fa6186db6a11bb454af5793e
SHA512: 882f7c8f31d4ce00f2975ae01c2a371841ff8adfb423cb8a12e8c5baea9470ae3f8fd163e08a7fe0b85e36273b8d22e56846271869a0ecfec94b5c93a7a8f878

Filesize: 5.7MB
MD5: a480a0c2338c04e4186bf836f2344adb
SHA1: d37a4b9dd9ff5f376b393ca63425c89e24a9b6b8
SHA256: 5390d25b2ca46844430343fc8e55ab16d1a757869ac0d80f924ab6bd9dd91d54
SHA512: 350db7d3c0f01f10d33f8dc6a78dc271e9dc0204fc432b83bd225dbb47f5be9fc20fa478d72f9aa879444a9d08e333ed9763bdbacff4c13223ef253697f88867