Malware Analysis Report

2024-10-16 03:04

Sample ID 240621-bvwjpavcnf
Target 2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat
SHA256 c68d7515ba1519c19288e506934fd4dc80b276eb6c79e3ab306251b4a54f415f
Tags
miner upx xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1 - Detonation Overview, Signatures
Analysis: behavioral1 - Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral2 - Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

score
10/10

SHA256

c68d7515ba1519c19288e506934fd4dc80b276eb6c79e3ab306251b4a54f415f

Threat Level: Known bad

The file 2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

Tags: miner, upx, xmrig, cobaltstrike, backdoor, trojan

Signatures:

Xmrig family

XMRig Miner payload

Cobaltstrike family

Cobalt Strike reflective loader

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-21 01:28

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
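The static1 verdicts above (UPX packed, unsigned PE) come from the sandbox's own signatures, whose logic the report does not show. As an added example, not from the report or from the sandbox, the following Python reproduces both checks with only the standard library: it reads the section table and the Authenticode (security) data directory of a PE header, and, because UPX section names are trivially renamed, it also looks at the first section's raw size (UPX leaves its unpack-target section with no bytes on disk) and for the "UPX!" marker the packer writes. The PE bytes it inspects are constructed inside the block for illustration and are not the sample; the same functions apply to bytes read from a file.

```python
import struct

# Offsets from the PE/COFF format specification.
DOS_E_LFANEW = 0x3C
FILE_HEADER_LEN = 20
OPT_MAGIC_PE32, OPT_MAGIC_PE32PLUS = 0x10B, 0x20B
DATA_DIR_OFFSET = {OPT_MAGIC_PE32: 96, OPT_MAGIC_PE32PLUS: 112}   # data directories start inside the optional header
SECURITY_DIR_INDEX = 4                                             # IMAGE_DIRECTORY_ENTRY_SECURITY (Authenticode table)
SECTION_HEADER_LEN = 40


def inspect_pe(data):
    """Parse only what the two verdicts need: the section table and the security data directory."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, DOS_E_LFANEW)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 4 + FILE_HEADER_LEN
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in DATA_DIR_OFFSET:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    _, cert_size = struct.unpack_from("<II", data, opt_off + DATA_DIR_OFFSET[magic] + SECURITY_DIR_INDEX * 8)

    sections = []
    for i in range(nsections):
        off = opt_off + opt_size + i * SECTION_HEADER_LEN
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, rawsize, _rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": name, "vsize": vsize, "rawsize": rawsize})

    first = sections[0] if sections else None
    return {
        "machine": machine,
        "sections": [s["name"] for s in sections],
        "has_authenticode": cert_size > 0,        # presence of a certificate table only, not its validity
        "upx_names": any(s["name"].startswith("UPX") for s in sections),
        "upx_marker": b"UPX!" in data,            # header string the packer writes into the file
        # UPX's unpack-target section has no bytes on disk; this survives renaming of the sections
        "empty_first_section": bool(first and first["rawsize"] == 0 and first["vsize"] > 0),
    }


def classify(data):
    """Signature names in the report's wording, derived from inspect_pe()."""
    info = inspect_pe(data)
    verdicts = []
    if info["upx_names"] or info["upx_marker"]:
        verdicts.append("UPX packed file")
    elif info["empty_first_section"]:
        verdicts.append("Packed (first section has no data on disk)")
    if not info["has_authenticode"]:
        verdicts.append("Unsigned PE")
    return verdicts


def build_pe(section_names, first_raw_size, cert_size=0, trailer=b""):
    """Constructed, non-executable PE32+ header used only to exercise the checks (not a real sample)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, DOS_E_LFANEW, len(dos))
    file_hdr = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, OPT_MAGIC_PE32PLUS)
    struct.pack_into("<II", opt, DATA_DIR_OFFSET[OPT_MAGIC_PE32PLUS] + SECURITY_DIR_INDEX * 8,
                     0x2000 if cert_size else 0, cert_size)
    table = bytearray()
    for i, name in enumerate(section_names):
        hdr = bytearray(SECTION_HEADER_LEN)
        hdr[:8] = name.ljust(8, b"\0")
        raw = first_raw_size if i == 0 else 0x200
        struct.pack_into("<IIII", hdr, 8, 0x10000, 0x1000 * (i + 1), raw, 0x400 * (i + 1))
        table += hdr
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + bytes(table) + trailer


UPX_LIKE = build_pe([b"UPX0", b"UPX1", b".rsrc"], first_raw_size=0, trailer=b"UPX!")
RENAMED = build_pe([b".text", b".data"], first_raw_size=0)          # packer names stripped, layout unchanged
SIGNED_PLAIN = build_pe([b".text", b".rdata"], first_raw_size=0x200, cert_size=0x1800)

if __name__ == "__main__":
    for label, blob in (("upx-like", UPX_LIKE), ("renamed", RENAMED), ("signed", SIGNED_PLAIN)):
        print(label, inspect_pe(blob)["sections"], classify(blob))
```

The "renamed" case is why the raw-size check is there: an analyst who only matches on section names misses a UPX build whose names were patched, while a first section that occupies address space but has no bytes on disk still gives the packer away. Presence of a certificate table is all that "Unsigned PE" tests; whether a present signature actually verifies is a separate check.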

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-21 01:28

Reported

2024-06-21 01:31

Platform

win7-20240611-en

Max time kernel

140s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
(21 matches reported, none with a visible indicator, process or target)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(60 matches reported, none with a visible indicator, process or target)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe N/A
(21 identical matches, all attributed to the parent process; the report does not name the loaded module)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(58 matches reported, none with a visible indicator, process or target)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\mAYUYfm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DMQFLnZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sWgQEES.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NnStjif.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YjjZFGp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bONywxC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KIKmyYh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\POOoTCn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vOcLCwK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\Bwiivnu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gsaILxd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sJjeXMd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kmjXUwv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JiwUZwH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\swfbiSu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NLrDjyY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mXsqVIq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cQRbHny.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HUDXtxa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hjVLloy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UHzxTPU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(the sandbox lists every write as its own row; each child below received three writes from PID 2236, shown here as one row per child)
PID 2236 wrote to memory of 2024 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sWgQEES.exe
PID 2236 wrote to memory of 2800 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HUDXtxa.exe
PID 2236 wrote to memory of 2116 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JiwUZwH.exe
PID 2236 wrote to memory of 1828 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Bwiivnu.exe
PID 2236 wrote to memory of 3060 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gsaILxd.exe
PID 2236 wrote to memory of 2628 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\swfbiSu.exe
PID 2236 wrote to memory of 2788 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NLrDjyY.exe
PID 2236 wrote to memory of 2532 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sJjeXMd.exe
PID 2236 wrote to memory of 2640 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bONywxC.exe
PID 2236 wrote to memory of 2548 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hjVLloy.exe
PID 2236 wrote to memory of 2348 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UHzxTPU.exe
PID 2236 wrote to memory of 2536 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kmjXUwv.exe
PID 2236 wrote to memory of 2936 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mXsqVIq.exe
PID 2236 wrote to memory of 2460 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NnStjif.exe
PID 2236 wrote to memory of 1644 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KIKmyYh.exe
PID 2236 wrote to memory of 1536 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YjjZFGp.exe
PID 2236 wrote to memory of 2364 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\POOoTCn.exe
PID 2236 wrote to memory of 1524 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mAYUYfm.exe
PID 2236 wrote to memory of 1684 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DMQFLnZ.exe
PID 2236 wrote to memory of 784 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vOcLCwK.exe
PID 2236 wrote to memory of 1592 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cQRbHny.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\sWgQEES.exe

C:\Windows\System\sWgQEES.exe

C:\Windows\System\HUDXtxa.exe

C:\Windows\System\HUDXtxa.exe

C:\Windows\System\JiwUZwH.exe

C:\Windows\System\JiwUZwH.exe

C:\Windows\System\Bwiivnu.exe

C:\Windows\System\Bwiivnu.exe

C:\Windows\System\gsaILxd.exe

C:\Windows\System\gsaILxd.exe

C:\Windows\System\swfbiSu.exe

C:\Windows\System\swfbiSu.exe

C:\Windows\System\NLrDjyY.exe

C:\Windows\System\NLrDjyY.exe

C:\Windows\System\sJjeXMd.exe

C:\Windows\System\sJjeXMd.exe

C:\Windows\System\bONywxC.exe

C:\Windows\System\bONywxC.exe

C:\Windows\System\hjVLloy.exe

C:\Windows\System\hjVLloy.exe

C:\Windows\System\UHzxTPU.exe

C:\Windows\System\UHzxTPU.exe

C:\Windows\System\kmjXUwv.exe

C:\Windows\System\kmjXUwv.exe

C:\Windows\System\mXsqVIq.exe

C:\Windows\System\mXsqVIq.exe

C:\Windows\System\NnStjif.exe

C:\Windows\System\NnStjif.exe

C:\Windows\System\KIKmyYh.exe

C:\Windows\System\KIKmyYh.exe

C:\Windows\System\YjjZFGp.exe

C:\Windows\System\YjjZFGp.exe

C:\Windows\System\POOoTCn.exe

C:\Windows\System\POOoTCn.exe

C:\Windows\System\mAYUYfm.exe

C:\Windows\System\mAYUYfm.exe

C:\Windows\System\DMQFLnZ.exe

C:\Windows\System\DMQFLnZ.exe

C:\Windows\System\vOcLCwK.exe

C:\Windows\System\vOcLCwK.exe

C:\Windows\System\cQRbHny.exe

C:\Windows\System\cQRbHny.exe
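Read together, the dropped-file table, the WriteProcessMemory table and the process list above describe one behaviour: PID 2236 writes 21 executables with seven-letter random names into C:\Windows\System and starts each of them. Every write target is a file the sample itself dropped, and three writes into a freshly created child is the pattern this kind of sandbox records for an ordinary CreateProcess, where the parent fills in the new process's startup parameters; the tables show no write into a process the sample did not start, which is the case that would point at injection into an existing process. The Python below is an added example, not part of the report or of the sandbox, that applies exactly that check to rows in the report's format: it collapses the per-write rows into one entry per parent/child pair, verifies each target against the dropped-file list, and counts how many dropped names fit the seven-letter pattern (a pattern assumed from the 21 names in this report, not a property the report asserts). The rows it parses are a constructed excerpt of the tables above, plus one constructed counter-example row that is not in the report.

```python
import re
from collections import defaultdict

# Constructed excerpt of the "Drops file in Windows directory" and
# "Suspicious use of WriteProcessMemory" rows, in the row format the report uses.
PARENT = r"C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe"

DROP_ROWS = [
    rf"File created C:\Windows\System\sWgQEES.exe {PARENT} N/A",
    rf"File created C:\Windows\System\HUDXtxa.exe {PARENT} N/A",
    rf"File created C:\Windows\System\JiwUZwH.exe {PARENT} N/A",
]

WPM_ROWS = (
    [rf"PID 2236 wrote to memory of 2024 N/A {PARENT} C:\Windows\System\sWgQEES.exe"] * 3
    + [rf"PID 2236 wrote to memory of 2800 N/A {PARENT} C:\Windows\System\HUDXtxa.exe"] * 3
    + [rf"PID 2236 wrote to memory of 2116 N/A {PARENT} C:\Windows\System\JiwUZwH.exe"] * 3
    # Constructed counter-example, NOT in the report: a write into an image the sample never dropped.
    + [rf"PID 2236 wrote to memory of 3120 N/A {PARENT} C:\Windows\explorer.exe"]
)

DROP_RE = re.compile(r"^File created (?P<path>\S+) (?P<proc>\S+) N/A$")
WPM_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<proc>\S+) (?P<target>\S+)$")
# Assumption drawn from this report's 21 names: seven ASCII letters directly under C:\Windows\System.
RANDOM_NAME_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)


def parse_drops(rows):
    """{dropped path (lower-cased, Windows paths are case-insensitive): creating process}"""
    drops = {}
    for row in rows:
        m = DROP_RE.match(row)
        if m:
            drops[m["path"].lower()] = m["proc"]
    return drops


def parse_writes(rows):
    """Collapse one row per write into {(src_pid, dst_pid): {"source", "target", "writes"}}."""
    writes = {}
    for row in rows:
        m = WPM_RE.match(row)
        if not m:
            continue
        key = (int(m["src"]), int(m["dst"]))
        entry = writes.setdefault(key, {"source": m["proc"], "target": m["target"], "writes": 0})
        entry["writes"] += 1
    return writes


def triage(drop_rows, wpm_rows):
    drops = parse_drops(drop_rows)
    writes = parse_writes(wpm_rows)
    tree = defaultdict(list)      # src_pid -> [(dst_pid, target image, write count)]
    findings = []
    for (src, dst), w in sorted(writes.items()):
        tree[src].append((dst, w["target"], w["writes"]))
        if w["target"].lower() not in drops:
            findings.append(
                f"PID {src} wrote into PID {dst} ({w['target']}), an image the sample did not drop: "
                "treat as possible injection into an existing process"
            )
    random_named = [p for p in drops if RANDOM_NAME_RE.match(p)]
    return {
        "tree": dict(tree),
        "findings": findings,
        "total_drops": len(drops),
        "random_named_drops": len(random_named),
    }


if __name__ == "__main__":
    result = triage(DROP_ROWS, WPM_ROWS)
    for src, children in result["tree"].items():
        for dst, image, n in children:
            print(f"{src} -> {dst}  {image}  ({n} writes)")
    print(f"{result['random_named_drops']}/{result['total_drops']} dropped files match the random-name pattern")
    for finding in result["findings"]:
        print("FINDING:", finding)
```

Run against the full tables the script yields 21 children of PID 2236, each with three writes and each matching the pattern, and no findings; only the constructed explorer.exe row trips the injection check, which is the distinction an analyst wants from a table whose every row is labelled "suspicious".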

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
(six connections recorded, all to this endpoint; no domain is shown for any of them)

Files

memory/2236-0-0x000000013F8E0000-0x000000013FC34000-memory.dmp

memory/2236-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\sWgQEES.exe

MD5 2eb5619b37cde30c7fa1619e47d17037
SHA1 a79e8c9230d82fac28459d36133aa91b00fa68e3
SHA256 d8b2f200217508a938e76b0cd59cb7c93370da133e4e0e3fbdd750892540153e
SHA512 b9a378828bc73b0a6171efa5527c8e9098f7031971625d0811a6a77f6966d156ab5577906b32b09647a439fdcdb368418de312b8ba9e8845256d6cabba3b53c3

memory/2236-6-0x000000013FD60000-0x00000001400B4000-memory.dmp

\Windows\system\HUDXtxa.exe

MD5 108eeb01c7b190dcd7eae42562c7db3f
SHA1 2f55c057cf03e48c8f1f0fe4e7ca34fe70505d4f
SHA256 ed781dfa2d523fa5fd4a0f1b98290ea8926698acf5cdaf4380ad5cc91ff15028
SHA512 ff9360062597182cd893defe7f7eb85c76f12b90536d456c4df39bb207302dc0c661f9e014c35d5f0dcc54d7a382b249fde361a0e59ba10bfb27945548131670

C:\Windows\system\Bwiivnu.exe

MD5 e51bba14f97172d7e96a26c03baa8e15
SHA1 b163a342e0174a26c72bb7d93afe437ba3bf5110
SHA256 517b83c0e080fe1fbb1a5c91101b94bcff1351fb957ce1d3e46f2e8b3f31b4d2
SHA512 2be096ccf4c3154143cd29ad3f4cdae009be422b7ef917a8b2f10b9e3c41fd55c446cd1800912d929ff5b7913b43876e5b4c5a0bafbd5c5cc4752263342a75d6

C:\Windows\system\JiwUZwH.exe

MD5 dbbcdbabdaa7f1ecf8f6b7e63894b51f
SHA1 a59df9d4e16f81db04b5e8a97460876ca6735ab2
SHA256 b2ed0d36e6ebf4208c9a6dd6265ef96e0cf6fb8e687f024b13f73a259208ccbd
SHA512 4d444a4235ef03c2d3a2ac1c35bb38392b609d12266c7a48dc0659b9ee1c804409d9c1f43a394cff905673c3833d86311e23bc5c93a72e8bffdbc73e3be8bf35

memory/2800-27-0x000000013FFC0000-0x0000000140314000-memory.dmp

memory/2116-29-0x000000013FDD0000-0x0000000140124000-memory.dmp

memory/2024-15-0x000000013FD60000-0x00000001400B4000-memory.dmp

memory/1828-26-0x000000013F990000-0x000000013FCE4000-memory.dmp

memory/2236-23-0x000000013FDD0000-0x0000000140124000-memory.dmp

memory/2236-20-0x0000000002300000-0x0000000002654000-memory.dmp

memory/2236-19-0x000000013FFC0000-0x0000000140314000-memory.dmp

C:\Windows\system\swfbiSu.exe

MD5 cf3efa9ac70e862deee3ca85a8abb349
SHA1 60297f9dab1c14cf893c56104bef641c62a6c01a
SHA256 9fd31da4f165b8f736da6220b2cc0459269648133100afc7d58dbf982fc59198
SHA512 82f2f4a6e3554065428374892291a8d0c4e69af7c64bab669f9a60a0e473417233bd6b9b9cd100e619c686ade942185997dc0c73fafb68ec058a9bb3a07ef37f

memory/2628-40-0x000000013F790000-0x000000013FAE4000-memory.dmp

memory/2788-49-0x000000013F120000-0x000000013F474000-memory.dmp

memory/2532-56-0x000000013F7E0000-0x000000013FB34000-memory.dmp

C:\Windows\system\hjVLloy.exe

MD5 68fdba6f5643de809e5632281a68abc2
SHA1 e28f5d7fa637c0e0ca6f9f232356b33b0c2a4fd6
SHA256 4e45e93dc52898bbb896f8a9ab3c8d58906f7f8740e30959565b10b2adb73a4b
SHA512 b949ae50db52635c550a074aae2709f49d146605b37bad854df4d0778738abbd4832d74bf86ad112756c11b032be32975d123bc6f012be8137505f5fdac8508e

memory/2548-70-0x000000013F6C0000-0x000000013FA14000-memory.dmp

memory/1828-82-0x000000013F990000-0x000000013FCE4000-memory.dmp

C:\Windows\system\UHzxTPU.exe

MD5 1ad46ef17d8815cb2895623eb68fd429
SHA1 cf7e0bfc23b06422b1f3fceabceb3a94499c1ad3
SHA256 6d867d8189f29382c69f903835a00eb1a5f8a3cdda8270845f91afed7e92ab56
SHA512 ebffb24208a6f9f61c94ec9618092dc88e8ab6ade92483a51c56cf14f37999736c3e0d1294cd3720ac9a5099fae06705b47499169a0c6e7fd036cd9b5905d983

memory/2236-98-0x0000000002300000-0x0000000002654000-memory.dmp

C:\Windows\system\DMQFLnZ.exe

MD5 3edb2bb20128c6afc6e21a7babf046ab
SHA1 b2a96aca24b2a0a00ac8280eb5c280fc232f2c1d
SHA256 d9350053b6db0d17def091fed9646a8b1c9fbd34acce854a755fdce64378c976
SHA512 360c5228fb2e5297174f414716f579277c9e730a085402c5d29a2afb74bd60b76f9356389a2134b2bdafdb847bd9137cbe0fef9278ee7f1295ff1797a97a7c8c

\Windows\system\cQRbHny.exe

MD5 fdcada326ae62d8be12996c7f3606422
SHA1 d6941cc65783c68a18a81f62bf9fe02caa2c7fc2
SHA256 040a75b1f1a4b24954ce636325d813ab0d69fce08a87ca230706f52f2877db55
SHA512 3f27b73cecf52aeb9558de792025fcc706471748d6c4bcc990722ef6561485b7855b566af05acdaa86281ecf8ed495a1ab7936c1c62cd669625fdb07f0912995

C:\Windows\system\vOcLCwK.exe

MD5 982805cc1e2dd63646ace1f4f91681a1
SHA1 00e213b40d08596157afbf60cdf174b0ca948853
SHA256 ff7121fa20167ce986345c7e0487447a19d20f35f98d8c057fffdaff82e6bf66
SHA512 c990acfbd1969fe3bf068c75e8ba5dacd0eccf8bb2e1570063961ae0e6831521ec750f0beec3a25a2f806a725f4df2bbaf44331c56bdab366b70957d6b90cd1c

C:\Windows\system\mAYUYfm.exe

MD5 f502f0491572b62485b7e42ba1ce8cab
SHA1 392f0f79b5ab77d725a12065290faa95cd5e744e
SHA256 a5c991c5f29c6e31244a1d8ea5fba9f8e9407feb67e2dea04048b206cd29d324
SHA512 639117ef1f38d439ed86a65d618f02efe994ada394b05a88e8a2e66a4542562d4b5c606d30fead7ffa2b511ef93288c2e59f31f8afab600cf976f3116c2cb8cb

C:\Windows\system\POOoTCn.exe

MD5 9b16cb61db539fb98bad8d72d5e6d0f4
SHA1 7285d7599d5d23179117bd1fced479c68f5b997c
SHA256 bc9465533285ce966ef96ec44147869a55a7728f7a6e7490480378f3bbfd1dc0
SHA512 c838b2c8e2bc85c3ec37a31a27e958dad455c75b95d8a791571624a17e47ade30c0096bfd232b829ee3594c60ffd491a47cc54d9ab9fc39e9a93f8cd56d23365

C:\Windows\system\YjjZFGp.exe

MD5 46b8a1e57a9054685f19a2e65b89b5dd
SHA1 af7b74f25289a63cfd91c1c32d72fad740e7ab98
SHA256 990fa5b42bc49bd95da71e87f3d66f169185762156be31100a662b0aed70acde
SHA512 a0a35e4864ae1853671d9a8548eb5ed246a3a501b7ef6c3b6f58dc3ab67fc4f3f7e4de3f61f236ca09b1146571389d172ab00e128d8a8250dd6f60e07c6232e8

memory/2236-106-0x000000013FD60000-0x00000001400B4000-memory.dmp

memory/2628-105-0x000000013F790000-0x000000013FAE4000-memory.dmp

C:\Windows\system\KIKmyYh.exe

MD5 b6330aed4615404fe60abb720019622a
SHA1 dd476608628be6943380900acae2595cd5be6c4e
SHA256 b8e138b442e02c91f28c9589cd5b86e5e24539cc0b2359b0db9e7dac79dd1686
SHA512 dd3862fb81bce11eae787e9da1636dc64adb6d0dd7bf9605dc18ef7cce3030ca65ace38f9715d7105030767e02c2bafbdae5babed06bce847763031fc23e9e93

memory/2936-91-0x000000013F6F0000-0x000000013FA44000-memory.dmp

memory/2116-90-0x000000013FDD0000-0x0000000140124000-memory.dmp

C:\Windows\system\mXsqVIq.exe

MD5 75b818da5ba7258692cfb735a97c826b
SHA1 27254e2d7343f8fd31305088b9e0990f09d722a9
SHA256 b69af1326ad663aa68dc0707a93e2068ddf8ec9c05d6a28bf5b6728bd0f690ba
SHA512 d7ff4a5186cba6731567394440b9401ce5da10ce1ac143517f2005132c330e10a9c8c137efdfa410fae4656fd7cbdac875b3df4c0031c8638c87c06849f4e03e

memory/2236-86-0x0000000002300000-0x0000000002654000-memory.dmp

memory/2460-99-0x000000013F020000-0x000000013F374000-memory.dmp

memory/2348-75-0x000000013F5A0000-0x000000013F8F4000-memory.dmp

C:\Windows\system\NnStjif.exe

MD5 41bda7d18255d5ac46d14b88863003f5
SHA1 1431374959de2f1b0964ca31580040a04b8cdc0e
SHA256 d3091f60486e553a82a7843caa78c636398e82bcb922df7e66847b07ca031a61
SHA512 1b78ed4d15136955b81d5f3de5ae000da09005d76b88911334e5374a8a1f3743121fcd787b77908078fe73cb1ac21d1576cef09b6c55663f7014ac1318044c54

memory/2536-84-0x000000013F1C0000-0x000000013F514000-memory.dmp

memory/2236-83-0x000000013F1C0000-0x000000013F514000-memory.dmp

C:\Windows\system\kmjXUwv.exe

MD5 13239c2b4eda05c724954537eb5d3417
SHA1 b23ba8693e1115fecc6d0c00be518a3cb4a3e321
SHA256 292c6e22e7923849d54ce9841add7dc2dbd702c03c324773520ff2ba8fdf895f
SHA512 08d580c33511b3d24a31b32522186016d538a4766a267a09ea5baeb865d6c9454bf7d1a31cfe686256a8ca2efe97aca62289e378848c4c4130cee56a3c358bad

memory/2024-69-0x000000013FD60000-0x00000001400B4000-memory.dmp

memory/2640-63-0x000000013FDF0000-0x0000000140144000-memory.dmp

memory/2236-62-0x000000013F8E0000-0x000000013FC34000-memory.dmp

C:\Windows\system\bONywxC.exe

MD5 6024fd787beb58f1a78e56e0e3faeae3
SHA1 06f80c5032d4878d9ad9d96515232fcf62eef439
SHA256 9ebae468625f746a0eeec68198905913698c4c132c4753ec070b7719680babdc
SHA512 71e3557d3a9684a65cb82ff2ce17b862ca8547ae4224023902029dfa778f1bfaa846be823f0d0e6dc33b63e3afa7a9e652449602f76d266f477fd089696cb743

C:\Windows\system\sJjeXMd.exe

MD5 4db1472ad2e0a0dd03872024250964e0
SHA1 8d00b84a1436e43de0080e95c274c43825a4b75c
SHA256 c3f9a5be336bdf4cfe8cf883516f3fe2eff8b47ae5374d7d799e55eb17614f09
SHA512 0cd4df279e093cdbab03f1ce45d566ee9517b10f2be1a853f46ec75451487e4c70f1177d32000aa5658d5d49ecb56390ab5d2759caef17101c040bd515c512b7

C:\Windows\system\NLrDjyY.exe

MD5 1fef5c8ea6f4ddc5538c61018019ff9b
SHA1 d31fc875dbfc24c23c854be7c74834d1823a3548
SHA256 4a9ce8038adb5f962837bf9740cee09442ffd5a21a360385ac769a7a00be75e6
SHA512 e985ce431f02d9fc53076ba7434e9fc2d0174ee011778cc8fd014749d912cbf71fa502a01c9b0551f0d33d4315005fb1ad20dd2056940161f3b693c7085ff0c8

C:\Windows\system\gsaILxd.exe

MD5 e70e3c43e6a0df8b69cec5e43d5d2f01
SHA1 9999c95020174f9aea57f884af1338fdd97df075
SHA256 acfc59bc29cb87b611aea503919bb86525aaaa6efb55008b33ba155ae254bd5a
SHA512 b2931862dce5d63df980597673c773f20efed2294f34a5c83fd19d4eeb4c717c0b55b2ec91cef3bcbe43095bb747e17258b69fee2a268719b780cc495366ebd9

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-21 01:28

Reported

2024-06-21 01:31

Platform

win10v2004-20240611-en

Max time kernel

139s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3840,i,17949988676391029604,13756926835471203788,262144 --variations-seed-version --mojo-platform-channel-handle=1008 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

memory/3404-0-0x00007FF794A80000-0x00007FF794DD4000-memory.dmp