Malware Analysis Report

2024-10-16 03:04

Sample ID 240621-bwbkxayfnm
Target 2024-06-21_28538e635f7ad6431bc37fae18f597f8_cobalt-strike_cobaltstrike_poet-rat
SHA256 d1d6c78b34c977692ff8dbf99314a2aa7eeba7540b65ad06f61b1f9f0bb8db2a
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d1d6c78b34c977692ff8dbf99314a2aa7eeba7540b65ad06f61b1f9f0bb8db2a

Threat Level: Known bad

The file 2024-06-21_28538e635f7ad6431bc37fae18f597f8_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Xmrig family

Cobaltstrike

xmrig

Cobalt Strike reflective loader

XMRig Miner payload

Cobaltstrike family

XMRig Miner payload

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-21 01:29

Signatures

Cobalt Strike reflective loader

1 match; description, indicator, process and target not captured (N/A).

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
1 match; description, indicator, process and target not captured (N/A).

Xmrig family

xmrig

UPX packed file

upx
1 match; description, indicator, process and target not captured (N/A).

Unsigned PE

1 match; description, indicator, process and target not captured (N/A).

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-21 01:29

Reported

2024-06-21 01:31

Platform

win7-20240611-en

Max time kernel

136s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-21_28538e635f7ad6431bc37fae18f597f8_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

21 matches; description, indicator, process and target not captured (all N/A).

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
62 matches; description, indicator, process and target not captured (all N/A).

Loads dropped DLL

21 matches, every one with Process = C:\Users\Admin\AppData\Local\Temp\2024-06-21_28538e635f7ad6431bc37fae18f597f8_cobalt-strike_cobaltstrike_poet-rat.exe; description, indicator and target not captured (N/A).

UPX packed file

upx
56 matches; description, indicator, process and target not captured (all N/A).

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\EHeJnIV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_28538e635f7ad6431bc37fae18f597f8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cdoNxdH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_28538e635f7ad6431bc37fae18f597f8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wGAqGSY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_28538e635f7ad6431bc37fae18f597f8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YFFnWDC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_28538e635f7ad6431bc37fae18f597f8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\borPMtu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_28538e635f7ad6431bc37fae18f597f8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QgJnyKv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_28538e635f7ad6431bc37fae18f597f8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UpZlHRf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_28538e635f7ad6431bc37fae18f597f8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BbQwlQI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_28538e635f7ad6431bc37fae18f597f8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ySVJWRc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_28538e635f7ad6431bc37fae18f597f8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VrZyPDZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_28538e635f7ad6431bc37fae18f597f8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qdZqRok.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_28538e635f7ad6431bc37fae18f597f8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pbYLTAV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_28538e635f7ad6431bc37fae18f597f8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sdzlDsg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_28538e635f7ad6431bc37fae18f597f8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JkJXiYj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_28538e635f7ad6431bc37fae18f597f8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oxhLHSY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_28538e635f7ad6431bc37fae18f597f8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\viDnTWx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_28538e635f7ad6431bc37fae18f597f8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cGEuAol.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_28538e635f7ad6431bc37fae18f597f8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WZNKtys.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_28538e635f7ad6431bc37fae18f597f8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vCjykyK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_28538e635f7ad6431bc37fae18f597f8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cVLaSPQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_28538e635f7ad6431bc37fae18f597f8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vMYgkmo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_28538e635f7ad6431bc37fae18f597f8_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Every event has Process = C:\Users\Admin\AppData\Local\Temp\2024-06-21_28538e635f7ad6431bc37fae18f597f8_cobalt-strike_cobaltstrike_poet-rat.exe and Indicator = N/A. The sandbox recorded three writes per child; they are collapsed below into one row per child with an event count.

Description Events Target
PID 1672 wrote to memory of 2404 3 C:\Windows\System\wGAqGSY.exe
PID 1672 wrote to memory of 2088 3 C:\Windows\System\sdzlDsg.exe
PID 1672 wrote to memory of 2608 3 C:\Windows\System\YFFnWDC.exe
PID 1672 wrote to memory of 2636 3 C:\Windows\System\cGEuAol.exe
PID 1672 wrote to memory of 2596 3 C:\Windows\System\BbQwlQI.exe
PID 1672 wrote to memory of 2896 3 C:\Windows\System\WZNKtys.exe
PID 1672 wrote to memory of 2652 3 C:\Windows\System\ySVJWRc.exe
PID 1672 wrote to memory of 2508 3 C:\Windows\System\JkJXiYj.exe
PID 1672 wrote to memory of 2396 3 C:\Windows\System\vCjykyK.exe
PID 1672 wrote to memory of 2340 3 C:\Windows\System\borPMtu.exe
PID 1672 wrote to memory of 680 3 C:\Windows\System\oxhLHSY.exe
PID 1672 wrote to memory of 2800 3 C:\Windows\System\VrZyPDZ.exe
PID 1672 wrote to memory of 2856 3 C:\Windows\System\cVLaSPQ.exe
PID 1672 wrote to memory of 2548 3 C:\Windows\System\qdZqRok.exe
PID 1672 wrote to memory of 1612 3 C:\Windows\System\QgJnyKv.exe
PID 1672 wrote to memory of 2000 3 C:\Windows\System\vMYgkmo.exe
PID 1672 wrote to memory of 2392 3 C:\Windows\System\UpZlHRf.exe
PID 1672 wrote to memory of 2160 3 C:\Windows\System\pbYLTAV.exe
PID 1672 wrote to memory of 1172 3 C:\Windows\System\viDnTWx.exe
PID 1672 wrote to memory of 324 3 C:\Windows\System\EHeJnIV.exe
PID 1672 wrote to memory of 2700 3 C:\Windows\System\cdoNxdH.exe

Processes

The sample (PID 1672) launches each of the 21 files it dropped into C:\Windows\System with no arguments. PIDs are those recorded in the WriteProcessMemory events above.

PID Image Command line
1672 C:\Users\Admin\AppData\Local\Temp\2024-06-21_28538e635f7ad6431bc37fae18f597f8_cobalt-strike_cobaltstrike_poet-rat.exe "C:\Users\Admin\AppData\Local\Temp\2024-06-21_28538e635f7ad6431bc37fae18f597f8_cobalt-strike_cobaltstrike_poet-rat.exe"
2404 C:\Windows\System\wGAqGSY.exe C:\Windows\System\wGAqGSY.exe
2088 C:\Windows\System\sdzlDsg.exe C:\Windows\System\sdzlDsg.exe
2608 C:\Windows\System\YFFnWDC.exe C:\Windows\System\YFFnWDC.exe
2636 C:\Windows\System\cGEuAol.exe C:\Windows\System\cGEuAol.exe
2596 C:\Windows\System\BbQwlQI.exe C:\Windows\System\BbQwlQI.exe
2896 C:\Windows\System\WZNKtys.exe C:\Windows\System\WZNKtys.exe
2652 C:\Windows\System\ySVJWRc.exe C:\Windows\System\ySVJWRc.exe
2508 C:\Windows\System\JkJXiYj.exe C:\Windows\System\JkJXiYj.exe
2396 C:\Windows\System\vCjykyK.exe C:\Windows\System\vCjykyK.exe
2340 C:\Windows\System\borPMtu.exe C:\Windows\System\borPMtu.exe
680 C:\Windows\System\oxhLHSY.exe C:\Windows\System\oxhLHSY.exe
2800 C:\Windows\System\VrZyPDZ.exe C:\Windows\System\VrZyPDZ.exe
2856 C:\Windows\System\cVLaSPQ.exe C:\Windows\System\cVLaSPQ.exe
2548 C:\Windows\System\qdZqRok.exe C:\Windows\System\qdZqRok.exe
1612 C:\Windows\System\QgJnyKv.exe C:\Windows\System\QgJnyKv.exe
2000 C:\Windows\System\vMYgkmo.exe C:\Windows\System\vMYgkmo.exe
2392 C:\Windows\System\UpZlHRf.exe C:\Windows\System\UpZlHRf.exe
2160 C:\Windows\System\pbYLTAV.exe C:\Windows\System\pbYLTAV.exe
1172 C:\Windows\System\viDnTWx.exe C:\Windows\System\viDnTWx.exe
324 C:\Windows\System\EHeJnIV.exe C:\Windows\System\EHeJnIV.exe
2700 C:\Windows\System\cdoNxdH.exe C:\Windows\System\cdoNxdH.exe
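To see what the dropped-file and WriteProcessMemory tables above actually establish, here is an added Python example (not part of the sandbox report) that parses an excerpt of the report's own rows, correlates each WriteProcessMemory target with the dropped-file list, and counts writes per child. Three writes into a freshly created child are consistent with ordinary process creation (the parent writes the new process's startup parameters into it), so on their own they do not show code injection; the function flags only children that received more than that. The embedded rows are a constructed excerpt of the first four children, and the threshold of three is an assumption taken from this report.

```python
"""Rebuild the spawn picture from the two signature tables above.

Added example for this report, not sandbox code. DROP_ROWS and WPM_ROWS are
a constructed excerpt (first four children) of the report's own rows, kept
in the exact row format the report prints.
"""
import re
from collections import Counter

# Sample path as it appears in the report (no spaces, so \S+ tokenising is safe).
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-21_28538e635f7ad6431bc37fae18f597f8_cobalt-strike_cobaltstrike_poet-rat.exe")

DROP_ROWS = [
    f"File created C:\\Windows\\System\\{name}.exe {SAMPLE} N/A"
    for name in ("wGAqGSY", "sdzlDsg", "YFFnWDC", "cGEuAol")
]

# The report lists three WriteProcessMemory events per child.
_CHILDREN = [(2404, "wGAqGSY"), (2088, "sdzlDsg"), (2608, "YFFnWDC"), (2636, "cGEuAol")]
WPM_ROWS = [
    f"PID 1672 wrote to memory of {pid} N/A {SAMPLE} C:\\Windows\\System\\{name}.exe"
    for pid, name in _CHILDREN
    for _ in range(3)
]

DROP_RE = re.compile(r"^File created (\S+) (\S+) (\S+)$")
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (\S+) (\S+)$")


def parse_drops(rows):
    """Map dropped-file path -> image of the process that created it."""
    drops = {}
    for row in rows:
        m = DROP_RE.match(row)
        if m:
            drops[m.group(1)] = m.group(2)
    return drops


def parse_wpm(rows):
    """One (writer_pid, target_pid, writer_image, target_image) tuple per event."""
    events = []
    for row in rows:
        m = WPM_RE.match(row)
        if m:
            events.append((int(m.group(1)), int(m.group(2)), m.group(4), m.group(5)))
    return events


def spawn_summary(drop_rows, wpm_rows, creation_writes=3):
    """Correlate the two tables.

    creation_writes is the number of writes the sandbox logged for a plain
    CreateProcess of each child (three in this report, an assumption taken
    from the rows themselves); a child with more writes than that received
    data beyond what process creation needs and deserves a closer look.
    """
    drops = parse_drops(drop_rows)
    writes = Counter(parse_wpm(wpm_rows))      # insertion order == report order
    children = []
    for (parent, pid, writer, target), n in writes.items():
        children.append({
            "parent": parent,
            "pid": pid,
            "image": target,
            "writes": n,
            # True when the process writing into the child is the one that dropped its image
            "dropped_by_parent": drops.get(target) == writer,
        })
    return {
        "dropped": sorted(drops),
        "children": children,
        "not_dropped": sorted({c["image"] for c in children} - set(drops)),
        "excess_writes": [c["pid"] for c in children if c["writes"] > creation_writes],
    }


if __name__ == "__main__":
    summary = spawn_summary(DROP_ROWS, WPM_ROWS)
    for c in summary["children"]:
        print(f'{c["parent"]} -> {c["pid"]} {c["image"]} writes={c["writes"]} '
              f'dropped_by_parent={c["dropped_by_parent"]}')
    print("targets not in drop list:", summary["not_dropped"])
    print("children with excess writes:", summary["excess_writes"])
```

Run against the full tables, every one of the 21 children comes back as dropped-by-parent with exactly three writes and nothing in `excess_writes`; the point of the check is that it stays quiet here and would speak up on a detonation where a child is written to after it is already running.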

Network

Country Destination Domain Proto Connections
DE 3.120.209.58:8080 (none recorded) tcp 5

Files

memory/1672-0-0x000000013FB30000-0x000000013FE84000-memory.dmp

memory/1672-1-0x00000000002F0000-0x0000000000300000-memory.dmp

\Windows\system\wGAqGSY.exe

MD5 3c59e5d52c5103c6a6cb57f4532b30b8
SHA1 99845df034d01451c8fe0f4217df5477c522e8de
SHA256 bfa6ebf325e9764216d2f4abb931cf5a92e4a213d9a93f94175227a935e48d6f
SHA512 464f59c44dbd8b6a51d959b455cf82fd92cc46d8fb55ba3e9fe77143bb4eb20fb445221bfd2eee20e35599fecea68021701320634e8bbdcef49c11caaeff724e

memory/2404-7-0x000000013F420000-0x000000013F774000-memory.dmp

\Windows\system\sdzlDsg.exe

MD5 32596b4ee0b0095361cdc421281e4fec
SHA1 f99476eee51553dac6367e56277ccc6ea5325d7b
SHA256 0593c6fdbb7e1c9c9c07f043efb3ffa366d6f5bcbc95626b594055c57669825e
SHA512 53dc82952e43b034f2bb114f2c59079046f583e96c68a38e8f93e935b1fa92fdbb625501f9e67316b3ab1dac8c74db234c27b2127483fe4c6b123784860a9c99

C:\Windows\system\YFFnWDC.exe

MD5 ee543fce0cdea78eab668eefc4dff79c
SHA1 acb4ca68b60db1d3972f4856714d4e17ac10f2ae
SHA256 45ff12458a816f91e8eb599b413f456de1d3dc63f994257cb6725ef737014718
SHA512 1b17ed1dfd87155afd7d3985807fbd62e14c9d02bb31a8ea3dcefc7e987c9040ea1703f6939010035c9a314cedd762be10d66502792fdeb3c415766feab15206

memory/1672-13-0x0000000002380000-0x00000000026D4000-memory.dmp

memory/2608-21-0x000000013FEB0000-0x0000000140204000-memory.dmp

\Windows\system\cGEuAol.exe

MD5 366512aee1cb9854a327c841b8daaef2
SHA1 46a4c7fdd802cdbe34fd17b0c7b9cccf3ba651a9
SHA256 4463b9407d0316f80a73674bdce42ac5d67114b5ed6cf10f0ddd74a7f68120c1
SHA512 3d854b34cff10459ecc725fc24d5869cb79ada64e5ccbef239b5cc90adc4a8460e7885a1d0d34d4bee8f6196001913a349a70f7a0f6138360c5bc744c89267de

memory/2636-27-0x000000013FC10000-0x000000013FF64000-memory.dmp

memory/1672-24-0x0000000002380000-0x00000000026D4000-memory.dmp

memory/1672-19-0x000000013FEB0000-0x0000000140204000-memory.dmp

memory/2088-15-0x000000013FAB0000-0x000000013FE04000-memory.dmp

memory/1672-29-0x000000013FB30000-0x000000013FE84000-memory.dmp

\Windows\system\BbQwlQI.exe

MD5 df8f5492f42c8b066cca50365baeb91c
SHA1 627ee6dd27e486e2f005196b3ae044431a708a00
SHA256 b569388442696d9d99228acb0bff2bb3d9883675acb47f8946c39bb26a6e3378
SHA512 d6f7848a339ec71d19c9f4d7a01a9bf1d7f4a445e35a713dfdcf42eacddbf1888ae8a7a57fadff15d399c2cf153417b622b21412fcff3c857de239f087c11019

memory/2596-38-0x000000013F2F0000-0x000000013F644000-memory.dmp

memory/1672-36-0x0000000002380000-0x00000000026D4000-memory.dmp

memory/2404-35-0x000000013F420000-0x000000013F774000-memory.dmp

\Windows\system\WZNKtys.exe

MD5 81cc69ac52c4f757571d6623a9f94905
SHA1 d851704004b557ebbe083ac80f056bd8f3476a9a
SHA256 c80a80566f64fa4db814084eba33ccf1424411588691cb883ac6108e9f0d9ae2
SHA512 d0c51ff8b526225d2272642f730911a07eeac79f9f0a01d31225aba4f5ae2c9977dde8a4aa18d585cb1796171a9b7d8d0e74284a64d427af93c4a58ea6825d7b

memory/1672-44-0x0000000002380000-0x00000000026D4000-memory.dmp

memory/2896-45-0x000000013FE00000-0x0000000140154000-memory.dmp

C:\Windows\system\ySVJWRc.exe

MD5 464f35c074519465792d27513a59e5c7
SHA1 13ee519f84507f6dd7ee50c597147faaac07e228
SHA256 1df910be5d17a72540afae9692879e6658910a229a88e4709d4be29c499e192a
SHA512 ce9040260c00360bd7745730fbada666d1bbc9ed4db7508e5d1e1b759d8bf242a29fa47d5a24cb0c3d4687713b80e9455c4c54a9c9068e517449276be3592452

memory/2652-50-0x000000013F3F0000-0x000000013F744000-memory.dmp

memory/2608-51-0x000000013FEB0000-0x0000000140204000-memory.dmp

\Windows\system\JkJXiYj.exe

MD5 15ac002e83af25a0f2a3a905d1df6780
SHA1 89cad02e76e373738ff4d30a961215d5ed066603
SHA256 4a76704d948377fe87d7294b0ac0cde6e909a85bb993a537440552860bef0f72
SHA512 1eaccadfd64cc35c7dd24bd4c16b4c773641b87f03aa3da2ed7f76408e5b96fdd7afcf69641a5aa2a65ae520e745f424bacd4fe3015c27337c509545438da127

\Windows\system\vCjykyK.exe

MD5 a4ac12137c6b73cd0b63db27e49f470a
SHA1 c9f8aded023af3880a020c7b4742db9c26323970
SHA256 49537dc05d2592e543e2e881771353d299347ff9ed0ba693ebac4dea765291e5
SHA512 c5a3dd3582e37758befcb526bb63ac614803970ddc6b04f98a77b96cff87c314914b10008bc321cc006d2e0e26db99fe53c427b3d6c65f74c0d87306f0ff2179

\Windows\system\borPMtu.exe

MD5 3adb4225a28c6dcd5c4ae4e76f091927
SHA1 632784a9c791ea31abd42898f0f5cecbcbafc7bc
SHA256 99757655053a54fca48f997324cb39a301ca7c9e3bf315f293446b5af9d20835
SHA512 0e3e7497572bbb8d604bbb45c61abccf8a00ccc6d56d167c40b0f352772043c277c6807831e4410613bea533d197af44ebef0cead3c973ecb569bc1d26e783de

memory/1672-69-0x000000013F540000-0x000000013F894000-memory.dmp

memory/2396-71-0x000000013F540000-0x000000013F894000-memory.dmp

memory/1672-72-0x0000000002380000-0x00000000026D4000-memory.dmp

memory/2340-73-0x000000013F850000-0x000000013FBA4000-memory.dmp

memory/2636-63-0x000000013FC10000-0x000000013FF64000-memory.dmp

memory/2508-61-0x000000013F790000-0x000000013FAE4000-memory.dmp

C:\Windows\system\oxhLHSY.exe

MD5 97815a8ac2d3059f7379432337752a88
SHA1 5db0681066b1f917a06af83b1889862970e62ed0
SHA256 c889f95c2415e265bc5a412acd64a62e253668330577e80542d725313a517569
SHA512 ef36f6aea744c3347c093452ca8827447d0747f14312190763d0a993967b488c6368bdf9b0dad5213dc42b521d877c58922a881db93bd6bacdb2f778bd77d059

memory/680-78-0x000000013F490000-0x000000013F7E4000-memory.dmp

C:\Windows\system\VrZyPDZ.exe

MD5 90014b4d653d5e1196ceb256254db594
SHA1 086abf31574ebc638432d04c12076eb3c5b8aa90
SHA256 c132ba42a18c1115c338d5fe3c127e25fa024aa8fd13c1f5c4e130c754d39547
SHA512 c3c6c2e89094c22d5522c6b3131931a81d761d6c1db11588456f9f90254f23ff9df808b58d6445683add13b8402d6c928aa96c77ba83acb4c354544e6bfbff97

\Windows\system\cVLaSPQ.exe

MD5 556fb14bda8f2f957d7b1d5cf879cdaa
SHA1 8a0bb0777ba364d495ec29da9cc6e85a4c404ace
SHA256 c522ab2a38d891b5637fb6157c952b48e08a82bad937f5aa124ec834b4c23fa1
SHA512 bb7a0933a5e4122f932228e09d5d793c657ab3f1acf649931dc5e4f39efb827ded812afed348765a04e1a1527003caada6347bfb4a446ca66ae079e4b27c1657

memory/1672-88-0x0000000002380000-0x00000000026D4000-memory.dmp

memory/2652-95-0x000000013F3F0000-0x000000013F744000-memory.dmp


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-21 01:29

Reported

2024-06-21 01:31

Platform

win10v2004-20240508-en

Max time kernel

125s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-21_28538e635f7ad6431bc37fae18f597f8_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-21_28538e635f7ad6431bc37fae18f597f8_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-21_28538e635f7ad6431bc37fae18f597f8_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4696,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=4184 /prefetch:8

Network


Files
