Malware Analysis Report

2024-10-16 03:04

Sample ID 240621-bwrbcsyfnr
Target 2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat
SHA256 0db514c278ce33edc92c89465960b9f80a2294a04561a437978ee1a99e747043
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0db514c278ce33edc92c89465960b9f80a2294a04561a437978ee1a99e747043

Threat Level: Known bad

The file 2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobaltstrike family

Cobaltstrike

XMRig Miner payload

xmrig

Cobalt Strike reflective loader

Xmrig family

XMRig Miner payload

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-21 01:29

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-21 01:29

Reported

2024-06-21 01:32

Platform

win7-20240221-en

Max time kernel

141s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\pdFgWjN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uMbGIGy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zPHJAmj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WJxkRXh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LiDGMeO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PiRSICm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OtxkzXC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NsTUXwS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RMnvqFN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ssrgRUM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OltEWvF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lClYssN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UvXhigw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dbLqHJn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\brAxUYb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GNqbaYA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SHSmUdj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CHVvqVD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wMgvtTA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bRxatSJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sqhlyof.exe C:\Users\Admin\AppData\Local\Temp\2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2156 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dbLqHJn.exe
PID 2156 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OtxkzXC.exe
PID 2156 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\brAxUYb.exe
PID 2156 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NsTUXwS.exe
PID 2156 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GNqbaYA.exe
PID 2156 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bRxatSJ.exe
PID 2156 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SHSmUdj.exe
PID 2156 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sqhlyof.exe
PID 2156 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RMnvqFN.exe
PID 2156 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CHVvqVD.exe
PID 2156 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ssrgRUM.exe
PID 2156 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OltEWvF.exe
PID 2156 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pdFgWjN.exe
PID 2156 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lClYssN.exe
PID 2156 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uMbGIGy.exe
PID 2156 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zPHJAmj.exe
PID 2156 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UvXhigw.exe
PID 2156 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wMgvtTA.exe
PID 2156 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WJxkRXh.exe
PID 2156 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LiDGMeO.exe
PID 2156 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PiRSICm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\dbLqHJn.exe

C:\Windows\System\OtxkzXC.exe

C:\Windows\System\brAxUYb.exe

C:\Windows\System\NsTUXwS.exe

C:\Windows\System\GNqbaYA.exe

C:\Windows\System\bRxatSJ.exe

C:\Windows\System\SHSmUdj.exe

C:\Windows\System\sqhlyof.exe

C:\Windows\System\RMnvqFN.exe

C:\Windows\System\CHVvqVD.exe

C:\Windows\System\ssrgRUM.exe

C:\Windows\System\OltEWvF.exe

C:\Windows\System\pdFgWjN.exe

C:\Windows\System\lClYssN.exe

C:\Windows\System\uMbGIGy.exe

C:\Windows\System\zPHJAmj.exe

C:\Windows\System\UvXhigw.exe

C:\Windows\System\wMgvtTA.exe

C:\Windows\System\WJxkRXh.exe

C:\Windows\System\LiDGMeO.exe

C:\Windows\System\PiRSICm.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-21 01:29

Reported

2024-06-21 01:32

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat.exe"

Network

Files

memory/2256-0-0x00007FF616720000-0x00007FF616A74000-memory.dmp