Malware Analysis Report

2024-10-23 18:49

Sample ID 240628-abma8szdjg
Target 2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat
SHA256 b501f3100bfac73023d7772e7fec733787acf11561c6c0bd6c0f34ba0682ae58
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b501f3100bfac73023d7772e7fec733787acf11561c6c0bd6c0f34ba0682ae58

Threat Level: Known bad

The file 2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Xmrig family

xmrig

Cobaltstrike family

XMRig Miner payload

Detects Reflective DLL injection artifacts

Cobaltstrike

Cobalt Strike reflective loader

UPX dump on OEP (original entry point)

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-28 00:02

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-28 00:02

Reported

2024-06-28 00:04

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
21 matches, all columns N/A (per-match detail is not present in this export)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
21 matches, all columns N/A (per-match detail is not present in this export)

UPX dump on OEP (original entry point)

Description Indicator Process Target
64 matches, all columns N/A (per-match detail is not present in this export)

XMRig Miner payload

miner
Description Indicator Process Target
64 matches, all columns N/A (per-match detail is not present in this export)

UPX packed file

upx
Description Indicator Process Target
64 matches, all columns N/A (per-match detail is not present in this export)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\DFHEDmv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\Wloeezj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GKlAixp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bCgKacg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZuJDENN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KjatxbA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tAAXhKS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SEXMdTw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZcFAASW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aqAnxVr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RUmRLbR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SaVDShz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\heawLuc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wcTqzAn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bOjnijp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zagAOab.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LNPwPcB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\StulbEu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lMfFUdk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lEjoXtk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PXDakyW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 380 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bOjnijp.exe
PID 380 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bOjnijp.exe
PID 380 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LNPwPcB.exe
PID 380 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LNPwPcB.exe
PID 380 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DFHEDmv.exe
PID 380 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DFHEDmv.exe
PID 380 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SEXMdTw.exe
PID 380 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SEXMdTw.exe
PID 380 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZcFAASW.exe
PID 380 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZcFAASW.exe
PID 380 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aqAnxVr.exe
PID 380 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aqAnxVr.exe
PID 380 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\StulbEu.exe
PID 380 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\StulbEu.exe
PID 380 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lMfFUdk.exe
PID 380 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lMfFUdk.exe
PID 380 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Wloeezj.exe
PID 380 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Wloeezj.exe
PID 380 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GKlAixp.exe
PID 380 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GKlAixp.exe
PID 380 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bCgKacg.exe
PID 380 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bCgKacg.exe
PID 380 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lEjoXtk.exe
PID 380 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lEjoXtk.exe
PID 380 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RUmRLbR.exe
PID 380 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RUmRLbR.exe
PID 380 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SaVDShz.exe
PID 380 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SaVDShz.exe
PID 380 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zagAOab.exe
PID 380 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zagAOab.exe
PID 380 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PXDakyW.exe
PID 380 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PXDakyW.exe
PID 380 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\heawLuc.exe
PID 380 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\heawLuc.exe
PID 380 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZuJDENN.exe
PID 380 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZuJDENN.exe
PID 380 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KjatxbA.exe
PID 380 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KjatxbA.exe
PID 380 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tAAXhKS.exe
PID 380 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tAAXhKS.exe
PID 380 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wcTqzAn.exe
PID 380 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wcTqzAn.exe

Each child receives exactly two writes from the parent (PID 380), and the target of every write is the child's own image. That pattern is consistent with ordinary process start-up of a freshly created child rather than with injection into an unrelated process. The reflective-loader and reflective-DLL-injection signatures also fire in the static analysis (static1) where nothing is executed, so they are content matches on the binaries, not conclusions drawn from these writes.
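The behaviour recorded in the two tables above (21 freshly created, randomly named EXEs written under C:\Windows\System, each then spawned by the parent) is the part of this sample that survives per-file hash churn. The following Python is an added example written for this page, not tooling from the sandbox or from the sample's authors. It transcribes the drops and spawns from the tables into a constructed event list under a hypothetical schema (type / process / path / parent / image), adds one benign installer as a negative case, and flags any parent that both writes at least five seven-letter EXEs into C:\Windows\System and executes them.

```python
import re
from collections import defaultdict

# Parent image and drop directory as recorded in the report.
PARENT = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe")
SYSTEM_DIR = r"C:\Windows\System"

# The 21 file names from the "Drops file in Windows directory" table.
DROPPED = ["DFHEDmv", "Wloeezj", "GKlAixp", "bCgKacg", "ZuJDENN", "KjatxbA", "tAAXhKS",
           "SEXMdTw", "ZcFAASW", "aqAnxVr", "RUmRLbR", "SaVDShz", "heawLuc", "wcTqzAn",
           "bOjnijp", "zagAOab", "LNPwPcB", "StulbEu", "lMfFUdk", "lEjoXtk", "PXDakyW"]


def sys_path(name):
    return SYSTEM_DIR + "\\" + name + ".exe"


# Constructed event stream (hypothetical schema): one file_create per drop and one
# process_create per child, transcribed from the tables above, plus a benign installer
# that writes and runs a single file so the detector has a negative case.
EVENTS = (
    [{"type": "file_create", "process": PARENT, "path": sys_path(n)} for n in DROPPED]
    + [{"type": "process_create", "parent": PARENT, "image": sys_path(n)} for n in DROPPED]
    + [{"type": "file_create", "process": r"C:\Temp\setup.exe", "path": sys_path("Helpers")},
       {"type": "process_create", "parent": r"C:\Temp\setup.exe", "image": sys_path("Helpers")}]
)

# Exactly seven letters directly under C:\Windows\System, the legacy 16-bit directory,
# which modern installers have no reason to populate with new executables.
RANDOM_NAME = re.compile(r"^c:\\windows\\system\\[a-z]{7}\.exe$", re.IGNORECASE)


def find_drop_and_spawn(events, min_files=5):
    """Return {parent_image: sorted dropped paths} for every parent that wrote at least
    min_files randomly named EXEs into C:\\Windows\\System and then executed them."""
    dropped = defaultdict(set)   # parent image -> paths it created
    spawned = defaultdict(set)   # parent image -> child images it started
    for ev in events:
        if ev["type"] == "file_create" and RANDOM_NAME.match(ev["path"]):
            dropped[ev["process"]].add(ev["path"].lower())
        elif ev["type"] == "process_create":
            spawned[ev["parent"]].add(ev["image"].lower())
    hits = {}
    for parent, paths in dropped.items():
        executed = paths & spawned.get(parent, set())   # dropped AND run
        if len(executed) >= min_files:
            hits[parent] = sorted(executed)
    return hits


if __name__ == "__main__":
    for parent, paths in find_drop_and_spawn(EVENTS).items():
        print(f"{parent}\n  dropped and executed {len(paths)} binaries, first: {paths[0]}")
```

The threshold of five is a tuning knob: a single drop-and-run into this directory is unusual enough to review, but the fan-out of twenty-plus children from one parent is what separates this sample from an installer. The same rule transfers to Sysmon (event IDs 11 and 1) or EDR telemetry by feeding those records into the same event shape.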

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\bOjnijp.exe

C:\Windows\System\bOjnijp.exe

C:\Windows\System\LNPwPcB.exe

C:\Windows\System\LNPwPcB.exe

C:\Windows\System\DFHEDmv.exe

C:\Windows\System\DFHEDmv.exe

C:\Windows\System\SEXMdTw.exe

C:\Windows\System\SEXMdTw.exe

C:\Windows\System\ZcFAASW.exe

C:\Windows\System\ZcFAASW.exe

C:\Windows\System\aqAnxVr.exe

C:\Windows\System\aqAnxVr.exe

C:\Windows\System\StulbEu.exe

C:\Windows\System\StulbEu.exe

C:\Windows\System\lMfFUdk.exe

C:\Windows\System\lMfFUdk.exe

C:\Windows\System\Wloeezj.exe

C:\Windows\System\Wloeezj.exe

C:\Windows\System\GKlAixp.exe

C:\Windows\System\GKlAixp.exe

C:\Windows\System\bCgKacg.exe

C:\Windows\System\bCgKacg.exe

C:\Windows\System\lEjoXtk.exe

C:\Windows\System\lEjoXtk.exe

C:\Windows\System\RUmRLbR.exe

C:\Windows\System\RUmRLbR.exe

C:\Windows\System\SaVDShz.exe

C:\Windows\System\SaVDShz.exe

C:\Windows\System\zagAOab.exe

C:\Windows\System\zagAOab.exe

C:\Windows\System\PXDakyW.exe

C:\Windows\System\PXDakyW.exe

C:\Windows\System\heawLuc.exe

C:\Windows\System\heawLuc.exe

C:\Windows\System\ZuJDENN.exe

C:\Windows\System\ZuJDENN.exe

C:\Windows\System\KjatxbA.exe

C:\Windows\System\KjatxbA.exe

C:\Windows\System\tAAXhKS.exe

C:\Windows\System\tAAXhKS.exe

C:\Windows\System\wcTqzAn.exe

C:\Windows\System\wcTqzAn.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 - udp
N/A 40.119.249.228:443 - tcp
US 8.8.8.8:53 - udp
US 8.8.8.8:53 - udp
US 8.8.8.8:53 - udp

A "-" in the Domain column means the report recorded no domain for that connection. Apart from resolver traffic to 8.8.8.8:53 (including the reverse lookups) and the two Bing endpoints, the only recurring traffic is six TCP connections to 3.120.209.58:8080 (DE) with no preceding name resolution, which makes that endpoint the obvious beacon candidate. The report does not include session contents, so treat it as an indicator to pivot on rather than a confirmed C2.
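Sandbox network logs are mostly noise from the guest image, and the triage step is to strip that noise and rank what is left by repetition. The following Python is an added example for this page, not sandbox tooling. It carries the rows of the table above as a constructed list, treats the 8.8.8.8:53 resolver traffic and an assumed allowlist of two Bing domains as background, and ranks the remaining direct-to-IP TCP destinations by how often they recur.

```python
from collections import Counter

# Rows of the Network table above as (country, destination, domain, proto);
# None where the report recorded no domain for the connection.
CONNECTIONS = [
    ("US", "8.8.8.8:53", "g.bing.com", "udp"),
    ("US", "13.107.21.237:443", "g.bing.com", "tcp"),
    ("US", "8.8.8.8:53", "64.159.190.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "97.17.167.52.in-addr.arpa", "udp"),
    ("DE", "3.120.209.58:8080", None, "tcp"),
    ("US", "8.8.8.8:53", "205.47.74.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "80.90.14.23.in-addr.arpa", "udp"),
    ("NL", "23.62.61.97:443", "www.bing.com", "tcp"),
    ("US", "8.8.8.8:53", "103.169.127.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "97.61.62.23.in-addr.arpa", "udp"),
    ("DE", "3.120.209.58:8080", None, "tcp"),
    ("US", "8.8.8.8:53", "140.32.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "82.90.14.23.in-addr.arpa", "udp"),
    ("DE", "3.120.209.58:8080", None, "tcp"),
    ("US", "8.8.8.8:53", "73.159.190.20.in-addr.arpa", "udp"),
    ("DE", "3.120.209.58:8080", None, "tcp"),
    ("US", "8.8.8.8:53", "172.210.232.199.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "13.227.111.52.in-addr.arpa", "udp"),
    ("DE", "3.120.209.58:8080", None, "tcp"),
    ("US", "8.8.8.8:53", "58.55.71.13.in-addr.arpa", "udp"),
    ("DE", "3.120.209.58:8080", None, "tcp"),
    ("US", "8.8.8.8:53", "133.32.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", None, "udp"),
    ("N/A", "40.119.249.228:443", None, "tcp"),
    ("US", "8.8.8.8:53", None, "udp"),
    ("US", "8.8.8.8:53", None, "udp"),
    ("US", "8.8.8.8:53", None, "udp"),
]

RESOLVER = "8.8.8.8:53"
# Assumed allowlist: domains the Windows 10 image contacts on its own in clean runs.
BACKGROUND_DOMAINS = {"g.bing.com", "www.bing.com"}


def classify(conn):
    """Label one connection: dns (resolver traffic, reverse lookups included),
    background (allowlisted domain), direct-ip (no domain recorded) or named."""
    country, dest, domain, proto = conn
    if dest == RESOLVER and proto == "udp":
        return "dns"
    if domain in BACKGROUND_DOMAINS:
        return "background"
    if domain is None:
        return "direct-ip"
    return "named"


def traffic_profile(conns):
    """Counts per category, e.g. {'dns': 18, 'background': 2, 'direct-ip': 7}."""
    return dict(Counter(classify(c) for c in conns))


def c2_candidates(conns):
    """Direct-to-IP TCP destinations ranked by recurrence: a beacon checking in on a
    fixed interval shows up as the same destination repeated many times."""
    counts = Counter((dest, country) for country, dest, domain, proto in conns
                     if proto == "tcp" and classify((country, dest, domain, proto)) == "direct-ip")
    return counts.most_common()


if __name__ == "__main__":
    print(traffic_profile(CONNECTIONS))
    for (dest, country), n in c2_candidates(CONNECTIONS):
        print(f"{dest:<22} {country:<4} {n} connections")
```

On this data the ranking puts 3.120.209.58:8080 first with six hits and 40.119.249.228:443 last with one; the single unresolved HTTPS connection deserves a look but is not what the repetition points at. The allowlist is deliberately tiny; in practice it is built from the same image detonated with a known-clean file.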

Files

memory/380-0-0x00007FF799DB0000-0x00007FF79A104000-memory.dmp

memory/380-1-0x000002803DF50000-0x000002803DF60000-memory.dmp

C:\Windows\System\bOjnijp.exe

MD5 86725d7c403593bf38fb1173cbc52824
SHA1 9c272993fb86fe906fa1c210d8a36702f956ee7a
SHA256 3556bff6bca69f179b9a1d842ecf26cd86ff86834a516b89bb519ccf3d28b876
SHA512 004d19350b0607890c14faf1608b9c68005cbff80dfc9abce30a9c666d4f08868026fc20a4772e85e0abe13d86cc1f281914904b22aa39170fec409d681fc887

memory/3820-7-0x00007FF7B77E0000-0x00007FF7B7B34000-memory.dmp

C:\Windows\System\LNPwPcB.exe

MD5 3b86323c4e790e08e4dc0b16481934ca
SHA1 f37ecf2714ae888e22f4828392d59ab816fc999d
SHA256 5c3e95af2a205bd529d5f106266fc274690039094dedd20d31e26f048e74a199
SHA512 ea7f04e801b7d9daa20b1a0fb5b7067a4aad143bc0ab29cb2126a4a5069e567e05d70b99d59c44ca052e9249b598f81e6cfcccf7c100f998cb939053a1fa0c99

memory/3988-12-0x00007FF647C60000-0x00007FF647FB4000-memory.dmp

C:\Windows\System\DFHEDmv.exe

MD5 3ae9f7afeca901af6f3eecb50547ee35
SHA1 718e45016eb114e2f16cafe538ec715e61c56e38
SHA256 f992bf32a14d8f4908fe24b0a7f26141d8ff9862ad6d85adc82ed645988ad591
SHA512 1addcebacf1927eea4e5920673ea5af9760aab151f39942cea38abce5bb7b9a7718aacb7e769093cd9a7239e432996c3bba5986cce6dd798a609068f37d1f8c0

memory/4392-20-0x00007FF73FF50000-0x00007FF7402A4000-memory.dmp

C:\Windows\System\SEXMdTw.exe

MD5 e9eeb70be3f2276819cc347c0eba6b98
SHA1 c7630c92f2ae380e4d772ffc45424d4d32354c2b
SHA256 81acd64e0666d4c80b783116911cee4e63e563ca66a031e36b03db4211c12fd3
SHA512 9d4fc8598333aff6b33dba3c7fc2c18b0d747d9fdd91d9673a1acd89e878eb8a609cde1cabfea8a1433e8880ee434ae6271f54fd2099ddf1f91f3afe125cdc51

memory/5020-24-0x00007FF6CBE20000-0x00007FF6CC174000-memory.dmp

C:\Windows\System\ZcFAASW.exe

MD5 878e6934e17d7ad9f5562708bab9dda2
SHA1 702876682dadf5aed440a52c24a9c473ad0d46c4
SHA256 fa4a7be3abf5abf440b0daae8a6a68e0b71f2bda8901f6dee9d97ebf0d391711
SHA512 911089f78f7bd7fc5a176c2778ca1f6d640ad61f795b6a2e8f39fcbda16172e1870ab2df900976d381294884f7bcbd23e42872aa54cbf9468edb1b4be7752eda

memory/3164-31-0x00007FF6E4C70000-0x00007FF6E4FC4000-memory.dmp

C:\Windows\System\aqAnxVr.exe

MD5 d6cc3b0635997fc24d34cfde15225248
SHA1 3fed23a5bd353cb3d6aaf4a940817ab208dad16d
SHA256 df71e2d158496c2ba327f26674d17992d59420481a8f249746d621c6a4d7c072
SHA512 e522f45bc6ae1dab991491d36bb96867bcdd21b2a73f3b8fd59b49b3069b0bb1b45ab63f907140172f2a8bc4b07cf974bd1897bd2dd0bbac051c444632d6b079

memory/4000-36-0x00007FF6B5770000-0x00007FF6B5AC4000-memory.dmp

C:\Windows\System\StulbEu.exe

MD5 cc551ad7ac3e3951d62398640d2f161f
SHA1 f4e4f7ae629baf1074277faffe493522bf56dec9
SHA256 424a7c5e777b64fca324e19cb17643c631fda6d7b28864456120e5ea8f6e4e94
SHA512 387d295d59bf134b333e2d0cb40e3200203d8d0efc0d90f62651620f4a2e332af79b88041137d87f4483234b43c101f4c5c47a8f227069e4c8afa86af42a04e3

C:\Windows\System\lMfFUdk.exe

MD5 0e461985b9a1c46ca8e42d4a7c03afac
SHA1 ae72de69e92f10b96bb6b63d12fa77049c5db1b8
SHA256 37350a892a335b6dde24ba3db4e936a8c0f6070d107d0195b6b2af71dacc7a25
SHA512 8b192efaa77d775556a8e1bd89edd135238da592521b40473071504d813ff6f60896c6d8321359764e774cf23a2a34912ad6d68c62a340d9d126fe317c325dec

memory/3196-48-0x00007FF68C7F0000-0x00007FF68CB44000-memory.dmp

memory/4200-43-0x00007FF604550000-0x00007FF6048A4000-memory.dmp

C:\Windows\System\Wloeezj.exe

MD5 81abf6d8880400abdee73eaeea8a194f
SHA1 a2d13da37dbd8ce54dbfa882cee3ed1b3f8bc253
SHA256 ba11904a9c7335fe9b328d3a7b108b2f828742462eb1acbf04fb8636ddd99236
SHA512 17c0da93790ad62f9d3976b59fa4ce44177868201614d990aad18b2e326de130108f3f5755f46b3584b0846b4a8cd3ba6c068dcf42c2b42a100643381c35e610

memory/1564-56-0x00007FF7DBA40000-0x00007FF7DBD94000-memory.dmp

C:\Windows\System\GKlAixp.exe

MD5 0c4204ec30834d561264ba54049aa26d
SHA1 86b90460229a08eace2511c3f10c7e8d0fffce05
SHA256 27ec6be70a1ad19bb396b2e2b1d8a8305f8a9a1c2c611a85f06f461e82eec265
SHA512 a2669e4acb2b9138fd14d67211e110577db407be7b0b6311398bf52ec68152f941dffe9707d05916dc5948065da3bfc626d7d7cb68fe8a7710af37d410534d7a

C:\Windows\System\bCgKacg.exe

MD5 dc7a3b19e847ce5c72716ecd2ec85083
SHA1 e2aad7dccd82a4a6ccc2a120df6fb7734e13eb1d
SHA256 41f69669c4fbb92f29d3a57a9a47a5acfafdea5e24ad497ba699d28d9d08a17e
SHA512 cdf491b8779fb04778d98a0c4c843699a66818429033a6b4719a7f640a2c9ee1c6491a7ffa9835cdbbdb8273f75245626a40b21529d9bed526762b173f622cc8

memory/1264-73-0x00007FF682460000-0x00007FF6827B4000-memory.dmp

C:\Windows\System\lEjoXtk.exe

MD5 38fc4870401f53485d11dd3d8c346a07
SHA1 8f71019c4382d905d2b2cd76bd48d9bcf72bc0e1
SHA256 c410e1da37eb340b2ee7c8d2ad18df2964786c6b057150f0a2d45221b943e1be
SHA512 16e8b724c56fb90ec1d8e8e89adf2e61cec47a43c8867a79440c1c17f48b2ed8348ea5786346af040c260ab1a85ff0fa304c7351eabe905d481f9c7f79d3b29f

memory/2324-74-0x00007FF6FBBF0000-0x00007FF6FBF44000-memory.dmp

memory/3820-71-0x00007FF7B77E0000-0x00007FF7B7B34000-memory.dmp

memory/2172-65-0x00007FF72CB30000-0x00007FF72CE84000-memory.dmp

memory/380-62-0x00007FF799DB0000-0x00007FF79A104000-memory.dmp

C:\Windows\System\RUmRLbR.exe

MD5 8059c8d877a91c8a0ed35d201d107ac5
SHA1 caa9126e8d8d911f42fa4620197bbeed9f71abcf
SHA256 bc6a9fe53b371528b3cf013c622f7080411e94129b774d17cdcd2be04a7d70be
SHA512 e37f63db1a5cc9609a2aa4c360faed55578e5926cf56f1dd5dc25abab87b7539c317193eb24810e2bf003484e92de740f7c6dce2d6d6e454527e5cbd9065306b

memory/3988-82-0x00007FF647C60000-0x00007FF647FB4000-memory.dmp

memory/3472-85-0x00007FF6C0450000-0x00007FF6C07A4000-memory.dmp

C:\Windows\System\SaVDShz.exe

MD5 7b7de6a298491cc6be09a825c8fe8688
SHA1 53ce3caa8220bace6aafad13896ef2adce5e4949
SHA256 0c91cd3e2be69e2f0e88d947705a22161ec9a8587019b6934bd74ecfe90d36c0
SHA512 39e94a3013a8fc0a55329791b1e5f9d1fcc51639b28f167df58772e5d01ea10d0a469e37d0d6049c7a76aca65811305acf3b8cf28c6cfe6b2ec94ab2ed10b3cc

C:\Windows\System\zagAOab.exe

MD5 bb8d02853f85b7bf5f7cab33748912bc
SHA1 0df6fbcc98ab3a874d9f51dff72068af54b3a29e
SHA256 ee88ad88aff3348e7c44543c58438f6311cb1ab5c88230e7f64e1d8708a89711
SHA512 a7b749da164bb04fd11018d7a9845d9c19ff566dac9f7bf22cd4036a17224f044d47d3b6235db877c9fe3e3260c99bc6c84394750bcfd0426562f206bd5e6290

memory/5020-95-0x00007FF6CBE20000-0x00007FF6CC174000-memory.dmp

memory/2056-96-0x00007FF662100000-0x00007FF662454000-memory.dmp

memory/1624-90-0x00007FF7EEB70000-0x00007FF7EEEC4000-memory.dmp

memory/4392-89-0x00007FF73FF50000-0x00007FF7402A4000-memory.dmp

C:\Windows\System\PXDakyW.exe

MD5 8045228cdc6e928c3e92e287d207a163
SHA1 2e9feeac06a4cf77999f30a0191683be133f02d1
SHA256 78a60e9c93691c2d3bb1500e013f1f788ab9164185b456e7e4e2080c3fa6b125
SHA512 521844d5ce0effafc4966edc487b16ec07c581b3e11c79cf00b33a1235ad055655233b62686e06fc177e1d132e5c14d1c5ddb5fbb36b8e89b01c05530a3f134a

memory/4316-102-0x00007FF60EB60000-0x00007FF60EEB4000-memory.dmp

memory/3164-101-0x00007FF6E4C70000-0x00007FF6E4FC4000-memory.dmp

C:\Windows\System\heawLuc.exe

MD5 19bee620104d5c6f7365bd157d0bc828
SHA1 fcf2c1b330cd47eec726fe5be2dc318a05e67dad
SHA256 6623fd8ea026fc55e905bd7de26763ea67d9144565851b52c49aaa4410a424a0
SHA512 5e88814edaf89b989aeff400dcfeedf2c3c73ced50c602dccea860dfb6ee87fed95f4095a2a48f9a2cbc73293917d590ed3b33c5436007b12c445728e313334c

memory/528-111-0x00007FF618750000-0x00007FF618AA4000-memory.dmp

C:\Windows\System\ZuJDENN.exe

MD5 24c12d470a0770703461d47feda16b6b
SHA1 453a1d74ad68b327fd3607a57a03a53be19534aa
SHA256 1fdd6a88e7a5def776af3fd33a51fb6dd751f72c22670a8b6c68831d2ec4f398
SHA512 096deed53d2d64bf782fc764e7dd8a14aaba524580c3e4e3c4e1f81c19f8493ffd1fc0318b2c0f1a547f5703c7d24ee2a0df0ae04b4009a63d38fb0ed4061aa3

memory/4000-110-0x00007FF6B5770000-0x00007FF6B5AC4000-memory.dmp

memory/4200-116-0x00007FF604550000-0x00007FF6048A4000-memory.dmp

memory/828-118-0x00007FF64ACB0000-0x00007FF64B004000-memory.dmp

C:\Windows\System\KjatxbA.exe

MD5 27a5ddfcf7ac976e3affd020bacb13db
SHA1 7b329de25b78543ee62276a439cc5cce124253da
SHA256 1c6d68748c56f569820fe8b94db6ad7fd9a6f2f6c43b16291a6e11af75abafcf
SHA512 60ef7db1d30092868536410a8f44e4b6d3ed4b9781106e330643e1ebea42ed9f2ac5da2b4af91536730535c8cc900d72283a61205d3e3376de0db24f12094130

memory/3196-124-0x00007FF68C7F0000-0x00007FF68CB44000-memory.dmp

memory/928-125-0x00007FF621FD0000-0x00007FF622324000-memory.dmp

C:\Windows\System\tAAXhKS.exe

MD5 dc13784d02fcb98df4af6bc10712bd82
SHA1 3cf1c34f983444ec32a41ddf01a6426b52454554
SHA256 8ac197e6a0cd3323c0ee0da9575cf83d50ca5fe1dd30246a80e00d33d54f96f2
SHA512 bc56fd544b44084949bbe389a47300dea2ce82af593ba7ded8d1ed7b644e713f82bd474915ea30485feb91cf80914c896141aae04ff4c50c46054a37d7c71b32

C:\Windows\System\wcTqzAn.exe

MD5 167c49133913898bc81bd834ffeab5f5
SHA1 04a4cc5ba715f0752ce85469c65c6924a54421f9
SHA256 1a49548285d55c854c410c5a38d704abdd239d4016abcef747a409bce5652f72
SHA512 9537c862e5c4dca0390920cdb6afb662f5a70bf24b03e9978540bb17a4bfc67e83bc12899d9f81c7a897c4e83ed602b3714cbf28e2fb0b8bffd6428fa13b6aa5

memory/1564-135-0x00007FF7DBA40000-0x00007FF7DBD94000-memory.dmp

memory/1312-136-0x00007FF61CCE0000-0x00007FF61D034000-memory.dmp

memory/1672-137-0x00007FF6083D0000-0x00007FF608724000-memory.dmp

memory/2324-138-0x00007FF6FBBF0000-0x00007FF6FBF44000-memory.dmp

memory/2056-139-0x00007FF662100000-0x00007FF662454000-memory.dmp

memory/4316-140-0x00007FF60EB60000-0x00007FF60EEB4000-memory.dmp

memory/828-141-0x00007FF64ACB0000-0x00007FF64B004000-memory.dmp

memory/928-142-0x00007FF621FD0000-0x00007FF622324000-memory.dmp

memory/3820-143-0x00007FF7B77E0000-0x00007FF7B7B34000-memory.dmp

memory/3988-144-0x00007FF647C60000-0x00007FF647FB4000-memory.dmp

memory/4392-145-0x00007FF73FF50000-0x00007FF7402A4000-memory.dmp

memory/5020-146-0x00007FF6CBE20000-0x00007FF6CC174000-memory.dmp

memory/3164-147-0x00007FF6E4C70000-0x00007FF6E4FC4000-memory.dmp

memory/4000-148-0x00007FF6B5770000-0x00007FF6B5AC4000-memory.dmp

memory/4200-149-0x00007FF604550000-0x00007FF6048A4000-memory.dmp

memory/3196-150-0x00007FF68C7F0000-0x00007FF68CB44000-memory.dmp

memory/1564-151-0x00007FF7DBA40000-0x00007FF7DBD94000-memory.dmp

memory/2172-152-0x00007FF72CB30000-0x00007FF72CE84000-memory.dmp

memory/1264-153-0x00007FF682460000-0x00007FF6827B4000-memory.dmp

memory/2324-154-0x00007FF6FBBF0000-0x00007FF6FBF44000-memory.dmp

memory/3472-155-0x00007FF6C0450000-0x00007FF6C07A4000-memory.dmp

memory/1624-156-0x00007FF7EEB70000-0x00007FF7EEEC4000-memory.dmp

memory/2056-157-0x00007FF662100000-0x00007FF662454000-memory.dmp

memory/4316-158-0x00007FF60EB60000-0x00007FF60EEB4000-memory.dmp

memory/528-159-0x00007FF618750000-0x00007FF618AA4000-memory.dmp

memory/828-160-0x00007FF64ACB0000-0x00007FF64B004000-memory.dmp

memory/928-161-0x00007FF621FD0000-0x00007FF622324000-memory.dmp

memory/1672-162-0x00007FF6083D0000-0x00007FF608724000-memory.dmp

memory/1312-163-0x00007FF61CCE0000-0x00007FF61D034000-memory.dmp
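The Files section above pairs each dropped binary with its own hash set and lists one memory region per process, and two checks are worth running before turning any of it into blocks: whether any of the 21 dropped files share a hash, and whether the mapped image sizes agree. The following Python is an added example for this page, not sandbox tooling. It parses a constructed excerpt copied from the lines above (three dropped files and five memory regions) using the report's own memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp naming; the 0x100000 threshold that separates mapped images from the small heap region of PID 380 is an assumption.

```python
import re
from collections import Counter

# Constructed excerpt copied from the Files section above: three of the 21 dropped
# binaries with their hashes and five of the memory regions.
REPORT_EXCERPT = r"""
memory/380-0-0x00007FF799DB0000-0x00007FF79A104000-memory.dmp

memory/380-1-0x000002803DF50000-0x000002803DF60000-memory.dmp

C:\Windows\System\bOjnijp.exe

MD5 86725d7c403593bf38fb1173cbc52824
SHA1 9c272993fb86fe906fa1c210d8a36702f956ee7a
SHA256 3556bff6bca69f179b9a1d842ecf26cd86ff86834a516b89bb519ccf3d28b876
SHA512 004d19350b0607890c14faf1608b9c68005cbff80dfc9abce30a9c666d4f08868026fc20a4772e85e0abe13d86cc1f281914904b22aa39170fec409d681fc887

memory/3820-7-0x00007FF7B77E0000-0x00007FF7B7B34000-memory.dmp

C:\Windows\System\LNPwPcB.exe

MD5 3b86323c4e790e08e4dc0b16481934ca
SHA1 f37ecf2714ae888e22f4828392d59ab816fc999d
SHA256 5c3e95af2a205bd529d5f106266fc274690039094dedd20d31e26f048e74a199
SHA512 ea7f04e801b7d9daa20b1a0fb5b7067a4aad143bc0ab29cb2126a4a5069e567e05d70b99d59c44ca052e9249b598f81e6cfcccf7c100f998cb939053a1fa0c99

memory/3988-12-0x00007FF647C60000-0x00007FF647FB4000-memory.dmp

C:\Windows\System\DFHEDmv.exe

MD5 3ae9f7afeca901af6f3eecb50547ee35
SHA1 718e45016eb114e2f16cafe538ec715e61c56e38
SHA256 f992bf32a14d8f4908fe24b0a7f26141d8ff9862ad6d85adc82ed645988ad591
SHA512 1addcebacf1927eea4e5920673ea5af9760aab151f39942cea38abce5bb7b9a7718aacb7e769093cd9a7239e432996c3bba5986cce6dd798a609068f37d1f8c0

memory/4392-20-0x00007FF73FF50000-0x00007FF7402A4000-memory.dmp
"""

# memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp, the naming the report uses.
MEMORY_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$", re.M)
# A dropped-file block: the path, a blank line, then the four hash lines.
FILE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\[^\n]+)\n\n"
    r"MD5 (?P<md5>[0-9a-f]{32})\n"
    r"SHA1 (?P<sha1>[0-9a-f]{40})\n"
    r"SHA256 (?P<sha256>[0-9a-f]{64})\n"
    r"SHA512 (?P<sha512>[0-9a-f]{128})$", re.M)


def parse_regions(text):
    """[(pid, start, end)] for every memory dump reference in the report text."""
    return [(int(pid), int(start, 16), int(end, 16))
            for pid, start, end in MEMORY_RE.findall(text)]


def parse_dropped(text):
    """{path: {'md5': ..., 'sha1': ..., 'sha256': ..., 'sha512': ...}} per dropped file."""
    return {m.group("path"): {k: m.group(k) for k in ("md5", "sha1", "sha256", "sha512")}
            for m in FILE_RE.finditer(text)}


def summarize(text, image_min=0x100000):
    """Image-size histogram and hash uniqueness for the dropped files.
    Regions smaller than image_min (assumed threshold) are treated as heap/other."""
    regions = parse_regions(text)
    image_sizes = Counter(end - start for _, start, end in regions if end - start >= image_min)
    dropped = parse_dropped(text)
    return {
        "pids": sorted({pid for pid, _, _ in regions}),
        "image_sizes": dict(image_sizes),
        "dropped": len(dropped),
        "unique_sha256": len({d["sha256"] for d in dropped.values()}),
    }


if __name__ == "__main__":
    print(summarize(REPORT_EXCERPT))
```

On the excerpt every dropped file hashes differently while every mapped image is exactly 0x354000 bytes, and the same holds over the full list above: all 21 SHA256 values differ and every memory/<pid> image region spans 0x354000. That is consistent with one payload re-packed per drop, so a hash blocklist built from this report covers only these 21 files; the constant image size, the drop directory and the seven-letter naming are the pivots that generalise.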

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-28 00:02

Reported

2024-06-28 00:04

Platform

win7-20240419-en

Max time kernel

135s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
21 matches, all columns N/A (per-match detail is not present in this export)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
21 matches, all columns N/A (per-match detail is not present in this export)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\VOgZmbs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qNPZMCd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cyevwoA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mQStkON.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YePAPIE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kwlBJrK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JIxBjWt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TFmBXTG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EqAlnhl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GrPOdOT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cBxOxZh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ujUsZtM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lenyjLB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QdUFpYp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ljLTzpX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rfVwMtM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JBIFflc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XZWzjof.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KMWGrVX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AtDCTMr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZJagHJi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1028 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YePAPIE.exe
PID 1028 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YePAPIE.exe
PID 1028 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YePAPIE.exe
PID 1028 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rfVwMtM.exe
PID 1028 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rfVwMtM.exe
PID 1028 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rfVwMtM.exe
PID 1028 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VOgZmbs.exe
PID 1028 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VOgZmbs.exe
PID 1028 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VOgZmbs.exe
PID 1028 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kwlBJrK.exe
PID 1028 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kwlBJrK.exe
PID 1028 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kwlBJrK.exe
PID 1028 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JBIFflc.exe
PID 1028 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JBIFflc.exe
PID 1028 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JBIFflc.exe
PID 1028 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XZWzjof.exe
PID 1028 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XZWzjof.exe
PID 1028 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XZWzjof.exe
PID 1028 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JIxBjWt.exe
PID 1028 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JIxBjWt.exe
PID 1028 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JIxBjWt.exe
PID 1028 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TFmBXTG.exe
PID 1028 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TFmBXTG.exe
PID 1028 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TFmBXTG.exe
PID 1028 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cBxOxZh.exe
PID 1028 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cBxOxZh.exe
PID 1028 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cBxOxZh.exe
PID 1028 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ujUsZtM.exe
PID 1028 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ujUsZtM.exe
PID 1028 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ujUsZtM.exe
PID 1028 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EqAlnhl.exe
PID 1028 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EqAlnhl.exe
PID 1028 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EqAlnhl.exe
PID 1028 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lenyjLB.exe
PID 1028 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lenyjLB.exe
PID 1028 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lenyjLB.exe
PID 1028 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KMWGrVX.exe
PID 1028 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KMWGrVX.exe
PID 1028 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KMWGrVX.exe
PID 1028 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qNPZMCd.exe
PID 1028 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qNPZMCd.exe
PID 1028 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qNPZMCd.exe
PID 1028 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AtDCTMr.exe
PID 1028 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AtDCTMr.exe
PID 1028 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AtDCTMr.exe
PID 1028 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GrPOdOT.exe
PID 1028 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GrPOdOT.exe
PID 1028 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GrPOdOT.exe
PID 1028 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QdUFpYp.exe
PID 1028 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QdUFpYp.exe
PID 1028 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QdUFpYp.exe
PID 1028 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cyevwoA.exe
PID 1028 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cyevwoA.exe
PID 1028 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cyevwoA.exe
PID 1028 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZJagHJi.exe
PID 1028 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZJagHJi.exe
PID 1028 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZJagHJi.exe
PID 1028 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mQStkON.exe
PID 1028 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mQStkON.exe
PID 1028 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mQStkON.exe
PID 1028 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ljLTzpX.exe
PID 1028 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ljLTzpX.exe
PID 1028 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ljLTzpX.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-27_2d406d9f1318c70a630caebc5f9cd253_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\YePAPIE.exe

C:\Windows\System\YePAPIE.exe

C:\Windows\System\rfVwMtM.exe

C:\Windows\System\rfVwMtM.exe

C:\Windows\System\VOgZmbs.exe

C:\Windows\System\VOgZmbs.exe

C:\Windows\System\kwlBJrK.exe

C:\Windows\System\kwlBJrK.exe

C:\Windows\System\JBIFflc.exe

C:\Windows\System\JBIFflc.exe

C:\Windows\System\XZWzjof.exe

C:\Windows\System\XZWzjof.exe

C:\Windows\System\JIxBjWt.exe

C:\Windows\System\JIxBjWt.exe

C:\Windows\System\TFmBXTG.exe

C:\Windows\System\TFmBXTG.exe

C:\Windows\System\cBxOxZh.exe

C:\Windows\System\cBxOxZh.exe

C:\Windows\System\ujUsZtM.exe

C:\Windows\System\ujUsZtM.exe

C:\Windows\System\EqAlnhl.exe

C:\Windows\System\EqAlnhl.exe

C:\Windows\System\lenyjLB.exe

C:\Windows\System\lenyjLB.exe

C:\Windows\System\KMWGrVX.exe

C:\Windows\System\KMWGrVX.exe

C:\Windows\System\qNPZMCd.exe

C:\Windows\System\qNPZMCd.exe

C:\Windows\System\AtDCTMr.exe

C:\Windows\System\AtDCTMr.exe

C:\Windows\System\GrPOdOT.exe

C:\Windows\System\GrPOdOT.exe

C:\Windows\System\QdUFpYp.exe

C:\Windows\System\QdUFpYp.exe

C:\Windows\System\cyevwoA.exe

C:\Windows\System\cyevwoA.exe

C:\Windows\System\ZJagHJi.exe

C:\Windows\System\ZJagHJi.exe

C:\Windows\System\mQStkON.exe

C:\Windows\System\mQStkON.exe

C:\Windows\System\ljLTzpX.exe

C:\Windows\System\ljLTzpX.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/1028-0-0x000000013FD40000-0x0000000140094000-memory.dmp

memory/1028-1-0x00000000001F0000-0x0000000000200000-memory.dmp

C:\Windows\system\YePAPIE.exe

MD5 4a2e29d92118c84fd7e26080a75ad32b
SHA1 96c9c8a52c80215d20da2b7f4f708e5e7456c92a
SHA256 56f2692ea1fc9377861723ba10ed3c4db5f3c1203861b390f8fa7e88fc8d8606
SHA512 e716bb2117bc4c404e43a5dc5bcf7b10f866897d5af0a3c2277952d391956b0041b7dc89c7c376243afe7053778b1b9537caaa7ceb57153f40db234f996a0fb0

C:\Windows\system\VOgZmbs.exe

MD5 9f1249d2415f5edcde72833cc21f0f9a
SHA1 70dab8b1b9be297aec44c71b3ed279342f985175
SHA256 c34d3b61b1738ed442b84383f8ba14b12106f2c12e942c3eeebbccc2f6a08b5f
SHA512 895b5d327eab27821f2d755c8e2b5a09999f3fb5fb261e22720620c05a90672f41de39c2f59985e712dbd9e670abfcf990e0b65b0e8d76012eb769b8e69b8e0d

\Windows\system\rfVwMtM.exe

MD5 5d3520957469a213ad4098cfbd559940
SHA1 623d3b705baefcbdda03fa65e7fb98f12f4ea6a4
SHA256 3293404f98406007efa20f9112a4493860d50d2eb54f7a850d53cf054ea7a3de
SHA512 52b0431fe93709925095645c778d7b4387966b936ca8c35521fb4b81e31fe1b791d396821ce025601905c825891a56e4f0916974621069077bca034de83e7061

memory/1028-21-0x000000013F1E0000-0x000000013F534000-memory.dmp

memory/2652-23-0x000000013F1E0000-0x000000013F534000-memory.dmp

memory/2012-22-0x000000013FC40000-0x000000013FF94000-memory.dmp

memory/1028-20-0x0000000002250000-0x00000000025A4000-memory.dmp

memory/1028-28-0x0000000002250000-0x00000000025A4000-memory.dmp

C:\Windows\system\kwlBJrK.exe

MD5 9c8a4aa17afdb30105e4f23ced8c2f10
SHA1 85339b7dc00cd2db8fc7d4166638854243c0c77b
SHA256 787456210248d9692d0ec8eeaabc34dadb93e186c69bf83da0a0f597dfe7c98b
SHA512 54b9bd41d768a2b2b70e924511966c107b050c2fba645c86036d45e8d85ed21ed44a7073a0e2b95b5bd107d5ac1a44467c30560d36e4c5ba6ac0016e089d6fd6

\Windows\system\XZWzjof.exe

MD5 9f99fc51cf4374b71853e0bf199d6cb6
SHA1 2c881758c6ae6d81c09660b47b6815fe5ef27c7f
SHA256 954196210b5c99cb5bff4eb1e31dd8791c578f875d01266f8235f1b811cd2b2c
SHA512 bbbb275202891abcfa11fa2f7db496a4a9f843087afd409fc0081eae7c4801f60f91e221e48d72a9d2a8232c91969d1c3b969db60093fc4edb20b3bb4494586a

\Windows\system\JBIFflc.exe

MD5 42ebb672a8365fa71ae98c3cbb6ae738
SHA1 6dae2744b9eec1bb47b5107c1a7494080d46d998
SHA256 98c835449098415470837969a938a80a03e2416c80a99d70b4a4cbb487ece1c2
SHA512 be19f151805dafdcca8a0b9c9e895e5b07ec050252b9b2b5548ea7fa4b6cc1acee7cf21ddeabd091811d0f8a577f93afbffad09899bc174d72706fa1941456aa

memory/2656-41-0x000000013F600000-0x000000013F954000-memory.dmp

memory/1028-46-0x000000013F380000-0x000000013F6D4000-memory.dmp

\Windows\system\JIxBjWt.exe

MD5 80a25897db053e80099428309f1394c7
SHA1 584a54c255ce6a3d9c79ba1db648bf92e65e5545
SHA256 19636999665e57ed3051029643a15fe755d3afd96821394cbba1171fcafba658
SHA512 3339473de5932b7392af446e005e845e936ea000313acf26b9562e42ea6483ee6cb14fbb04c7b0ca0f450e30ad523325fbdcf4d1aa649316734e9d03f88f8b4b

memory/2628-44-0x000000013FCF0000-0x0000000140044000-memory.dmp

memory/1028-43-0x0000000002250000-0x00000000025A4000-memory.dmp

memory/1028-40-0x000000013F600000-0x000000013F954000-memory.dmp

memory/2816-37-0x000000013FCF0000-0x0000000140044000-memory.dmp

memory/1740-18-0x000000013F620000-0x000000013F974000-memory.dmp

memory/1028-15-0x000000013F620000-0x000000013F974000-memory.dmp

\Windows\system\TFmBXTG.exe

MD5 125ef8396756ec72c9a594f44bcaf72a
SHA1 b725c398514d865cf6e71ce62a46dc795f276c7a
SHA256 64bda3eba7d6563fe6d27251a32d768d41b6d8858a78657b8238727dbf652f69
SHA512 d1fc1076d24c2e49482bc9b7c6a42d78cec2a5c6946bee6b41af87e545e680b7c3b6d42a535a79d25a714e6facf040fad021c831be630488b753d68d9dddfbaa

C:\Windows\system\cBxOxZh.exe

MD5 c1e46e114a530c5e3e6cfdd4caaacc43
SHA1 f3255a28fbec310c7b62aa2f438d3d6916b5ab1a
SHA256 82bc03ea8f5c71377129c44c668ade232c9ccf722a913991aa78df6f77e67770
SHA512 b3988e27f034ccd606dc7f968c78c5dd7488aba34085d20789e809d31fbf3fc0b0283521e3fc2d06ebc0996f420abe08f3f824a7c193ec6e172549fc7f616f82

memory/2540-57-0x000000013F4A0000-0x000000013F7F4000-memory.dmp

\Windows\system\ujUsZtM.exe

MD5 13ad8ab197b488c9e92a9f5390c8c262
SHA1 7c276e6943f2167cf9a688a8f69d9562049316ce
SHA256 7577e6b79d98c5b640a8c577ebd544668552d4703b1cf1b1105b4091e4800dde
SHA512 d2ea6b3a0df38b419325e56a489cb686812d743780090954538a05d67dbc0ee46f2fb4a4a15f14c5c6a1558b62af2e4444c5db0d2430a72ea0eab95fdd807745

memory/1028-55-0x000000013F4A0000-0x000000013F7F4000-memory.dmp

memory/1028-68-0x000000013FD40000-0x0000000140094000-memory.dmp

\Windows\system\EqAlnhl.exe

MD5 aa854a3fbd0e5039d85ef1c6a554588a
SHA1 961f781651a4ab7b10d6355e81496ed3efa1549c
SHA256 9533e04069be095abc4726e97b00c215059adb1889aea0df0d8da85e75f91209
SHA512 67f89c761e1209842b28076d87cdfef2d1d1b8c3134f7907f4cf4b683520e6dfe3442d061966c18edd7ef8cac3c08a28220a22fe3ed7c597e6e8cdede39c5652

memory/2872-51-0x000000013F380000-0x000000013F6D4000-memory.dmp

\Windows\system\AtDCTMr.exe

MD5 9846901833aef7fc5a5ec1376a09808e
SHA1 a1d7e6b64a35195e83fbb516534289d7463fcd40
SHA256 21dd7f2b2e371bc9bd0a5ee1dd45e50e7343c32cd59b67a8f0d05833a2f5eeda
SHA512 9962aaa94c53a164faab54d60ab57f6ce26ab4c5adb6ff555d02da18a59044138dfef73c24c4ea330fed184fabd44c9b6305335a83c3fd0c6d8ff7a0ee5303f7

\Windows\system\GrPOdOT.exe

MD5 63ecb1456bfb210ca61de609eecfe0f3
SHA1 138afce48fceae2ae8660c9a96189aaa1ac032e6
SHA256 430bd625afb3d6f8e7e5782231f8ddca807626d700df9b8846764542eca29c25
SHA512 938a173c124834bd9302db663b521e909de1056e9d79b8551ff9396e95f7c5e48e9df3b8db7aabf93f3d20f14a789e1f4e6fca4d68b0e12d5f79223c027a1bf2

C:\Windows\system\ZJagHJi.exe

MD5 6ac36276726e844f16197e2cec5e2cd9
SHA1 c4a3ec4b8cec3d93fe514a696d37b87d00e69800
SHA256 2be6c8dcf36e190011df1fff833d5d7f9c20aa14b65a953915a507d298f2a105
SHA512 73633a21f5d2c8edd99878c8730697d25a79752416a5ca10cd0de2cb9cee9d4cc4b6f7ec9e5278806f609f2bf1a83782b61e826ed9834a256014044b7553e17d

C:\Windows\system\QdUFpYp.exe

MD5 32aa2c5a15a460f20709fa527ec3a9cb
SHA1 873da4c2322b19837cf936758641ea37719c66ed
SHA256 6fac3369d2b05dda3b43251be34d96559fff6bcacabc3cb98d93003bbe642944
SHA512 066327ce81a342f50498d16d2a485110b23d5caf0456b9e6b83789e59d85021185fba0e771aad61d09aec0f0afc0292bf6d829bfaea63afc0a55e72163f12f49

\Windows\system\cyevwoA.exe

MD5 04626313ab0c01c8434b46f2e40f105d
SHA1 4d2f14c24b28e0a2d69d6b3e670d47b844ff3def
SHA256 e318e1d84e48fd696588e5a67af419d27f4f208c07240e07e6470a56d5d54cdd
SHA512 8452a3d2c1beeb5044a9cee9abd46967dfd7e78b0ede36432ef2fb547c2b2ab80a2802766623015c826869207cdd33cbb591c392d5c68b5777834c1c92dc06e9

memory/2908-130-0x000000013F8A0000-0x000000013FBF4000-memory.dmp

memory/1028-129-0x000000013F8A0000-0x000000013FBF4000-memory.dmp

memory/1028-133-0x000000013F350000-0x000000013F6A4000-memory.dmp

memory/1028-134-0x000000013F380000-0x000000013F6D4000-memory.dmp

memory/3044-132-0x000000013FAD0000-0x000000013FE24000-memory.dmp

memory/1028-131-0x0000000002250000-0x00000000025A4000-memory.dmp

C:\Windows\system\mQStkON.exe

MD5 c759e4f00ae7ece2a20fb8ff9e0e472f
SHA1 ac98da93e6ef5f5ed570cf468d90af82fc97aab6
SHA256 f3013fad9dcb2f8ec3fe360393104744839b3f3c5a1e6d9fc6da5c755aff6958
SHA512 9aca99614bb1bcfe07ecca2d170fcca18f07cd23f0fce33edbe6550fc0a159812779f1d438140f09b5e634acb46e65b04c562586ee872e82d8a1b29ae37fbb9a

memory/2868-122-0x000000013F380000-0x000000013F6D4000-memory.dmp

C:\Windows\system\ljLTzpX.exe

MD5 13f1b11165fc84b417ae4bbce301d35c
SHA1 0370a9d8169729a93a6eed0a1bf775c2b2cfaa3e
SHA256 f2244f36b3dd01d7b49c440a620b08d4a605769001896165616609b24524d5a6
SHA512 de8d7da0a2e4ce20e0f7805a2c53e9ebc989dc2a90afcd758120a8f8ed4470f33f4f8bff9339fd5bb485f89d8c312c838968ef5218214694e2c967dfcb748d9b

memory/2692-116-0x000000013F6B0000-0x000000013FA04000-memory.dmp

memory/316-120-0x000000013F350000-0x000000013F6A4000-memory.dmp

memory/1160-119-0x000000013FE30000-0x0000000140184000-memory.dmp

memory/1028-101-0x000000013F6B0000-0x000000013FA04000-memory.dmp

\Windows\system\qNPZMCd.exe

MD5 dbfaac8c8ba94151de1b2f178eaad647
SHA1 ba0810428d81548c671a4a5ecaed2c60a19341c6
SHA256 17c087909ec390bebfbecc14f1f43a332dabf64a44e53ac88c6bf2b8d2c33053
SHA512 2c722c926a96d621ff6072660bd3238bbd0752c41bb202c1715238b518f89c98ca0805e1c097b84519954287178aae25d251d06af0d97b3dc8e269ec29a92c9a

C:\Windows\system\KMWGrVX.exe

MD5 9f175a2fac2c024ad67c2b5b29d224b7
SHA1 74457d45e3f0abfe81318837e91a97643b904898
SHA256 ce1b034a7beb5c8a10f93fe5662d0f6c5366249589ba77449a45b08eaa3839e9
SHA512 e80cc693be25ef88488b53524a53203a3c79ea233997f8d71f892c3fbc4811a0ade9ac233627bbece6d0cfedc381f0a7abcad4c1d4b97f1d6b593107e0f7b254

C:\Windows\system\lenyjLB.exe

MD5 01d8d21c8cc43f8ae21ffbe1d41ac44f
SHA1 9eab48366f84a4da8b75795eb8687e5fd51d107d
SHA256 a30d746ecf1cb771403b0d21578334a95f8c6c66fd7e7b4ec64abb3da5f52524
SHA512 8e8e9a6bc89388d24c2173900cb436b6e20135036815f1830438f84b82b2169ce94b6ba4f9870f38cf48f5eb9d8af2523145f309ef0544a0864a788466c57ec4

memory/2816-135-0x000000013FCF0000-0x0000000140044000-memory.dmp

memory/2540-136-0x000000013F4A0000-0x000000013F7F4000-memory.dmp

memory/1028-138-0x000000013F380000-0x000000013F6D4000-memory.dmp

memory/1028-137-0x000000013F350000-0x000000013F6A4000-memory.dmp

memory/2652-141-0x000000013F1E0000-0x000000013F534000-memory.dmp

memory/2012-140-0x000000013FC40000-0x000000013FF94000-memory.dmp

memory/1740-139-0x000000013F620000-0x000000013F974000-memory.dmp

memory/2656-143-0x000000013F600000-0x000000013F954000-memory.dmp

memory/2628-144-0x000000013FCF0000-0x0000000140044000-memory.dmp

memory/2816-142-0x000000013FCF0000-0x0000000140044000-memory.dmp

memory/2872-145-0x000000013F380000-0x000000013F6D4000-memory.dmp

memory/2692-147-0x000000013F6B0000-0x000000013FA04000-memory.dmp

memory/2540-146-0x000000013F4A0000-0x000000013F7F4000-memory.dmp

memory/1160-148-0x000000013FE30000-0x0000000140184000-memory.dmp

memory/316-149-0x000000013F350000-0x000000013F6A4000-memory.dmp

memory/2868-150-0x000000013F380000-0x000000013F6D4000-memory.dmp

memory/3044-151-0x000000013FAD0000-0x000000013FE24000-memory.dmp

memory/2908-152-0x000000013F8A0000-0x000000013FBF4000-memory.dmp