Malware Analysis Report

2024-10-24 18:12

Sample ID 240629-h2ja9swemm
Target 2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat
SHA256 c4931b0c9169da8f10f0b5f9e93be3ab97b708f218ed08eecebac7d88fa5219e
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

c4931b0c9169da8f10f0b5f9e93be3ab97b708f218ed08eecebac7d88fa5219e

Threat Level: Known bad

The file 2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

xmrig

Xmrig family

XMRig Miner payload

Cobaltstrike family

Cobalt Strike reflective loader

Cobaltstrike

XMRig Miner payload

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-29 07:13

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-29 07:13

Reported

2024-06-29 07:16

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\LbLJjZd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GCdPALE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VqNNWAy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yPkriQW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pnPLTsL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\COgCAhj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pZBgwYI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pVFVnBx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JiUgRBV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JpHzPmI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nrcJMmP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DEHhtpq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MDTEtKa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nJiFnEG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uqPBaZu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KFDHgCH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sKDadii.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EAtZYgm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gCQRnca.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KxmnWLo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jGXyrnZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4656 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pVFVnBx.exe
PID 4656 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pVFVnBx.exe
PID 4656 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LbLJjZd.exe
PID 4656 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LbLJjZd.exe
PID 4656 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EAtZYgm.exe
PID 4656 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EAtZYgm.exe
PID 4656 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JiUgRBV.exe
PID 4656 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JiUgRBV.exe
PID 4656 wrote to memory of 3092 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uqPBaZu.exe
PID 4656 wrote to memory of 3092 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uqPBaZu.exe
PID 4656 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JpHzPmI.exe
PID 4656 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JpHzPmI.exe
PID 4656 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nrcJMmP.exe
PID 4656 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nrcJMmP.exe
PID 4656 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GCdPALE.exe
PID 4656 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GCdPALE.exe
PID 4656 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gCQRnca.exe
PID 4656 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gCQRnca.exe
PID 4656 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VqNNWAy.exe
PID 4656 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VqNNWAy.exe
PID 4656 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KFDHgCH.exe
PID 4656 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KFDHgCH.exe
PID 4656 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yPkriQW.exe
PID 4656 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yPkriQW.exe
PID 4656 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KxmnWLo.exe
PID 4656 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KxmnWLo.exe
PID 4656 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pnPLTsL.exe
PID 4656 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pnPLTsL.exe
PID 4656 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DEHhtpq.exe
PID 4656 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DEHhtpq.exe
PID 4656 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MDTEtKa.exe
PID 4656 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MDTEtKa.exe
PID 4656 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sKDadii.exe
PID 4656 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sKDadii.exe
PID 4656 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\COgCAhj.exe
PID 4656 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\COgCAhj.exe
PID 4656 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pZBgwYI.exe
PID 4656 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pZBgwYI.exe
PID 4656 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jGXyrnZ.exe
PID 4656 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jGXyrnZ.exe
PID 4656 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nJiFnEG.exe
PID 4656 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nJiFnEG.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\pVFVnBx.exe

C:\Windows\System\pVFVnBx.exe

C:\Windows\System\LbLJjZd.exe

C:\Windows\System\LbLJjZd.exe

C:\Windows\System\EAtZYgm.exe

C:\Windows\System\EAtZYgm.exe

C:\Windows\System\JiUgRBV.exe

C:\Windows\System\JiUgRBV.exe

C:\Windows\System\uqPBaZu.exe

C:\Windows\System\uqPBaZu.exe

C:\Windows\System\JpHzPmI.exe

C:\Windows\System\JpHzPmI.exe

C:\Windows\System\nrcJMmP.exe

C:\Windows\System\nrcJMmP.exe

C:\Windows\System\GCdPALE.exe

C:\Windows\System\GCdPALE.exe

C:\Windows\System\gCQRnca.exe

C:\Windows\System\gCQRnca.exe

C:\Windows\System\VqNNWAy.exe

C:\Windows\System\VqNNWAy.exe

C:\Windows\System\KFDHgCH.exe

C:\Windows\System\KFDHgCH.exe

C:\Windows\System\yPkriQW.exe

C:\Windows\System\yPkriQW.exe

C:\Windows\System\KxmnWLo.exe

C:\Windows\System\KxmnWLo.exe

C:\Windows\System\pnPLTsL.exe

C:\Windows\System\pnPLTsL.exe

C:\Windows\System\DEHhtpq.exe

C:\Windows\System\DEHhtpq.exe

C:\Windows\System\MDTEtKa.exe

C:\Windows\System\MDTEtKa.exe

C:\Windows\System\sKDadii.exe

C:\Windows\System\sKDadii.exe

C:\Windows\System\COgCAhj.exe

C:\Windows\System\COgCAhj.exe

C:\Windows\System\pZBgwYI.exe

C:\Windows\System\pZBgwYI.exe

C:\Windows\System\jGXyrnZ.exe

C:\Windows\System\jGXyrnZ.exe

C:\Windows\System\nJiFnEG.exe

C:\Windows\System\nJiFnEG.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 107.116.69.13.in-addr.arpa udp

Files

C:\Windows\System\pVFVnBx.exe

MD5 0cb8236fa760807baf70dfb52e810fcc
SHA1 92bcd12ba5211aadcfeff1f8bcc4684bc965cb7b
SHA256 eb5cddbd9fdcf864d80c63096865da7c29940479d497027f5801b5057dd17fb1
SHA512 ef717dafe3adecd4c377aaa40a7dc3707f495447f7180ee4ad00987c2fdf0dd71cf328b95004385ce61147feea8e9956b2da02de17ef11d2fa0f814a447cd5fa

C:\Windows\System\LbLJjZd.exe

MD5 393bcdd69f0a17c58320bb13c7a49a24
SHA1 8ed3ed6ea37c878920637156da9b8f75b460e7de
SHA256 916c2594325dfa58b65a79133aa4f1f3a47acdfd0a08ce24da858a1bcb110c3b
SHA512 c38608cab6cc2c4707baa2782f82a63776845403e6d5efece976e23ce3aacb36f34ade2745c162a4fa07a0df5d71b8995f300d09d1a85e39c3a54bbef45f1d66

C:\Windows\System\EAtZYgm.exe

MD5 2a4128de3f58a330f9b7271e020fd67d
SHA1 2e5a0f42ca90732e702097f90c068d5d1d7c013c
SHA256 44edbe91e877bdd5697db7a94ffb8ab2b789f6040c3afe5092580d27a565244b
SHA512 0da927d6906a0d4ddf42a3de3b4b62ca01c3361d1b342641f53aac630d542c94c67049cc0258be4e136d9e0beb9a1d0aceec962be2740e23442fb99e5b7125df

C:\Windows\System\JiUgRBV.exe

MD5 66f4d81e853e1dbe339c6816df0f3e5e
SHA1 69b3757299a6bfa1161e9e9963b697d0d618dcce
SHA256 b96b510156e20145187548be01f6d13244663999e14bf9a3dc61eb3652e6baa5
SHA512 c477bdfc92f1c7704f095b7f36b0e32dc65569e5a36233ebf5d0a4ad3faf268490b34fc806a3d0b17625577b81fa9d6e12a2612bd64cec9ec617a4aa2de637da

C:\Windows\System\uqPBaZu.exe

MD5 f654450369542b9308a5d8e5d342f2fe
SHA1 e4757071c965536e34a120f48d38c48c3a95a51e
SHA256 e4e15d95d06879464b20203de427a58d696a83e019cc75998373b6c7a0cbf5c5
SHA512 da70d57e563cfb18c70ce84ab12e7c788fa05c885ff386e83d4fc5a8d97f94e76128193dba771f26fe38d8ef792a94e37f032bc0f9d2946b53976e4d2bd97fab

C:\Windows\System\JpHzPmI.exe

MD5 87e96e8e6301c36e3d8c591da0961a56
SHA1 a654bd2e84cbc3af6b0ad4628897620320f19c78
SHA256 830fa537ee2d356fedb8387e25daf401569a7a4687ad8e72c791173c188521c0
SHA512 d0aa6fc64c9bafe0821217e2316363f22509fe38c44ab98fc7cac66ce5eeebfdc8ee58f5bc96667b6b053cd7c732acb4872d2ad9a0309de4ea6e5f8c245c5494

C:\Windows\System\nrcJMmP.exe

MD5 1696ba875fd731db368e3a5b93e14343
SHA1 43116988fcb1f60e126329cec2bca87093dcdc24
SHA256 9774320237e96520097acf1155cddd95789642b24f2f38f5f4e8492c3f613636
SHA512 b9a6740667185710727662a498dba55e6be8de90ce7fa5b65950c04bb666500520ce9da3f8cfade8843f3d0a6ed0941dc77d899860a9a422dfd6cd14569f803d

C:\Windows\System\GCdPALE.exe

MD5 d49203160f3fb2fe99b88c6b9ba0ef04
SHA1 7dcd9180b60006814e9fd47b2b583393115b7b17
SHA256 e4fbc815134b15f1e887e2438e0893da932397b0c6ad0010125932275f80c227
SHA512 50269cfe1c9c91fbc61e0998fd27dd918eac937d52f0f3cabf3fde94cb30e5b1df83c98be2c91b3eddc70399180f5aa201692a95384344d0854c0ce11233cca7

C:\Windows\System\gCQRnca.exe

MD5 51a184102a353690074dca64207f4282
SHA1 1e2c9fbb5b525985a93b05d93096b47a8e058afb
SHA256 7f8cd6d70ac4c43ba5bb3749e40305f520a11a010cf9601e556c6efc4575992b
SHA512 725c700c2190492df95ebeef5281263b892d23c94e431090bc72f049e11450cad12e44b0a0c9f6a9f86908b0b9532701a6c9ac73d180a69b0aad79add6dd89e7

C:\Windows\System\VqNNWAy.exe

MD5 41f04889c933a49a45a95735753d135b
SHA1 02f278281a669a45da128f970e4ea8bf1a0ddb33
SHA256 1af0a6c9b359c05607fa670368dbc735633c4c099f3066cc330a694a9d2d78e1
SHA512 690f636f1e0e8f363f8375306e293988c2d76286b1897d285a3e4767d6f3d7d974b81f1b0f320d328d59fc86c5955cf16b71dc79c9e95c7a1dbb6b799f4158e7

C:\Windows\System\yPkriQW.exe

MD5 9507f5a39180c1c4d2661f0ab6ad018a
SHA1 411fc4fd24d7ea4c3244e0064755d8006c5b1ac2
SHA256 8af81b4a2a52e273af2d4d5c5329e143586eba0bc482a05f2d92bdeaa4ed8fdf
SHA512 961438d62ba77a16ad1216c5b84a7bf6324a9c59cdf62d9789d7abfffe4d8f5f442b62410e0929ac1f9a3d68763450c38a2fc996ec81afd799a19d6e5f886f5d

C:\Windows\System\KxmnWLo.exe

MD5 4cfa7ef7f7c5ac0f1b74cbfed5f1fefb
SHA1 3976d5845d4d0a9307ba734e148d11556b2c685d
SHA256 530260916d149b2235950919b83529e3ee6ec84aac93c8f6572bd716cfc7a8fc
SHA512 fac3766408190cf68759c1b040079179e8d7527dbe50fb07739df541f5de16fc487cbe62da17ed31875235cac2d65ec23003f7900fb80e367cc4d1dfd2b60da8

C:\Windows\System\KFDHgCH.exe

MD5 3af1ddfd18b4ecd47b19297aeabc893c
SHA1 a10f718afd4f32b1fea11526f2cb52431369efc1
SHA256 5bc913fafee7b55fda1accdffa58e5b786a52137f5f15ce8e474a36c64ea1db0
SHA512 6c25d98d9e737b961d68469e5736dd0d394399664818f281aa6e1a07b17ef1da290d74d041abf6c14a8fcf0e9e250a8bd64bac2668a40c4bb36091944ae52d09

C:\Windows\System\pnPLTsL.exe

MD5 a60911704dc961348a94596e47ecf61c
SHA1 cbc7d93725d1011c72cf399ed18e624d3cfe4099
SHA256 465d9954a11a6bd0acdfc91ed25926ce748a8f3f8f652eccf0e982a46285da4b
SHA512 08f01106b2fd5f6cd641cab857c63e8396db54de8edc4248e6536233ca385eb375c5b038b99a0c141bf4b93d6d88fa8535e478c9d2740638fe537584de2ac359

C:\Windows\System\MDTEtKa.exe

MD5 199fcbd5ad1b9686d080282846ebb5ea
SHA1 36edf29efedf3c1f650d925b9e9f2629d1cd5766
SHA256 d895f3e741c79ec9031020b68c89bf2da3017c5a16a545606a2d84b6e683d8d2
SHA512 dc8ff0979e089102a2ccf63754359cfd00b742924884fcff92195648fa4e87d763bd624d6524475f9bf40d7761e8b6643aef09639bc7361979442901aaecd2b4

C:\Windows\System\COgCAhj.exe

MD5 b7c6e641a96cc5ac471dc908cb945861
SHA1 e9a67770284f2b97b5381bda11f271c3aa14e8a4
SHA256 f8c228888b0966029f0b88ddab9a13e298c0ab4a6210ad285ca7daac42928d00
SHA512 ea746377d65706edfc10429c969f57e9716a6f9dc74cae2465a3e4f103d88cbe35c91f568f7cb8fe47399e412c12aca5d9a1307e62190dbfe562dc0148fc9606

C:\Windows\System\pZBgwYI.exe

MD5 17072263cd5231ae3a43267230a732ab
SHA1 04523bb50aad4e95058ccd2e25daa529c39ec0f7
SHA256 30d4075ce85b427dc87642d69be7d5f802fd010d6a701b0c15b47229833e98bd
SHA512 bf2f9192fd270ddb410d7c0a8eb0a564c12b071a1979d0c8335a07cbac3c10cc30366fac5ec5b00c4150cba84ef5cb406af728ee7ca6f7ae37ff88c896274ab7

C:\Windows\System\jGXyrnZ.exe

MD5 78e836fed31e7f094ab868b12397d9bd
SHA1 5b5f370a2dbe0aafa3b1151ddde2304be5df739f
SHA256 a169bd3f7225f2a408d70303bd9d028d4b70576a4bfadd37952a4146af6d6127
SHA512 a0328de15042581c2e2f53dd3219d1d1ae245d06893027b270d845dbe42ca2f34d62612a6f1c60ee84cd0942e131f5ed8faf8dae3390b9dbf2fd0ef2d837bfa8

C:\Windows\System\nJiFnEG.exe

MD5 3d874dcc0e7ef7a861ac5993bade7aef
SHA1 a60a5bad5deeb922e16c4794e03ed8cb9fe7ae15
SHA256 f1cc7ac401b903c4e40fc67e37331d52ec49ef68c48834e9a06fdb2fa4989865
SHA512 0ea03321fb054ba3defa9297c22bef80942f5f3e49e2893637cd0ec7ad10ccd12bac0e071b02811d63a5df53bcdc438a087d2acc325c91a18cfa92c2be3a017a

C:\Windows\System\sKDadii.exe

MD5 8e2713b04b3c4ec0fdd5d772e6eb62e5
SHA1 3f0a1c0bf1f07a4a80511ac29962e34ed83cd29b
SHA256 951c08882e255f0be9f13d9689f0ac903673764908fe48d5802927d6431076a8
SHA512 8ce56d38c958ced2e1eaf0af69aad6e61ad3a6fdb59eb3ddd8c803b4b9a25e65086d236b7a1725abb31e0bc978654167bb66beae6db7fadcff7bfcc037cd9623

C:\Windows\System\DEHhtpq.exe

MD5 eb83ff4b7c34c75b39773db4d4b9ad22
SHA1 70e632a22ada4eb9a52c1a3032b49dc919b0a19c
SHA256 6f0a2cf73ef7e2e87c5b982d1a6229fd9b83f093fea65ae65b0d9d8f3f5e17ed
SHA512 7c882e7328c25f268444730c740611f232bb6e6366142bba1468a53b85f10d71e2f87b16dd57768d3b028430055879a4abd17f8ac70d9c1ad4551ca6ed35f5a8

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-29 07:13

Reported

2024-06-29 07:16

Platform

win7-20231129-en

Max time kernel

142s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
(21 identical rows collapsed: every hit is the sample process itself, and the count matches the 21 executables it writes to C:\Windows\System below, but the report does not record which dropped file each hit loaded. Loading a freshly dropped PE as a library is also the simplest explanation for the parent holding memory regions at the children's image bases, as listed under Files.)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(60 identical rows collapsed: the UPX signature matched 60 times, but the report records no indicator, process or target per match, so the hits cannot be tied to the parent or to particular drops from this page alone. To confirm packing on a given file, check its section table for the UPX0/UPX1 section names and the high-entropy second section; a renamed-section build will still show the entropy pattern.)

Drops file in Windows directory

Description Indicator Process Target
Process column is the sample, C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe, for every row.
File created C:\Windows\System\uAqnesV.exe (sample) N/A
File created C:\Windows\System\FoFHiAI.exe (sample) N/A
File created C:\Windows\System\lcEBHha.exe (sample) N/A
File created C:\Windows\System\OAulvUe.exe (sample) N/A
File created C:\Windows\System\VoyPyzN.exe (sample) N/A
File created C:\Windows\System\qoewEss.exe (sample) N/A
File created C:\Windows\System\yWsKOHF.exe (sample) N/A
File created C:\Windows\System\LBkAdjY.exe (sample) N/A
File created C:\Windows\System\TSBGHnS.exe (sample) N/A
File created C:\Windows\System\iIJCBHU.exe (sample) N/A
File created C:\Windows\System\WJYBfOz.exe (sample) N/A
File created C:\Windows\System\EOyXfek.exe (sample) N/A
File created C:\Windows\System\FdIrGuX.exe (sample) N/A
File created C:\Windows\System\QWTLgqY.exe (sample) N/A
File created C:\Windows\System\nQiPpLg.exe (sample) N/A
File created C:\Windows\System\BbNDbxq.exe (sample) N/A
File created C:\Windows\System\JhrSGUR.exe (sample) N/A
File created C:\Windows\System\AVWukrP.exe (sample) N/A
File created C:\Windows\System\OgVTsSx.exe (sample) N/A
File created C:\Windows\System\TehwbPF.exe (sample) N/A
File created C:\Windows\System\cphnbke.exe (sample) N/A

Twenty-one executables with seven-letter mixed-case names, none of them a Windows binary, are written to C:\Windows\System. Creating files there normally requires an elevated administrative token, so this run reflects elevated execution (the sample was launched from the Admin profile); run unelevated, the chain would stall at this step. The names look generated and the 21 files carry 21 different hashes (see Files), so neither is a durable indicator. The durable pattern is the behaviour: a PE created under C:\Windows\System\ by a process running out of a user's Temp directory, 21 times in a single run.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
Process column is the sample (PID 2180), C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe, for every row. Each child appears three times in the original listing; the rows are collapsed here with the entry count.
PID 2180 wrote to memory of 2368 (3 entries) N/A (sample) C:\Windows\System\iIJCBHU.exe
PID 2180 wrote to memory of 2908 (3 entries) N/A (sample) C:\Windows\System\WJYBfOz.exe
PID 2180 wrote to memory of 2260 (3 entries) N/A (sample) C:\Windows\System\nQiPpLg.exe
PID 2180 wrote to memory of 2584 (3 entries) N/A (sample) C:\Windows\System\BbNDbxq.exe
PID 2180 wrote to memory of 2696 (3 entries) N/A (sample) C:\Windows\System\OgVTsSx.exe
PID 2180 wrote to memory of 2580 (3 entries) N/A (sample) C:\Windows\System\EOyXfek.exe
PID 2180 wrote to memory of 2792 (3 entries) N/A (sample) C:\Windows\System\TehwbPF.exe
PID 2180 wrote to memory of 2568 (3 entries) N/A (sample) C:\Windows\System\VoyPyzN.exe
PID 2180 wrote to memory of 2464 (3 entries) N/A (sample) C:\Windows\System\cphnbke.exe
PID 2180 wrote to memory of 2576 (3 entries) N/A (sample) C:\Windows\System\qoewEss.exe
PID 2180 wrote to memory of 3012 (3 entries) N/A (sample) C:\Windows\System\JhrSGUR.exe
PID 2180 wrote to memory of 2212 (3 entries) N/A (sample) C:\Windows\System\yWsKOHF.exe
PID 2180 wrote to memory of 1084 (3 entries) N/A (sample) C:\Windows\System\FoFHiAI.exe
PID 2180 wrote to memory of 2052 (3 entries) N/A (sample) C:\Windows\System\lcEBHha.exe
PID 2180 wrote to memory of 764 (3 entries) N/A (sample) C:\Windows\System\OAulvUe.exe
PID 2180 wrote to memory of 1068 (3 entries) N/A (sample) C:\Windows\System\uAqnesV.exe
PID 2180 wrote to memory of 2040 (3 entries) N/A (sample) C:\Windows\System\LBkAdjY.exe
PID 2180 wrote to memory of 1080 (3 entries) N/A (sample) C:\Windows\System\AVWukrP.exe
PID 2180 wrote to memory of 900 (3 entries) N/A (sample) C:\Windows\System\TSBGHnS.exe
PID 2180 wrote to memory of 1348 (3 entries) N/A (sample) C:\Windows\System\FdIrGuX.exe
PID 2180 wrote to memory of 1576 (3 entries) N/A (sample) C:\Windows\System\QWTLgqY.exe

Every target is a process the sample has just started from one of its own drops, and every child gets the same three entries. A parent writes into a child's address space as part of ordinary process creation (the process parameters block is pushed into the new process), so this table on its own is evidence of the launcher behaviour, not of code injection into a foreign process. Injection would show up here as the sample writing to a PID that does not appear in the Processes list below; there is no such row.
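The drops table and the WriteProcessMemory table above list the same 21 files from two angles. The script below is an added example, not part of the sandbox report: it rebuilds those rows inline from the values on this page (with the write rows triplicated as the sandbox listed them), collapses the duplicates, and checks that every memory-write target is one of the sample's own drops, which is the check that separates a launcher from an injector. The INJECTION_PROBE row is constructed and does not appear in the report; it shows how a foreign target would surface. Function names are mine.

```python
"""Added example (not part of the sandbox report): re-parse the 'Drops file in
Windows directory' and 'Suspicious use of WriteProcessMemory' rows above,
collapse the triplicated write entries, and separate writes aimed at the
sample's own drops (launcher behaviour) from writes aimed at any other
process (the thing that would actually indicate injection)."""
import re
from collections import Counter

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe")

# The 21 drop names and the 21 (child PID, name) pairs, copied from the tables
# above; the rows themselves are rebuilt in the report's own column layout.
DROP_NAMES = ("uAqnesV FoFHiAI lcEBHha OAulvUe VoyPyzN qoewEss yWsKOHF LBkAdjY TSBGHnS "
              "iIJCBHU WJYBfOz EOyXfek FdIrGuX QWTLgqY nQiPpLg BbNDbxq JhrSGUR AVWukrP "
              "OgVTsSx TehwbPF cphnbke").split()
CHILDREN = [(2368, "iIJCBHU"), (2908, "WJYBfOz"), (2260, "nQiPpLg"), (2584, "BbNDbxq"),
            (2696, "OgVTsSx"), (2580, "EOyXfek"), (2792, "TehwbPF"), (2568, "VoyPyzN"),
            (2464, "cphnbke"), (2576, "qoewEss"), (3012, "JhrSGUR"), (2212, "yWsKOHF"),
            (1084, "FoFHiAI"), (2052, "lcEBHha"), (764, "OAulvUe"), (1068, "uAqnesV"),
            (2040, "LBkAdjY"), (1080, "AVWukrP"), (900, "TSBGHnS"), (1348, "FdIrGuX"),
            (1576, "QWTLgqY")]
DROP_ROWS = [f"File created C:\\Windows\\System\\{n}.exe {SAMPLE} N/A" for n in DROP_NAMES]
WRITE_ROWS = [f"PID 2180 wrote to memory of {pid} N/A {SAMPLE} C:\\Windows\\System\\{n}.exe"
              for pid, n in CHILDREN for _ in range(3)]  # three identical rows per child, as listed
# Constructed row (NOT in the report) showing what a real injection hit would look like.
INJECTION_PROBE = f"PID 2180 wrote to memory of 4444 N/A {SAMPLE} C:\\Windows\\explorer.exe"

DROP_RE = re.compile(r"^File created (?P<path>\S+) (?P<proc>\S+) N/A$")
WRITE_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<proc>\S+) (?P<target>\S+)$")


def parse_drops(rows):
    """{dropped path: image of the creating process}."""
    return {m["path"]: m["proc"] for m in map(DROP_RE.match, rows) if m}


def parse_writes(rows):
    """{(writer pid, target pid, target image): number of entries}, duplicates collapsed."""
    return Counter((int(m["src"]), int(m["dst"]), m["target"])
                   for m in map(WRITE_RE.match, rows) if m)


def classify_writes(drops, writes, sample=SAMPLE):
    """Split collapsed write entries into those whose target image is one of the
    sample's own drops ('own') and those aimed at anything else ('foreign')."""
    own, foreign = {}, {}
    for key, n in writes.items():
        target = key[2]
        (own if drops.get(target) == sample else foreign)[key] = n
    return own, foreign


def windows_dir_pe_drops(drops):
    """The durable pattern from the drops table: a PE created under
    C:\\Windows\\System\\ by a process running out of a user's Temp folder."""
    return sorted(path for path, proc in drops.items()
                  if path.lower().startswith("c:\\windows\\system\\")
                  and path.lower().endswith(".exe")
                  and "\\appdata\\local\\temp\\" in proc.lower())


if __name__ == "__main__":
    drops = parse_drops(DROP_ROWS)
    own, foreign = classify_writes(drops, parse_writes(WRITE_ROWS + [INJECTION_PROBE]))
    print(f"{len(drops)} drops, {len(own)} children written to, {len(foreign)} foreign targets")
    for (src, dst, target), n in foreign.items():
        print(f"  ESCALATE: {src} -> {dst} ({n} entries) {target}")
```

Run against the report's own rows, `foreign` comes back empty and every one of the 21 children has exactly three entries; only the constructed probe row lands in the escalation bucket. The same classification works on live EDR telemetry if the rows are replaced by (writer, target, target image) tuples from process-access events.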

Processes

Each process below is listed as its image path followed by the command line it was started with. The PID in parentheses is taken from the WriteProcessMemory table above, where the sample (PID 2180) is the writer and each drop the target; none of the 21 children is started with any argument.

C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe (PID 2180)
"C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\iIJCBHU.exe (PID 2368)
C:\Windows\System\iIJCBHU.exe

C:\Windows\System\WJYBfOz.exe (PID 2908)
C:\Windows\System\WJYBfOz.exe

C:\Windows\System\nQiPpLg.exe (PID 2260)
C:\Windows\System\nQiPpLg.exe

C:\Windows\System\BbNDbxq.exe (PID 2584)
C:\Windows\System\BbNDbxq.exe

C:\Windows\System\OgVTsSx.exe (PID 2696)
C:\Windows\System\OgVTsSx.exe

C:\Windows\System\EOyXfek.exe (PID 2580)
C:\Windows\System\EOyXfek.exe

C:\Windows\System\TehwbPF.exe (PID 2792)
C:\Windows\System\TehwbPF.exe

C:\Windows\System\VoyPyzN.exe (PID 2568)
C:\Windows\System\VoyPyzN.exe

C:\Windows\System\cphnbke.exe (PID 2464)
C:\Windows\System\cphnbke.exe

C:\Windows\System\qoewEss.exe (PID 2576)
C:\Windows\System\qoewEss.exe

C:\Windows\System\JhrSGUR.exe (PID 3012)
C:\Windows\System\JhrSGUR.exe

C:\Windows\System\yWsKOHF.exe (PID 2212)
C:\Windows\System\yWsKOHF.exe

C:\Windows\System\FoFHiAI.exe (PID 1084)
C:\Windows\System\FoFHiAI.exe

C:\Windows\System\lcEBHha.exe (PID 2052)
C:\Windows\System\lcEBHha.exe

C:\Windows\System\OAulvUe.exe (PID 764)
C:\Windows\System\OAulvUe.exe

C:\Windows\System\uAqnesV.exe (PID 1068)
C:\Windows\System\uAqnesV.exe

C:\Windows\System\LBkAdjY.exe (PID 2040)
C:\Windows\System\LBkAdjY.exe

C:\Windows\System\AVWukrP.exe (PID 1080)
C:\Windows\System\AVWukrP.exe

C:\Windows\System\TSBGHnS.exe (PID 900)
C:\Windows\System\TSBGHnS.exe

C:\Windows\System\FdIrGuX.exe (PID 1348)
C:\Windows\System\FdIrGuX.exe

C:\Windows\System\QWTLgqY.exe (PID 1576)
C:\Windows\System\QWTLgqY.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (none recorded) tcp (6 connections)

The only network activity is six TCP connections to one German-hosted address on port 8080, with no DNS lookup or hostname recorded, so the destination was most likely contacted directly by IP. The report does not say which payload owns the connection: port 8080 is used both by HTTP-based Cobalt Strike beacons and by Stratum mining pools that XMRig connects to, and the signatures flag both families. What follows the TCP handshake in the pcap settles it: an HTTP request line points to a beacon check-in, a JSON-RPC "login" message to a miner. Block on IP and port, since there is no name to block on.

Files

Entries named memory/<pid>-<n>-<start>-<end>-memory.dmp are regions the sandbox dumped from process <pid> (2180 is the sample; the other PIDs are its children, per the WriteProcessMemory table). The remaining entries are the 21 dropped executables with their hashes; a few are listed without the drive letter, but they are the same files as in the drops table. All 21 carry different hashes even though every dumped image region, parent and children alike, spans the same 0x354000 bytes, so expect the hashes to be specific to this run.

memory/2180-0-0x000000013F140000-0x000000013F494000-memory.dmp

memory/2180-1-0x00000000002F0000-0x0000000000300000-memory.dmp

\Windows\system\iIJCBHU.exe

MD5 272bb3a8be26a11dbcf56746f901aedd
SHA1 ac1fe87cfd1e98e6cce25d5580e96cf54aa9aa32
SHA256 69de1a01234ed44ce534e4da6a068a023ab7a3360ca1cf33a0cc126768ed2347
SHA512 e2146a1791a102a7951bd1a4f5cfd2ee6436d6a42517fc3ffef49975142550496cf89e595bd09c31cbc23d2f6a2367d53604245cb1fb0565dcc4a43f9c56b58d

\Windows\system\WJYBfOz.exe

MD5 7ed498940599314868cfb8a29c77aa6e
SHA1 b97be523d2c336d55009f72850af172b4be7e88e
SHA256 97d54eae6803fded1a7aeb93c89c87bd963409487e341f51adf27f69dcb986ac
SHA512 cdf1d706c4aaafb375130e3e64a7883b23849d5901ee7ae5e5122f96996ece2c4d6c7a55e04a1ec58d2af0fc3eba5512e1988f47ced3724214629ba3b891a86a

memory/2368-8-0x000000013FC50000-0x000000013FFA4000-memory.dmp

\Windows\system\nQiPpLg.exe

MD5 9ced39ed0114cf4818be0563c20731ad
SHA1 57ea43ff7f4ed0e061d5a6c8253f4d4258a041df
SHA256 93bcc2db46656a0907989ae914d99a10bb7b8d714f2e07224b3212fdea88cae0
SHA512 b01b8edda451b388e6a3b6a36bb049140f2b5a71314b3268c25267d9d3052fe4169ba37b55954f4268d810abbb6881a6403cb9cd2b240e52ed46eaa036b60f33

memory/2180-13-0x000000013F910000-0x000000013FC64000-memory.dmp

memory/2260-21-0x000000013F110000-0x000000013F464000-memory.dmp

memory/2180-19-0x00000000023C0000-0x0000000002714000-memory.dmp

memory/2908-17-0x000000013F910000-0x000000013FC64000-memory.dmp

C:\Windows\system\BbNDbxq.exe

MD5 081a45261dfa1ec07dc51d0f7f478f01
SHA1 7f4a5c0b8e4e40bc855c233b21dd350578a2d468
SHA256 309df7724bf06567365dce0d044b32632c03b9f5fcd5f26806d0e2244447542b
SHA512 a7009cbf47a546e2de223e5ec572d555fe6c4a22d0afba5d9f48294e89f9a2cf24d5a744a453144613998d6c5444c1acc75ed746a4219e0ab3be0e1e6a12e226

memory/2584-29-0x000000013FE90000-0x00000001401E4000-memory.dmp

memory/2180-28-0x000000013FE90000-0x00000001401E4000-memory.dmp

C:\Windows\system\OgVTsSx.exe

MD5 146cd89ba6d1382eb6de3b63029f82d1
SHA1 dd746e5135dca17407780a08542daf34ca9e4f09
SHA256 179c79b1fe4e966ada7560bcdee6c24f533659a8d9312d1586bfe2bd61288d83
SHA512 ecdcaf57c31857eaf8e9a5ea8e550f4f893f6401d3ce28c44a37703a9148ea63878bc584adfd804f8747ca6c1469c5bf6d17a62615eb718e9a7f4a118df91290

C:\Windows\system\EOyXfek.exe

MD5 9db1ca31b832b71d55988dfd8bbe5601
SHA1 3c5c16de8e4ae22c70133d98128fde41d0fc711a
SHA256 f5f9a6bb0339c12d69f88a26826aff7270c16cfc9cd1232b38f98f9f3883e679
SHA512 cc2d5a5901c5718c765f03f0578ada6bac6bb14a3240fb222c4a3f718ef7b6f9d948a089c48681b1edd82ce70d9874ecce1d883c09f46770c4a25bb66063ce4c

memory/2180-39-0x00000000023C0000-0x0000000002714000-memory.dmp

memory/2580-40-0x000000013F480000-0x000000013F7D4000-memory.dmp

memory/2696-35-0x000000013F9B0000-0x000000013FD04000-memory.dmp

memory/2180-34-0x000000013F9B0000-0x000000013FD04000-memory.dmp

C:\Windows\system\VoyPyzN.exe

MD5 b4082ebd5e1f857d20f6b5fadf56b110
SHA1 b087945b163c550015d9e89a4c7164134c0e1bc1
SHA256 7dd1e16ae87e0827f4d9461256c8f8c3a3dffadb1f98ba204a6d3d1511ccf652
SHA512 70c50c7c67bbff5377b31eab483e9c22ebabb9a9a8bd0185fc8d176e62f5e27b2c0326310bbaeec5e828ef039e39d98a15d4c9059652b31b3fc22ff83b2b85c4

memory/2568-56-0x000000013FE70000-0x00000001401C4000-memory.dmp

memory/2792-49-0x000000013F030000-0x000000013F384000-memory.dmp

C:\Windows\system\qoewEss.exe

MD5 1a52af58ddc8c683383c3ff77a3a5458
SHA1 b809d8a3d68d8af984277e93dfb6e5184ddb5998
SHA256 4d4d094fbf8dce651fc8257d8bdbd272ca3de67f139b52da3a2026d8ca4ecfe3
SHA512 1df5b1faa969ac4802008d87faf8e23e9dff8abdfc6737ab54119198fa093218b70a0033b3c64b81dbac346b921b752a3b3f86ac0254244048491121350aa3b2

memory/2464-63-0x000000013FBD0000-0x000000013FF24000-memory.dmp

memory/2576-71-0x000000013FFF0000-0x0000000140344000-memory.dmp

C:\Windows\system\JhrSGUR.exe

MD5 4f7f11449f5b302e5708d784d65322c0
SHA1 bc4a9178d7442ac9a496fa2797b28bb1dba2b821
SHA256 9efebc672a49bd9dd885388fc65a342fae340423dcf3df55613c1b4ee87baffe
SHA512 d626153fad91acff0cd6edecb6d208dd5a107ce235a2aeddf87e61bb3e5c76ca4cab9d84c73a56887aea8315c4a46a446e00f8d3490ec4c9a3f436735edf2fa4

memory/3012-78-0x000000013F5B0000-0x000000013F904000-memory.dmp

memory/2180-77-0x000000013F910000-0x000000013FC64000-memory.dmp

memory/2180-70-0x000000013FFF0000-0x0000000140344000-memory.dmp

memory/2180-62-0x000000013F140000-0x000000013F494000-memory.dmp

C:\Windows\system\cphnbke.exe

MD5 f0eed6c2fdbe16e7f9b323e3fbf4517c
SHA1 188b1d61a086bed0bfad1c8bf854d1298ec249ce
SHA256 7107c08c00e62cf3037406d21ea7ba9c2c4813ac0e000025f2ee48ced88af1ee
SHA512 15078485d03114150cd228c3bbc413b34887a8c423faccfe3886748addcbc7e48b54bd86f606b50a064a121c05906278e007cfbad4d9f7284fae4404de118fd6

memory/2908-69-0x000000013F910000-0x000000013FC64000-memory.dmp

memory/2180-48-0x00000000023C0000-0x0000000002714000-memory.dmp

C:\Windows\system\TehwbPF.exe

MD5 f3651e0d458ec0b1c43fa814f789f39b
SHA1 9f3da86f32533b7334ed48285d9befed09bf8d69
SHA256 faee46a398570a570ef414daac19862c1f20f864392469a149d9209ded2ca875
SHA512 335ec972d2d84dece2adae87bef4f18247c664c4d6e9a7d815dc4070a191c809e838889b4c7e33b3c75d2e7c3bdb22bad2de0f1c9f41c65a3d1bb300ea00dd95

memory/2180-55-0x000000013FE70000-0x00000001401C4000-memory.dmp

memory/2180-83-0x000000013FA90000-0x000000013FDE4000-memory.dmp

C:\Windows\system\uAqnesV.exe

MD5 96d30540a5f1476e23dcc5a777067085
SHA1 670db871d23675d1f56dc79ac9c7b8f2ec7b736c
SHA256 5707fc7f01e9b6a718f52f02113dafcd0c0ade8b23601736ec3499e4e4f1b5f0
SHA512 871b2fd1b0c5dcd025c285a46505a966eabafaaf5052abb7b4c476d79175ef4d4816921343c23a57ef46fdd0c6ac79c6e2f83dd3f5d3e48cb7c208a0110b1396

C:\Windows\system\FdIrGuX.exe

MD5 7bb70dddbb68b31bd6b3fbf1780fa30d
SHA1 80a86f5239f9d572d2e9eb7a6f3c0ebb0fbe4581
SHA256 5f5fb1331a28ef29ad338ca8e9c4603d2202846a57906c0528fd057f8fbe6d9f
SHA512 0016def87dabba17afa9b7b019bf678b8705a5f64349a5e4f8e2963e5a2108068bb74487772e0a10011332e9941d6c0fdfd751203d92561c007f0858ed8afb01

\Windows\system\QWTLgqY.exe

MD5 d39a5e2e8a73cd0062528996b3683221
SHA1 5d573bcef6f8c24f976aba636ba3415061129572
SHA256 095b785d393dd652dcf3d91bd21817020c5367af3fb76cd88d3b88885399b317
SHA512 17bd88b28a7f1fc77828cc67c04f9c41abebfeac7ad273e976c306c3ff50fd32b4a998032218651fa80f540498a3c65bfa350a52e405064beb70a2645dbdce12

C:\Windows\system\TSBGHnS.exe

MD5 e1b344d31dfba4f4796a5a37c590077e
SHA1 3c0ef42a48e00a71e814c3512ebaeb3cb5a584a9
SHA256 236833d616d6fe2b934835663b1acb66723771a811bdfd96ea2c051b5d387807
SHA512 07f0f8785b3cf09d3f6b88030bb3d7a56be87889dd83b0577a73da19156122d0d0ad0a4cd5c601666e4539879ca0e7975c9908e169246b818ff86a14d3d216ad

C:\Windows\system\LBkAdjY.exe

MD5 bdc360b5dceb28af2aa43e5679f46a1c
SHA1 8fb0f5904919ba0679c4c327b959eb8be4ec0602
SHA256 9da609963d23df2ebbe1666a049a58081bebd8b18717abb184a0f3318dfbe6fb
SHA512 8f21ece4b29d37eae7387ee36bf3e4ea575e44ad88e2fe3413dccd64a178c235ef194439744c07a462e04c950ad27b14eecec6e506fb68e11f9ce7962f38f7e6

C:\Windows\system\AVWukrP.exe

MD5 e4b31e1ffb26ed296d66422219c7b7b4
SHA1 add760fd1f53ccd07c0db1c4986035a8d94a4c6c
SHA256 806c2536496ecae21b2089afd3ae92d150b85c20bb5146f3e09cb181e91f2197
SHA512 0b5ca48c46fa2100b084ff59f23ad9170dde6f53e8f67c64ab61e834e069ca3d85e215a6495e09b36450d378daedbbe6023d6c29e453ef565d34aebe95fc19d6

memory/2180-105-0x000000013F790000-0x000000013FAE4000-memory.dmp

memory/2696-104-0x000000013F9B0000-0x000000013FD04000-memory.dmp

C:\Windows\system\OAulvUe.exe

MD5 cd22a1692dccbdcfcb2011b7898d5a49
SHA1 10f3a4930be07903583fd9128e19695bb2f44576
SHA256 9d8a4848ed3fabb43bc0b618888f73c69b13523378ce7fc8c7bd816d33de2cfd
SHA512 9ece6f0b96c5875b1860d118afef3d06620e07be537f5daa02c154f6b5bf049bd44a15a33e5c4ac276e7547ba36005f2f07c20af847db75d5d2bb7af82ba598e

memory/2052-97-0x000000013F680000-0x000000013F9D4000-memory.dmp

C:\Windows\system\lcEBHha.exe

MD5 e648653cfccbe0058019c2bb76ca2985
SHA1 71c0e9aea2fe5fa1f80d87fdcd9936a65a025ce4
SHA256 ed0c34097b75c38683a465d2da728ee13b5400a6e195f1f0c49a4e345aa145b3
SHA512 466ced23f5c6f8ead8c0398b6c7d56db0b76a7aa2157c2f0b57dfb128fb1827ce41bc4fd0d58c89bd79e743d07fe06e9e64e86a7c19c4077f7245c685af06705

memory/1084-91-0x000000013F4C0000-0x000000013F814000-memory.dmp

memory/2180-90-0x000000013F4C0000-0x000000013F814000-memory.dmp

memory/2260-89-0x000000013F110000-0x000000013F464000-memory.dmp

memory/2580-135-0x000000013F480000-0x000000013F7D4000-memory.dmp

C:\Windows\system\FoFHiAI.exe

MD5 63e9dea07ac5839f741ed21b1bb4d0d6
SHA1 be9a0ae928fc52af4abf6c3f04a300c1372f09ac
SHA256 bdf1f4aa21cdeb57a4dce5891977904bca987d66784809f732ee5badddacacc9
SHA512 a7031f4bfb39aadd4752f8048cb5bd36d710f35caee97a5d09a80fb4ae7fdbce831e0672ede188a8b48a253b468cd491e52e966740df16aff979ab6c9c317f8b

memory/2212-84-0x000000013FA90000-0x000000013FDE4000-memory.dmp

C:\Windows\system\yWsKOHF.exe

MD5 8a79ea0fcec491882b556a9971b89055
SHA1 f9ea90cc33caf7fc08da701d18c8c2a520b6e2ee
SHA256 9ebc69c94dacd41c61361d0043401ddfdf88be514bdd91ce01a03e0ee15b0ab3
SHA512 926f5e84e81a74213f95a04ef70e793a6b779404f50736e0e92296403b9ff165a293201f9d30eccfb15038e2d464cc4cb14a6fc4ccfd53b70bfeb25eb07a1a23

memory/2792-136-0x000000013F030000-0x000000013F384000-memory.dmp

memory/2180-139-0x000000013FFF0000-0x0000000140344000-memory.dmp

memory/2180-140-0x000000013F5B0000-0x000000013F904000-memory.dmp

memory/3012-141-0x000000013F5B0000-0x000000013F904000-memory.dmp

memory/2212-142-0x000000013FA90000-0x000000013FDE4000-memory.dmp

memory/2180-143-0x000000013F4C0000-0x000000013F814000-memory.dmp

memory/1084-144-0x000000013F4C0000-0x000000013F814000-memory.dmp

memory/2180-145-0x000000013F680000-0x000000013F9D4000-memory.dmp

memory/2052-146-0x000000013F680000-0x000000013F9D4000-memory.dmp

memory/2180-147-0x000000013F790000-0x000000013FAE4000-memory.dmp

memory/2368-148-0x000000013FC50000-0x000000013FFA4000-memory.dmp

memory/2908-149-0x000000013F910000-0x000000013FC64000-memory.dmp

memory/2584-150-0x000000013FE90000-0x00000001401E4000-memory.dmp

memory/2260-151-0x000000013F110000-0x000000013F464000-memory.dmp

memory/2580-152-0x000000013F480000-0x000000013F7D4000-memory.dmp

memory/2696-153-0x000000013F9B0000-0x000000013FD04000-memory.dmp

memory/2568-154-0x000000013FE70000-0x00000001401C4000-memory.dmp

memory/2464-155-0x000000013FBD0000-0x000000013FF24000-memory.dmp

memory/2576-156-0x000000013FFF0000-0x0000000140344000-memory.dmp

memory/2792-157-0x000000013F030000-0x000000013F384000-memory.dmp

memory/1084-158-0x000000013F4C0000-0x000000013F814000-memory.dmp

memory/2052-159-0x000000013F680000-0x000000013F9D4000-memory.dmp

memory/2212-160-0x000000013FA90000-0x000000013FDE4000-memory.dmp

memory/3012-161-0x000000013F5B0000-0x000000013F904000-memory.dmp
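The dump names above carry more than they show at a glance. The script below is an added example, not part of the sandbox report: it parses the 57 memory dump names listed in this Files section (copied inline), collapses repeated dumps of the same region, and answers two questions a practitioner would ask of them: whether every dumped image region is the same size, and which of the parent's regions sit at exactly the base address of a child's image. The naming convention memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp is inferred from the list, and PARENT = 2180 comes from the WriteProcessMemory table; function names are mine.

```python
"""Added example (not part of the sandbox report): parse the memory dump
names listed in the Files section above and answer two questions the raw
list hides: are the dumped image regions all the same size, and which of
the parent's dumped regions sit at the same base as a child's image."""
import re
from collections import defaultdict

# Naming convention inferred from the list: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
                     r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
PARENT = 2180  # the sample process, per the WriteProcessMemory table

# All 57 dump names from the Files section, copied verbatim and in order.
DUMP_NAMES = """
memory/2180-0-0x000000013F140000-0x000000013F494000-memory.dmp memory/2180-1-0x00000000002F0000-0x0000000000300000-memory.dmp
memory/2368-8-0x000000013FC50000-0x000000013FFA4000-memory.dmp memory/2180-13-0x000000013F910000-0x000000013FC64000-memory.dmp
memory/2260-21-0x000000013F110000-0x000000013F464000-memory.dmp memory/2180-19-0x00000000023C0000-0x0000000002714000-memory.dmp
memory/2908-17-0x000000013F910000-0x000000013FC64000-memory.dmp memory/2584-29-0x000000013FE90000-0x00000001401E4000-memory.dmp
memory/2180-28-0x000000013FE90000-0x00000001401E4000-memory.dmp memory/2180-39-0x00000000023C0000-0x0000000002714000-memory.dmp
memory/2580-40-0x000000013F480000-0x000000013F7D4000-memory.dmp memory/2696-35-0x000000013F9B0000-0x000000013FD04000-memory.dmp
memory/2180-34-0x000000013F9B0000-0x000000013FD04000-memory.dmp memory/2568-56-0x000000013FE70000-0x00000001401C4000-memory.dmp
memory/2792-49-0x000000013F030000-0x000000013F384000-memory.dmp memory/2464-63-0x000000013FBD0000-0x000000013FF24000-memory.dmp
memory/2576-71-0x000000013FFF0000-0x0000000140344000-memory.dmp memory/3012-78-0x000000013F5B0000-0x000000013F904000-memory.dmp
memory/2180-77-0x000000013F910000-0x000000013FC64000-memory.dmp memory/2180-70-0x000000013FFF0000-0x0000000140344000-memory.dmp
memory/2180-62-0x000000013F140000-0x000000013F494000-memory.dmp memory/2908-69-0x000000013F910000-0x000000013FC64000-memory.dmp
memory/2180-48-0x00000000023C0000-0x0000000002714000-memory.dmp memory/2180-55-0x000000013FE70000-0x00000001401C4000-memory.dmp
memory/2180-83-0x000000013FA90000-0x000000013FDE4000-memory.dmp memory/2180-105-0x000000013F790000-0x000000013FAE4000-memory.dmp
memory/2696-104-0x000000013F9B0000-0x000000013FD04000-memory.dmp memory/2052-97-0x000000013F680000-0x000000013F9D4000-memory.dmp
memory/1084-91-0x000000013F4C0000-0x000000013F814000-memory.dmp memory/2180-90-0x000000013F4C0000-0x000000013F814000-memory.dmp
memory/2260-89-0x000000013F110000-0x000000013F464000-memory.dmp memory/2580-135-0x000000013F480000-0x000000013F7D4000-memory.dmp
memory/2212-84-0x000000013FA90000-0x000000013FDE4000-memory.dmp memory/2792-136-0x000000013F030000-0x000000013F384000-memory.dmp
memory/2180-139-0x000000013FFF0000-0x0000000140344000-memory.dmp memory/2180-140-0x000000013F5B0000-0x000000013F904000-memory.dmp
memory/3012-141-0x000000013F5B0000-0x000000013F904000-memory.dmp memory/2212-142-0x000000013FA90000-0x000000013FDE4000-memory.dmp
memory/2180-143-0x000000013F4C0000-0x000000013F814000-memory.dmp memory/1084-144-0x000000013F4C0000-0x000000013F814000-memory.dmp
memory/2180-145-0x000000013F680000-0x000000013F9D4000-memory.dmp memory/2052-146-0x000000013F680000-0x000000013F9D4000-memory.dmp
memory/2180-147-0x000000013F790000-0x000000013FAE4000-memory.dmp memory/2368-148-0x000000013FC50000-0x000000013FFA4000-memory.dmp
memory/2908-149-0x000000013F910000-0x000000013FC64000-memory.dmp memory/2584-150-0x000000013FE90000-0x00000001401E4000-memory.dmp
memory/2260-151-0x000000013F110000-0x000000013F464000-memory.dmp memory/2580-152-0x000000013F480000-0x000000013F7D4000-memory.dmp
memory/2696-153-0x000000013F9B0000-0x000000013FD04000-memory.dmp memory/2568-154-0x000000013FE70000-0x00000001401C4000-memory.dmp
memory/2464-155-0x000000013FBD0000-0x000000013FF24000-memory.dmp memory/2576-156-0x000000013FFF0000-0x0000000140344000-memory.dmp
memory/2792-157-0x000000013F030000-0x000000013F384000-memory.dmp memory/1084-158-0x000000013F4C0000-0x000000013F814000-memory.dmp
memory/2052-159-0x000000013F680000-0x000000013F9D4000-memory.dmp memory/2212-160-0x000000013FA90000-0x000000013FDE4000-memory.dmp
memory/3012-161-0x000000013F5B0000-0x000000013F904000-memory.dmp
""".split()


def parse_dumps(names):
    """{pid: {(start, end), ...}}, with repeated dumps of one region collapsed."""
    regions = defaultdict(set)
    for name in names:
        m = DUMP_RE.match(name)
        if not m:
            raise ValueError(f"unexpected dump name: {name}")
        regions[int(m["pid"])].add((int(m["start"], 16), int(m["end"], 16)))
    return dict(regions)


def region_sizes(regions):
    """{size in bytes: number of distinct regions of that size}."""
    sizes = defaultdict(int)
    for rs in regions.values():
        for start, end in rs:
            sizes[end - start] += 1
    return dict(sizes)


def child_image_size(regions, parent=PARENT):
    """The one size every child region has, or None if the children disagree."""
    sizes = {end - start for pid, rs in regions.items() if pid != parent for start, end in rs}
    return sizes.pop() if len(sizes) == 1 else None


def shared_bases(regions, parent=PARENT):
    """{child pid: base} for children whose image base is also a dumped region of the parent."""
    parent_bases = {start for start, _ in regions.get(parent, ())}
    return {pid: start for pid, rs in regions.items() if pid != parent
            for start, _ in rs if start in parent_bases}


def parent_only_regions(regions, parent=PARENT):
    """Parent regions whose base matches no child: its own image plus private buffers."""
    child_bases = {start for pid, rs in regions.items() if pid != parent for start, _ in rs}
    return sorted(r for r in regions[parent] if r[0] not in child_bases)


if __name__ == "__main__":
    regions = parse_dumps(DUMP_NAMES)
    print("region sizes:", {hex(k): v for k, v in region_sizes(regions).items()})
    print("child image size:", hex(child_image_size(regions)))
    for pid, base in sorted(shared_bases(regions).items()):
        print(f"  parent holds a region at {base:#x}, the image base of child {pid}")
    for start, end in parent_only_regions(regions):
        print(f"  parent-only region {start:#x}-{end:#x} ({end - start:#x} bytes)")
```

On this report the 57 names reduce to 27 distinct regions across 15 processes; 26 of them are exactly 0x354000 bytes, the one exception being a 0x10000 region in the parent. Nine of the 14 dumped children have an image base that also appears as a dumped region of the parent, which is what you would expect if the parent mapped that drop into itself (the Loads dropped DLL hits) before launching it, since Windows assigns an image one ASLR base per boot session and reuses it in every process that maps it. The parent also holds an image-sized region at 0x23C0000, in the low private range rather than the image range, which is where a dropper would build the next file before writing it out; the page does not confirm that, so treat it as a lead for the dump rather than a finding. The five children without a matching parent dump may only mean the sandbox did not dump that mapping.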