Malware Analysis Report

2024-10-24 18:12

Sample ID 240630-gf9ewsthke
Target 2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat
SHA256 dae583eaf154b9870a017c5c2f68ce5cc4c3ba9ac4cd097ca8b6f09a531a7fdc
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dae583eaf154b9870a017c5c2f68ce5cc4c3ba9ac4cd097ca8b6f09a531a7fdc

Threat Level: Known bad

The file 2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Cobaltstrike

Xmrig family

Cobalt Strike reflective loader

Cobaltstrike family

XMRig Miner payload

xmrig

XMRig Miner payload

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-30 05:46

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-30 05:45

Reported

2024-06-30 05:48

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows, all fields N/A)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows, all fields N/A)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows, all fields N/A)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\XMgvgNU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\viRJKZJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TOTDoIC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MBIqhBq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uqsiuLj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IJNyWyd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CZodZmn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tVeIcBx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tjKiDxQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\flBdXke.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iFFrLbX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qnJzXlY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GyXxVdX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LRHyXdv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RHvqXGl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FRngiHc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LJJWmZM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YCfblCu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RWVDarU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jkTIhbx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SGFqcep.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2160 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FRngiHc.exe
PID 2160 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FRngiHc.exe
PID 2160 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tjKiDxQ.exe
PID 2160 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tjKiDxQ.exe
PID 2160 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\viRJKZJ.exe
PID 2160 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\viRJKZJ.exe
PID 2160 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\flBdXke.exe
PID 2160 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\flBdXke.exe
PID 2160 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iFFrLbX.exe
PID 2160 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iFFrLbX.exe
PID 2160 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LJJWmZM.exe
PID 2160 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LJJWmZM.exe
PID 2160 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YCfblCu.exe
PID 2160 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YCfblCu.exe
PID 2160 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qnJzXlY.exe
PID 2160 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qnJzXlY.exe
PID 2160 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RWVDarU.exe
PID 2160 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RWVDarU.exe
PID 2160 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TOTDoIC.exe
PID 2160 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TOTDoIC.exe
PID 2160 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GyXxVdX.exe
PID 2160 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GyXxVdX.exe
PID 2160 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MBIqhBq.exe
PID 2160 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MBIqhBq.exe
PID 2160 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IJNyWyd.exe
PID 2160 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IJNyWyd.exe
PID 2160 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jkTIhbx.exe
PID 2160 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jkTIhbx.exe
PID 2160 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CZodZmn.exe
PID 2160 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CZodZmn.exe
PID 2160 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uqsiuLj.exe
PID 2160 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uqsiuLj.exe
PID 2160 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LRHyXdv.exe
PID 2160 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LRHyXdv.exe
PID 2160 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SGFqcep.exe
PID 2160 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SGFqcep.exe
PID 2160 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RHvqXGl.exe
PID 2160 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RHvqXGl.exe
PID 2160 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XMgvgNU.exe
PID 2160 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XMgvgNU.exe
PID 2160 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tVeIcBx.exe
PID 2160 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tVeIcBx.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\FRngiHc.exe

C:\Windows\System\FRngiHc.exe

C:\Windows\System\tjKiDxQ.exe

C:\Windows\System\tjKiDxQ.exe

C:\Windows\System\viRJKZJ.exe

C:\Windows\System\viRJKZJ.exe

C:\Windows\System\flBdXke.exe

C:\Windows\System\flBdXke.exe

C:\Windows\System\iFFrLbX.exe

C:\Windows\System\iFFrLbX.exe

C:\Windows\System\LJJWmZM.exe

C:\Windows\System\LJJWmZM.exe

C:\Windows\System\YCfblCu.exe

C:\Windows\System\YCfblCu.exe

C:\Windows\System\qnJzXlY.exe

C:\Windows\System\qnJzXlY.exe

C:\Windows\System\RWVDarU.exe

C:\Windows\System\RWVDarU.exe

C:\Windows\System\TOTDoIC.exe

C:\Windows\System\TOTDoIC.exe

C:\Windows\System\GyXxVdX.exe

C:\Windows\System\GyXxVdX.exe

C:\Windows\System\MBIqhBq.exe

C:\Windows\System\MBIqhBq.exe

C:\Windows\System\IJNyWyd.exe

C:\Windows\System\IJNyWyd.exe

C:\Windows\System\jkTIhbx.exe

C:\Windows\System\jkTIhbx.exe

C:\Windows\System\CZodZmn.exe

C:\Windows\System\CZodZmn.exe

C:\Windows\System\uqsiuLj.exe

C:\Windows\System\uqsiuLj.exe

C:\Windows\System\LRHyXdv.exe

C:\Windows\System\LRHyXdv.exe

C:\Windows\System\SGFqcep.exe

C:\Windows\System\SGFqcep.exe

C:\Windows\System\RHvqXGl.exe

C:\Windows\System\RHvqXGl.exe

C:\Windows\System\XMgvgNU.exe

C:\Windows\System\XMgvgNU.exe

C:\Windows\System\tVeIcBx.exe

C:\Windows\System\tVeIcBx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 48.192.11.51.in-addr.arpa udp

Files

memory/2160-0-0x00007FF701A40000-0x00007FF701D94000-memory.dmp

memory/2160-1-0x000001D0229C0000-0x000001D0229D0000-memory.dmp

C:\Windows\System\FRngiHc.exe

MD5 cf8b9c536072e9c2adc0ac7e9b17b5ee
SHA1 d548f027c103fcbbe3297606c381ce3a199a9667
SHA256 af1e2b4fc9afa85aef56a94718fea087a12553243e2d2c4908b531dbf39d9b46
SHA512 428a099a711ac905a753dcfed845027eb56a803d966681bca6dbf5762f62f65a3edae4dcc78df0331424463d47935bf87d26e4464efb30d7d54227734391992e

memory/5056-7-0x00007FF63CEB0000-0x00007FF63D204000-memory.dmp

C:\Windows\System\viRJKZJ.exe

MD5 89d5a3db6e6b0599135cb23dec996c86
SHA1 51d312d509b3e6ef7e3ba5ed591bab215041006d
SHA256 9e9d9b252e0668f8167dd628f623e36cd8f51e3e942f6d7e8e975b373a2dfec8
SHA512 c9b31ff6226199e0c4da051ed933b91a5cd6444562bb128e32fc837026b2d94ef86c7a215e7dc282c3acf99cf366b3b2afd18ba05b22f315e97346a280cb10da

C:\Windows\System\tjKiDxQ.exe

MD5 ae4e287ed5f4d8da1d1cfc47dbe48c47
SHA1 3c74c6fe601e53e8a3359deeb02e384227598af9
SHA256 15221d3db9954119e9e7f4aaa01673b3966d85061cc5065addf99664eef1ec18
SHA512 d550bbc1b29780f350cf15fb8b69e592fbc672993caa25429b3d51b212b9dbcda23b5bf8e6b27d90f13d46a5bcd6650fa26167c507bbd0204208ad29c084879b

memory/4740-14-0x00007FF765120000-0x00007FF765474000-memory.dmp

C:\Windows\System\flBdXke.exe

MD5 dcb234ef7ed53ad6dda13514e2849bee
SHA1 a1cacef38f796ccc759643b5355ddd2d58d81616
SHA256 b1be3b93b782027b473e6c7aa50847c63b4ad77ea53791f1250a92c344c67950
SHA512 0ccd6600e12babf7aba08b4bf741febf1c5177c3039a14bbae841115fc8fce71a951aacf3b54459b7f7ba105f8cac391208978b157043b9d0a8a0fe50242962c

memory/5104-27-0x00007FF746140000-0x00007FF746494000-memory.dmp

C:\Windows\System\iFFrLbX.exe

MD5 f385ae1612d0e19aa9568bc332543662
SHA1 1f07d2ebc25768520da6e5139cc0880c7d9dd941
SHA256 e3f8313bff3c5b148c0f6cfd2781cbd7d1d7562b3057666eec9ac6794d2410d7
SHA512 e4a906c020a8f4d734a1b10ae51ae527531b7d36a41a2fd02e37da56ad9de887cfc47f299509333a7a5a0285f72cf7d3fcb6819445fcd2285443b566c72dd287

memory/1524-30-0x00007FF67C190000-0x00007FF67C4E4000-memory.dmp

memory/4816-22-0x00007FF61F100000-0x00007FF61F454000-memory.dmp

C:\Windows\System\YCfblCu.exe

MD5 d5ddde8c6bd35daf8ff0d2194446c439
SHA1 74529f475697465f999143b5d400206394fbf64f
SHA256 93067b16b64777b5f943f1b375e68257d063eebd67d9e2b0d571de7c4253ed29
SHA512 b852015fee1649c6daccf6a417308986d87523eb5ef4d04d91ac9508f60a099b11e71e85c864994f6ef970403dbd63f7c6b5feb6534296f487c7dae3fceaba99

C:\Windows\System\LJJWmZM.exe

MD5 cf03975a361640412c43ed0c48d9e55e
SHA1 0fee1ee954377ffa7afc022bd9465d83b0a89811
SHA256 f956da0063363ac6c25afebe10f7c3ecbda3986e1670c796e9e479cb8fc79f02
SHA512 027e52c6472533347fa1c9b87774b0d42e819a5097d1ce8f872212010b671ef463b2f6845abc3fdaaa1eb22ab3909d364d821847a85b78d3109bcfa0278101d4

memory/3244-43-0x00007FF6F8870000-0x00007FF6F8BC4000-memory.dmp

C:\Windows\System\qnJzXlY.exe

MD5 75914cf7b1f341f0860ebd71f4251c6a
SHA1 53e61fc893bdeba0a497d5121972618dd476358a
SHA256 59871ceda7e8a18539fb725b93ecdf75d60b4eca115c8cb363304e0003b94366
SHA512 c48524268040dee5e99425b0db747a631e237d1bbe0b17f1c50126425992493f1c7c8fa0e4c8a4385bd1ec194ac6db7314487bf5274f90034e850ed01e0e4a55

memory/4576-49-0x00007FF6F25E0000-0x00007FF6F2934000-memory.dmp

C:\Windows\System\RWVDarU.exe

MD5 d05e9070b74fead9cd41593fc93024cf
SHA1 8be3bde35f35156aa0c2495e5bd8344cba21296d
SHA256 f18c273890ddfbeceb7db2cc1b9c0c209757d8e855ea2d80efd95134f965ddb8
SHA512 0846ef2a781fdf79b5f0ca189cbeb34109c9d20409547a40e1569c7836f47a7c46192c6818a5d06829e6b6a651721230e120b3e251459f913e9fbb3b2e8141dd

C:\Windows\System\TOTDoIC.exe

MD5 8847df65dd0d92dab566eeec1c52ef27
SHA1 553d6ffa79ca6900920ec394aab82c1eef60f7b7
SHA256 b5be397adeab9d56d924b2655603c795f7fd6db97577d70f66fe4d2bee31ac36
SHA512 918c3d266350090f7bec733fce0975407963319e4f93df5dd53032a2e5b63417155ff28a310117d9c879c54ca5a71c6b08cfb6fd1b96708af7d17ea948afc5f4

memory/3056-59-0x00007FF787F70000-0x00007FF7882C4000-memory.dmp

C:\Windows\System\GyXxVdX.exe

MD5 7f9af53cd53e2f640ec39902c29b661f
SHA1 cc87ad943174a96cf183c512b6df363013c08e3a
SHA256 34dd39c638ace0b2fa42bf36b6586ca6ec7fa8072b6abfe88933c4b15a39b9f4
SHA512 273c91402cd5bc15b91e2ac7b029eda4d8e00763227e01ad785cb1cdba82f73fab0fd054123350475d6c4c8392a7fd9f32ce29d6469f84c8674adf50afe8a8e0

C:\Windows\System\jkTIhbx.exe

MD5 2dd447702f5466cc1445701472f5a685
SHA1 c507735d860476e611a7ea06b73433d678a44d16
SHA256 77f778238a945a4a69b319911b99f1726d9f545b4f93c68c4bb3ba4f01eaba91
SHA512 ef67185c63a51e555b99997f4c05d661f593942e7f822feaaa80dd22a5a84581f569cd8c170cf8a2316514ab2ab0b60e75da719409e0d67ec18661ee451fe13c

C:\Windows\System\uqsiuLj.exe

MD5 590e101148df6022bfaed1ed03c3099b
SHA1 d9c77430e529fa53635139df77bcb3e4a5d51522
SHA256 2c8e47c6b44b9f8909894b2b6c300d86fb4ab67fd516231de044fea1afe9e14b
SHA512 2ed62faade74cc428186218812a4df61af506be262fee346563484495fc0dc9f2ed46f3a39af35a64c682180b7889da4a3d2fbf63a41ba02553b90d74772872d

C:\Windows\System\RHvqXGl.exe

MD5 65105ae46e1930d8986da63a4804b76c
SHA1 6b6e71597fa7f538f0220932010ebac34e84383b
SHA256 8a9a50a8b1a22b5c9e60314d862936449e16586e6669a8d7dddb52db61492933
SHA512 2bb10422fff5a4d212baafa95c1914a53146307d10bee26072591c89ae41baef4d291fdc79b7068b2cfecd6e690b75a1f2f74544304d6cd663fdaec679f59556

C:\Windows\System\tVeIcBx.exe

MD5 dcc98e0e17d43fdd196b513fe905eeb2
SHA1 a99f0f10a6d81f0a1aed715eaae0c50ac305f3d2
SHA256 c423076a0cfd16814d56ac4cd3e14514d63fec4250bd402c28d81acc7c438c42
SHA512 5fbc54fe4aaed829c2194eac9675fc8999c555b9541986d5788d919714f095178d327f253132992079e5e4246cc25866fe32f919807f6e240a60529f1f9d8a91

C:\Windows\System\XMgvgNU.exe

MD5 706fbf9521dda484c547bc53e70c482b
SHA1 dd6c2a1f957d9ce2af1f29a5721a23d3d835ecbb
SHA256 948d2e5fe038006626106c98b3ad649a393a00f1bf9a022a4ced0517c2db9ed6
SHA512 e13ec6f153e384a037ae96d22f149e518fd4032c9076db3323a31bb2886b7cf1961c3ae56a170e72b706bfff4e6248c82741f1ce5cc72b33fac4d73d98b9be97

C:\Windows\System\SGFqcep.exe

MD5 256b1a15787e4a380ef977258ab5061f
SHA1 d8ab54128e2c20d0efc3633db17c7d3502db57ad
SHA256 a04c20239fd56182ed26933e68f7583f5089d373de0c69023268db444fb803aa
SHA512 51ba94d494d977d94368852ad1fde3f558118041f554a16aebe50bb94462b288d7c253ed11fc4028e2a5c5e3c156840bf54a525db351469218bcf61d1e2da777

C:\Windows\System\LRHyXdv.exe

MD5 6b5a7903dcbc7ed152921739986ffbdf
SHA1 df48432386828a095146c6830a046352c269d49b
SHA256 78cfca2fe8e75f1a7fb38b18de7c66e0e133da50d025bc38ae60ee4bb44131fe
SHA512 028b515573a0a91b8f355cbf0da961f0e4e779d4a4dcf7a03640caf6408996ce97ae256dc6cc61c7bf7f485a9d72348fcbb012d62cdf8de9e270b5eaf1a9fbaa

C:\Windows\System\CZodZmn.exe

MD5 f3f6b3eea6cbf00474e2fe806ef8c58d
SHA1 d4fb74278e518f8df2694a83361a5e7124e43dbd
SHA256 3f03f6fda85dc284c0502db80a229e2ab732bb4da4b5301343cd544e9861fc74
SHA512 571791188319e0ad61683dc4b51d2a931ea04ea337ab63f8c3e1302da81e335b502d8d77d392a968a1d3cbf9e63468172e4002364a10ea71f684366133b24e32

C:\Windows\System\IJNyWyd.exe

MD5 a346222c88ee2df031fd9b28e6402162
SHA1 4b5b9c723c3857e39a907992faadd87e8ac67a26
SHA256 5e8f2bc6ef42c927d31a5733188b341fbfcc787c6fbad0a16dc5ffc0e5e33796
SHA512 3e5874eef8949fa2e2cefd8b021ed61ca1a0db5d3856f730af5859a4ac9ecdb80c256c2409f667e0d14f5613933ffc73549d18e30dbbc450ffd42814fa6fcb70

C:\Windows\System\MBIqhBq.exe

MD5 d914795c0ce77812a276ed1b258230d2
SHA1 43f3bc813523531d3d369df7626a94b7cc7cb717
SHA256 f3eac2a51c5f7233e155e92e22660c3607ded4eb41f15b792c7ebd55962acfac
SHA512 a5b7b79fe7dc6c3830d00a0866427badcd78f7183bbdc8363e5adb498a5397206398fc55ef4203d5c2e4a7e4015ea0fb4483035801aeafcdc714a188b2301a09

memory/2256-60-0x00007FF6BD590000-0x00007FF6BD8E4000-memory.dmp

memory/3956-51-0x00007FF7FE1E0000-0x00007FF7FE534000-memory.dmp

memory/1408-117-0x00007FF614780000-0x00007FF614AD4000-memory.dmp

memory/4860-119-0x00007FF734260000-0x00007FF7345B4000-memory.dmp

memory/3564-118-0x00007FF6901D0000-0x00007FF690524000-memory.dmp

memory/1232-120-0x00007FF7B9A10000-0x00007FF7B9D64000-memory.dmp

memory/4268-121-0x00007FF7205D0000-0x00007FF720924000-memory.dmp

memory/3260-122-0x00007FF74AFF0000-0x00007FF74B344000-memory.dmp

memory/3020-123-0x00007FF61A5B0000-0x00007FF61A904000-memory.dmp

memory/1008-125-0x00007FF665230000-0x00007FF665584000-memory.dmp

memory/3992-124-0x00007FF6A7C20000-0x00007FF6A7F74000-memory.dmp

memory/3928-126-0x00007FF76D3E0000-0x00007FF76D734000-memory.dmp

memory/3100-127-0x00007FF72DB30000-0x00007FF72DE84000-memory.dmp

memory/2160-128-0x00007FF701A40000-0x00007FF701D94000-memory.dmp

memory/5056-129-0x00007FF63CEB0000-0x00007FF63D204000-memory.dmp

memory/4740-130-0x00007FF765120000-0x00007FF765474000-memory.dmp

memory/5104-131-0x00007FF746140000-0x00007FF746494000-memory.dmp

memory/1524-132-0x00007FF67C190000-0x00007FF67C4E4000-memory.dmp

memory/2256-133-0x00007FF6BD590000-0x00007FF6BD8E4000-memory.dmp

memory/5056-134-0x00007FF63CEB0000-0x00007FF63D204000-memory.dmp

memory/4740-135-0x00007FF765120000-0x00007FF765474000-memory.dmp

memory/4816-136-0x00007FF61F100000-0x00007FF61F454000-memory.dmp

memory/5104-137-0x00007FF746140000-0x00007FF746494000-memory.dmp

memory/1524-138-0x00007FF67C190000-0x00007FF67C4E4000-memory.dmp

memory/3244-139-0x00007FF6F8870000-0x00007FF6F8BC4000-memory.dmp

memory/4576-140-0x00007FF6F25E0000-0x00007FF6F2934000-memory.dmp

memory/3956-141-0x00007FF7FE1E0000-0x00007FF7FE534000-memory.dmp

memory/3056-142-0x00007FF787F70000-0x00007FF7882C4000-memory.dmp

memory/2256-143-0x00007FF6BD590000-0x00007FF6BD8E4000-memory.dmp

memory/1408-144-0x00007FF614780000-0x00007FF614AD4000-memory.dmp

memory/3564-145-0x00007FF6901D0000-0x00007FF690524000-memory.dmp

memory/4860-146-0x00007FF734260000-0x00007FF7345B4000-memory.dmp

memory/1232-147-0x00007FF7B9A10000-0x00007FF7B9D64000-memory.dmp

memory/4268-148-0x00007FF7205D0000-0x00007FF720924000-memory.dmp

memory/3260-149-0x00007FF74AFF0000-0x00007FF74B344000-memory.dmp

memory/3020-150-0x00007FF61A5B0000-0x00007FF61A904000-memory.dmp

memory/3992-151-0x00007FF6A7C20000-0x00007FF6A7F74000-memory.dmp

memory/3928-153-0x00007FF76D3E0000-0x00007FF76D734000-memory.dmp

memory/1008-152-0x00007FF665230000-0x00007FF665584000-memory.dmp

memory/3100-154-0x00007FF72DB30000-0x00007FF72DE84000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-30 05:45

Reported

2024-06-30 05:48

Platform

win7-20240611-en

Max time kernel

141s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows, all fields N/A)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (58 identical rows, all fields N/A)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe N/A (21 identical rows, only the Process field populated)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\xlQTCIs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SeIxpud.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YgQDaaC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MbMItbI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HfOebwj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lSMefcg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CgLBPgk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MyqeAGG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HcyRjQP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\icXlUqg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uICHBIQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\favdYfU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CBxmCsr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZARaBWb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PmWouZS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ORhrsUl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VJaiUNj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kerYiqd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DtEfeXD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JzniQrA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HfCnfEZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2764 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CgLBPgk.exe
PID 2764 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CgLBPgk.exe
PID 2764 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CgLBPgk.exe
PID 2764 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZARaBWb.exe
PID 2764 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZARaBWb.exe
PID 2764 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZARaBWb.exe
PID 2764 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MyqeAGG.exe
PID 2764 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MyqeAGG.exe
PID 2764 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MyqeAGG.exe
PID 2764 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xlQTCIs.exe
PID 2764 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xlQTCIs.exe
PID 2764 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xlQTCIs.exe
PID 2764 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SeIxpud.exe
PID 2764 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SeIxpud.exe
PID 2764 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SeIxpud.exe
PID 2764 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JzniQrA.exe
PID 2764 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JzniQrA.exe
PID 2764 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JzniQrA.exe
PID 2764 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ORhrsUl.exe
PID 2764 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ORhrsUl.exe
PID 2764 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ORhrsUl.exe
PID 2764 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YgQDaaC.exe
PID 2764 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YgQDaaC.exe
PID 2764 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YgQDaaC.exe
PID 2764 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PmWouZS.exe
PID 2764 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PmWouZS.exe
PID 2764 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PmWouZS.exe
PID 2764 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HfCnfEZ.exe
PID 2764 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HfCnfEZ.exe
PID 2764 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HfCnfEZ.exe
PID 2764 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kerYiqd.exe
PID 2764 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kerYiqd.exe
PID 2764 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kerYiqd.exe
PID 2764 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MbMItbI.exe
PID 2764 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MbMItbI.exe
PID 2764 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MbMItbI.exe
PID 2764 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CBxmCsr.exe
PID 2764 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CBxmCsr.exe
PID 2764 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CBxmCsr.exe
PID 2764 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HfOebwj.exe
PID 2764 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HfOebwj.exe
PID 2764 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HfOebwj.exe
PID 2764 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DtEfeXD.exe
PID 2764 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DtEfeXD.exe
PID 2764 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DtEfeXD.exe
PID 2764 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lSMefcg.exe
PID 2764 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lSMefcg.exe
PID 2764 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lSMefcg.exe
PID 2764 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uICHBIQ.exe
PID 2764 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uICHBIQ.exe
PID 2764 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uICHBIQ.exe
PID 2764 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VJaiUNj.exe
PID 2764 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VJaiUNj.exe
PID 2764 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VJaiUNj.exe
PID 2764 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\favdYfU.exe
PID 2764 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\favdYfU.exe
PID 2764 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\favdYfU.exe
PID 2764 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HcyRjQP.exe
PID 2764 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HcyRjQP.exe
PID 2764 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HcyRjQP.exe
PID 2764 wrote to memory of 484 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\icXlUqg.exe
PID 2764 wrote to memory of 484 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\icXlUqg.exe
PID 2764 wrote to memory of 484 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\icXlUqg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\CgLBPgk.exe

C:\Windows\System\CgLBPgk.exe

C:\Windows\System\ZARaBWb.exe

C:\Windows\System\ZARaBWb.exe

C:\Windows\System\MyqeAGG.exe

C:\Windows\System\MyqeAGG.exe

C:\Windows\System\xlQTCIs.exe

C:\Windows\System\xlQTCIs.exe

C:\Windows\System\SeIxpud.exe

C:\Windows\System\SeIxpud.exe

C:\Windows\System\JzniQrA.exe

C:\Windows\System\JzniQrA.exe

C:\Windows\System\ORhrsUl.exe

C:\Windows\System\ORhrsUl.exe

C:\Windows\System\YgQDaaC.exe

C:\Windows\System\YgQDaaC.exe

C:\Windows\System\PmWouZS.exe

C:\Windows\System\PmWouZS.exe

C:\Windows\System\HfCnfEZ.exe

C:\Windows\System\HfCnfEZ.exe

C:\Windows\System\kerYiqd.exe

C:\Windows\System\kerYiqd.exe

C:\Windows\System\MbMItbI.exe

C:\Windows\System\MbMItbI.exe

C:\Windows\System\CBxmCsr.exe

C:\Windows\System\CBxmCsr.exe

C:\Windows\System\HfOebwj.exe

C:\Windows\System\HfOebwj.exe

C:\Windows\System\DtEfeXD.exe

C:\Windows\System\DtEfeXD.exe

C:\Windows\System\lSMefcg.exe

C:\Windows\System\lSMefcg.exe

C:\Windows\System\uICHBIQ.exe

C:\Windows\System\uICHBIQ.exe

C:\Windows\System\VJaiUNj.exe

C:\Windows\System\VJaiUNj.exe

C:\Windows\System\favdYfU.exe

C:\Windows\System\favdYfU.exe

C:\Windows\System\HcyRjQP.exe

C:\Windows\System\HcyRjQP.exe

C:\Windows\System\icXlUqg.exe

C:\Windows\System\icXlUqg.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2764-0-0x000000013F400000-0x000000013F754000-memory.dmp

memory/2764-1-0x00000000002F0000-0x0000000000300000-memory.dmp

C:\Windows\system\CgLBPgk.exe

MD5 57b24f0d3abf07b55caffb5aecd2a085
SHA1 a2acf8cc57fb7c08bcae37669ce5cef21d91b52c
SHA256 77899205645ac0b81b09fb387a8281747d909c5860d9bbc5f1a85e7deed1db6c
SHA512 7df9dd39496509ef6428499c80fc5b9f8d966653342aedd84c8aa0ee468d6667357ce78efab905e4d03acdd9300425836874e302c5fdef0d37299d49d242f720

C:\Windows\system\MyqeAGG.exe

MD5 e0a2c5b07c7287116c815da99e76bbc8
SHA1 637c81c85bc7b120713b069d4cd707121f94c73c
SHA256 020025b7b7aa1fec956dd095e52b6a3a074daa2f55cacc1c1713963f5c11d8a8
SHA512 1eb81ef3ed40f2df02520862843e0e0364be24243e8195ea5986ab3d786c6d6a34dd1f144e432bcdea9f97f5b7f70210a7cdacf6765362515464c34d9ad98696

\Windows\system\ZARaBWb.exe

MD5 e8cbfdc438ae3cfc67954264c6baad51
SHA1 a5c8650731c0c887735cd8221692509407a4ec04
SHA256 6a10913c4402c17e0d4e4ff2754bcfc5ebe8fe694942da6a390994bf084d41d1
SHA512 24b1bb40ba4e10eb1383939ba00076cfac530331936f16d11a5df2f571c90c54ced0b5a1aa8922ee3cd10a66e71762adc5d2a8e0053d2b0f41f580252f283d0f

memory/2680-19-0x000000013F380000-0x000000013F6D4000-memory.dmp

memory/2748-23-0x000000013FCE0000-0x0000000140034000-memory.dmp

memory/2764-22-0x0000000002200000-0x0000000002554000-memory.dmp

memory/2764-20-0x000000013FCE0000-0x0000000140034000-memory.dmp

C:\Windows\system\xlQTCIs.exe

MD5 539287310282de032250c1eb0fc69857
SHA1 ee476585499e007ef03e1f7682b07c1ef57eea42
SHA256 6e71976577209a6ec9fb44bdf1ff2fd1b5a2ca2c19012168b10a2722c7564e41
SHA512 0c25248d522c2671a4da9fb47e795b7716d1af81fbd86b6f3dd9d20b954bb7aeb1d4988bb0450f4a129086411c79fbf3ea6f2b34a2bff35e624648d502f52be4

memory/2608-17-0x000000013F680000-0x000000013F9D4000-memory.dmp

memory/2764-15-0x0000000002200000-0x0000000002554000-memory.dmp

C:\Windows\system\icXlUqg.exe

MD5 d77c84930f9aca39bef2bb3512dc4372
SHA1 0914b0d3c47c2c2c793ed683c76efd5ee598f820
SHA256 1ac90b80daf61a0ecc647131fa12f10c2087a149837aeb1da109f0470defff42
SHA512 6c3387fa4e6509c58d143831ddc20d207153e5d3c3bde266251bfa4cf5c9aec40277d157d03c6412b5f17065561846a609f3c249e81884950c6e1be237a3060e

C:\Windows\system\HcyRjQP.exe

MD5 5c4d6ade7bf4a5e10597cf80aa2de59f
SHA1 70d1dc125c918f01fe96fff13b6d6b3390314062
SHA256 e4369c4aec87861693246f1458132a941612ce6a994f2c39ea54f2750d905359
SHA512 e837dfc9d5185c5a14c409f988e851b58d03aa4ce0397f6eed37649468f53e0fd2b4960adde17d5f7f3d00692267596cf55b87df55241a2f0f4cd72437799814

C:\Windows\system\favdYfU.exe

MD5 35544b226bc2cef48a728c4b6e11412f
SHA1 8bf56346893c7fdc7e534b6f13e2cfde004bba81
SHA256 336ee5ac3be7d0510a61da6e26d55e794bd2c6ecdcebe005e4e230222a66b9c9
SHA512 15c6288cc7fcb2d4f1dc2699e85ebcffe59db341b2fb6ed8a8fda5819eedf9d898e6129877ca58b1cb443d9a436c9e86064fc14c23831aca1511081563a19c4c

C:\Windows\system\VJaiUNj.exe

MD5 18dc95a6a66082acc88c9ef38b413122
SHA1 2898f71416d742a05c578b5726ba0dee110860a5
SHA256 74023362b09a8f4e831b94a5a16fbcd50b06dcba8d1152cb532d410848a09987
SHA512 716dff7f668d8213721477867ccf57563387fff0e74c5b05a3f7043acd44dc237887774a7f2b094242438ee9b018bb49da9f1fab7ce4846f150fec30a1f65b63

C:\Windows\system\uICHBIQ.exe

MD5 1bbb41e6df7a2c64a16278b5c768e04c
SHA1 1adb12261106c86506f464dc2b34c2589ce707c0
SHA256 b15dbce16dd4f4cf9ea773c1f1169dc5b815557700ff36e31788660d819190d2
SHA512 74d0744c3f0c652484ec6193e476510d282ec2dcdba1b4a8f0393edce1ba918954691b9a4fffb8e94d54d23f22665f5ba92911cedd39753e06cc1bd2287c4988

C:\Windows\system\lSMefcg.exe

MD5 75bd20997f1137cd5dece784b00bb2fd
SHA1 c87c9aacad584bca23ee2f99360ee84bc4837352
SHA256 a7e678f068b473a63db1ab7f6cbf5da098431f5ab61d5bb26c4851c7a6f40669
SHA512 5c0dab5c54e1668af3c2f65a1e4396418fad436418ed123294b069515bbe9117c0ba688ad7586e877ff8f03927ed9d706bf861646b43e97e305f0390ec2c0a27

C:\Windows\system\DtEfeXD.exe

MD5 0aff8dfda841f2145111d51db92084d2
SHA1 86ea4c1bb45efa3b99e722d1ef3018572f685bc6
SHA256 63bfc04ff20952b3b4f13f84c5f8a9db4d4d5558dc23b10c39fd6c4a712f6327
SHA512 63d36e167311d2151a0d59842140e6bb7456ec1055110b95c2d7c65106a8c11d569b4fc33a26f662bcddf88d4a0915f1a6ebf031b908e1c354871dbe1a30fe84

memory/2500-108-0x000000013FED0000-0x0000000140224000-memory.dmp

memory/2764-107-0x0000000002200000-0x0000000002554000-memory.dmp

memory/1352-106-0x000000013FFA0000-0x00000001402F4000-memory.dmp

C:\Windows\system\HfOebwj.exe

MD5 4977c33dd5cffa10b0a5e7313eeae852
SHA1 c0f2ca53174396dd47f73462d4d3f8c4ea8b6ca3
SHA256 969f27caf4f9747cd0c4fea424bd65ca4711e65b5026e2e9e9bb92b92e415766
SHA512 678bb8af2e342ce6255ebf2288a636e90d5487e8f76b17188bf0313828986348cdc45615209e02dd6585ccb3380a18e80940d163e81e0d0556bb0c74b3de8e3f

memory/2764-100-0x000000013FFA0000-0x00000001402F4000-memory.dmp

memory/2492-99-0x000000013FB80000-0x000000013FED4000-memory.dmp

memory/2904-98-0x000000013F040000-0x000000013F394000-memory.dmp

memory/2648-96-0x000000013FCF0000-0x0000000140044000-memory.dmp

C:\Windows\system\CBxmCsr.exe

MD5 fa9074c09156b4a257356df2c0e72100
SHA1 f9170f87628ffcf3b36e64c725fa61f61e64551e
SHA256 588aca2977f3877c52576867e6f8a7edc08c80b5daf4408e42ec00c07b5cc3f1
SHA512 737dda5548dca9f64fad9f1fc850601e97c01e9f9b34465f5a6b46cec0320fc191daa55254063b704c6b70c4864f3b22a30c019067597cd930947b3a9e112768

memory/2696-91-0x000000013F5A0000-0x000000013F8F4000-memory.dmp

memory/2764-90-0x000000013F040000-0x000000013F394000-memory.dmp

memory/2816-89-0x000000013F320000-0x000000013F674000-memory.dmp

C:\Windows\system\MbMItbI.exe

MD5 8ee84bebe1821fd455f41e80564617b4
SHA1 7712f8a81b67baea5e1af7d72e3a0bc685086caa
SHA256 843cd192b9e12b90e6545c1753f9c50ace539c7d2d0156224cdaf4f6926bf6cb
SHA512 f52edecba79a969ba0ee6de955a60efc1a33e23b60da3bfc55853eb859190874c46f1de64dbeebc891ba5673d084b8ba0d95dd4e7121290ae19e0ddb1587ee8f

memory/2764-83-0x000000013FCE0000-0x0000000140034000-memory.dmp

memory/2724-82-0x000000013F1B0000-0x000000013F504000-memory.dmp

memory/2764-81-0x0000000002200000-0x0000000002554000-memory.dmp

memory/1648-72-0x000000013F980000-0x000000013FCD4000-memory.dmp

memory/2764-71-0x000000013F980000-0x000000013FCD4000-memory.dmp

memory/2764-79-0x0000000002200000-0x0000000002554000-memory.dmp

memory/2764-78-0x000000013F400000-0x000000013F754000-memory.dmp

C:\Windows\system\kerYiqd.exe

MD5 638a7b25da18c1e442864170d616c783
SHA1 48f3de0afde2c2c02233bd63701ff7cc5636924f
SHA256 e1a601107c8d58c3b308085cc2e5af01d10dfd638507ce7cc7901f2ad568fe91
SHA512 811919464e5a3fb3c58c76b4e6a83a9aaecd1f00d2f5e9c8085a2f9224debb32fdce79b6edb34311ad0af12b4db4c732af8cb6d3c72858b89cdbb7e828665b97

C:\Windows\system\HfCnfEZ.exe

MD5 ca862a5427220f3c24fc773eabc1421f
SHA1 72109c800c42e757a2e1624f083dd0255e5c6e74
SHA256 1c6c8a1774953dee72cade08754d539798c77856817cb1fab30811cad3ab8878
SHA512 99bf4b9ee02577f79601bf33ac1b8b8c57aba077e9ae06395fbf82315ee68995915b7490b87c602a487a10f6fe8f41779e4c806fea57c62e032603c00533cacb

memory/2952-65-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

memory/2764-64-0x0000000002200000-0x0000000002554000-memory.dmp

memory/2764-142-0x0000000002200000-0x0000000002554000-memory.dmp

memory/2500-56-0x000000013FED0000-0x0000000140224000-memory.dmp

memory/2764-55-0x000000013FED0000-0x0000000140224000-memory.dmp

C:\Windows\system\YgQDaaC.exe

MD5 925e87273f068ede10c53882765233e2
SHA1 7381b1c183691d58118ed86f759fbe2fb18d7dac
SHA256 0a5709d02d67204b4f8ff98e51f7667157daff381941232abb408d753ada8a72
SHA512 13f12fae5adf33bb19e789f31ea21473172b3ba1a2810718dffb0415cc5ee3438f61161af68c15b4b5860d9e85c32c1022d863c2e73c1c0bbe8c18426019f203

C:\Windows\system\PmWouZS.exe

MD5 409bf2e04205d7d42dd558dd924e49cd
SHA1 b0a9e26e71c471736ba41423a16b319a0489288b
SHA256 199ae7061b0f8f75131d167680f50506d1528a2f5f7f8d822bfe6d41703ef5d8
SHA512 b7d715140e7016ad0494883063c76307a3660a0c72c4c0a55c79c085e0d003856d2e3793565078025e229b1574ac3b959280491a590abfe48b74d54a4802cf84

memory/2524-51-0x000000013FB30000-0x000000013FE84000-memory.dmp

memory/2764-50-0x000000013FB30000-0x000000013FE84000-memory.dmp

memory/2492-42-0x000000013FB80000-0x000000013FED4000-memory.dmp

memory/2764-41-0x000000013FB80000-0x000000013FED4000-memory.dmp

C:\Windows\system\ORhrsUl.exe

MD5 0e8cdd31bd79f5df0799a0b3555f0761
SHA1 8867650b03cd9457288d4530c7d26850f583e2b7
SHA256 fad806662b8a1322e4fe99d8bc7fd1b94332393949e601be0f2d28e4d6e30d3f
SHA512 f55454764d1072f27b920f72f14af95e03d7e7132b30b17d7fef37c0bc17a02b32aca082d7b4780ada759882fc4c7f036c9ec22b1ab8a0a7bd60fb5430e3a185

C:\Windows\system\JzniQrA.exe

MD5 cf55aa446c05380d40ec2bdab46aa8fb
SHA1 ab5d399291a6a4909bd4daec98bcd17c99f888bc
SHA256 602375141538696b5c5094d953c789c4cae49ba39a7de3f23b31a086b2a34fa7
SHA512 58e5628ccdf4c2269a0bbbd1323ac14b6d47df0b2a88a0d145cc0a32a1dcfa481b57cca228c941e5e3a4adb6812e39412f08ee0f2f33b405d9627f46f01d8b9d

memory/2648-37-0x000000013FCF0000-0x0000000140044000-memory.dmp

memory/2764-35-0x000000013FCF0000-0x0000000140044000-memory.dmp

memory/2696-29-0x000000013F5A0000-0x000000013F8F4000-memory.dmp

memory/2764-28-0x0000000002200000-0x0000000002554000-memory.dmp

C:\Windows\system\SeIxpud.exe

MD5 5f24cf88960708824a28907129c080be
SHA1 d372f35184d4d0d76550ef99afb03bc089e4a6f4
SHA256 499b315acf336aa8ea4440c7cd2aa314f9ea1755cd93a437610efba5e978231d
SHA512 ad42d2b1cce743cc9ee54d2b646bbb3c887fc25cb585e61ce5d9a92fe9d0101b23a2037f945585b11e35d6953e9c98d4c3f1cbc2a616bc3f1ad9e2eeeedf77be

memory/2764-143-0x0000000002200000-0x0000000002554000-memory.dmp

memory/2764-144-0x000000013F040000-0x000000013F394000-memory.dmp

memory/2764-145-0x000000013FFA0000-0x00000001402F4000-memory.dmp

memory/2608-146-0x000000013F680000-0x000000013F9D4000-memory.dmp

memory/2680-147-0x000000013F380000-0x000000013F6D4000-memory.dmp

memory/2748-148-0x000000013FCE0000-0x0000000140034000-memory.dmp

memory/2696-149-0x000000013F5A0000-0x000000013F8F4000-memory.dmp

memory/2648-150-0x000000013FCF0000-0x0000000140044000-memory.dmp

memory/2524-151-0x000000013FB30000-0x000000013FE84000-memory.dmp

memory/2492-152-0x000000013FB80000-0x000000013FED4000-memory.dmp

memory/2952-154-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

memory/2500-153-0x000000013FED0000-0x0000000140224000-memory.dmp

memory/1648-155-0x000000013F980000-0x000000013FCD4000-memory.dmp

memory/2724-156-0x000000013F1B0000-0x000000013F504000-memory.dmp

memory/2816-157-0x000000013F320000-0x000000013F674000-memory.dmp

memory/2904-158-0x000000013F040000-0x000000013F394000-memory.dmp

memory/1352-159-0x000000013FFA0000-0x00000001402F4000-memory.dmp