Analysis

max time kernel: 142s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-08-2024 21:43

Behavioral task: behavioral1
Sample: 2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe
Resource: win7-20240705-en
General

Target: 2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe
Size: 5.2MB
MD5: 57e09187c49574ec42bf2d3c5d963c35
SHA1: 1e9440d172a8bb7b3d47214d64d890788f44b9af
SHA256: 353b6fb0219aab7e8d52e3660c2f631f35331760da779259bdd02904b7d742a6
SHA512: e0eb2457afe6429f39152729bdb6a251c5a977eec28f825be166625109bf6176d47fc1d831213d57c17f20f8314b8774177653e2c995a673b7155ff9931fec52
SSDEEP: 49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lG:RWWBibf56utgpPFotBER/mQ32lU6
Malware Config

Extracted: cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2:
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
Signatures

Cobalt Strike reflective loader (21 IoCs)
Detects the reflective loader used by Cobalt Strike.
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.

XMRig Miner payload (48 IoCs)
Executes dropped EXE (21 IoCs)
YARA rule upx matched in the memory of the sample and its child processes and in the dropped files.
Drops file in Windows directory (21 IoCs)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Token: SeLockMemoryPrivilege, PID 2896, 2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege, PID 2896, 2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe
Suspicious use of WriteProcessMemory (42 IoCs)
Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe"
  PID: 2896
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\System\JHOtLra.exe (PID 3348) - Executes dropped EXE
    C:\Windows\System\zfZqYfo.exe (PID 2084) - Executes dropped EXE
    C:\Windows\System\muQVkcZ.exe (PID 3912) - Executes dropped EXE
    C:\Windows\System\xpXaodb.exe (PID 2880) - Executes dropped EXE
    C:\Windows\System\EkyyyzH.exe (PID 2684) - Executes dropped EXE
    C:\Windows\System\hCELsed.exe (PID 2756) - Executes dropped EXE
    C:\Windows\System\FkznUwC.exe (PID 868) - Executes dropped EXE
    C:\Windows\System\gnKZinp.exe (PID 3328) - Executes dropped EXE
    C:\Windows\System\DhfywGF.exe (PID 4524) - Executes dropped EXE
    C:\Windows\System\pxgCrZv.exe (PID 3464) - Executes dropped EXE
    C:\Windows\System\pcYwxyE.exe (PID 4520) - Executes dropped EXE
    C:\Windows\System\mpzikQM.exe (PID 412) - Executes dropped EXE
    C:\Windows\System\wQTsALv.exe (PID 528) - Executes dropped EXE
    C:\Windows\System\TxvQeVL.exe (PID 2840) - Executes dropped EXE
    C:\Windows\System\qlkFcPl.exe (PID 4556) - Executes dropped EXE
    C:\Windows\System\GyUSZAf.exe (PID 3556) - Executes dropped EXE
    C:\Windows\System\hquZEjj.exe (PID 2792) - Executes dropped EXE
    C:\Windows\System\mczeItP.exe (PID 3836) - Executes dropped EXE
    C:\Windows\System\qiDeCoa.exe (PID 2900) - Executes dropped EXE
    C:\Windows\System\gVZKfGj.exe (PID 4024) - Executes dropped EXE
    C:\Windows\System\PiVvFkf.exe (PID 3336) - Executes dropped EXE
  Each child was launched with its own path as the command line (e.g. C:\Windows\System\JHOtLra.exe).
Downloads (21 files, 5.2MB each)