Analysis
max time kernel: 142s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-08-2024 21:45
Behavioral task: behavioral1
Sample: 2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe
Resource: win7-20240704-en
General
Target: 2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe
Size: 5.9MB
MD5: b03db4a7953dcae769c5f18c8bd22fa5
SHA1: d31b7435699badc73281d3e4339348fd7203adcd
SHA256: decc8358c64788a64472e275f44a37e54535c98243f884874bcd39ca549ef70b
SHA512: 6853ecd3e166379df63bec1b7a9a486b9d3808aa37ccbfb6ad228095f1d4e26b746eb35f32f0856e0bee0eba7752d662e2628ae367d807ec66dc5a3e4966b474
SSDEEP: 98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lU9:T+856utgpPF8u/79
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
Signatures

Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
resource | yara_rule
behavioral2/files/0x00090000000233d4-5.dat | cobalt_reflective_dll
behavioral2/files/0x0007000000023437-10.dat | cobalt_reflective_dll
behavioral2/files/0x0008000000023436-12.dat | cobalt_reflective_dll
behavioral2/files/0x0008000000023434-22.dat | cobalt_reflective_dll
behavioral2/files/0x0007000000023438-29.dat | cobalt_reflective_dll
behavioral2/files/0x000700000002343a-41.dat | cobalt_reflective_dll
behavioral2/files/0x000700000002343c-55.dat | cobalt_reflective_dll
behavioral2/files/0x0007000000023440-72.dat | cobalt_reflective_dll
behavioral2/files/0x0007000000023441-79.dat | cobalt_reflective_dll
behavioral2/files/0x0007000000023448-114.dat | cobalt_reflective_dll
behavioral2/files/0x0007000000023447-112.dat | cobalt_reflective_dll
behavioral2/files/0x0007000000023446-109.dat | cobalt_reflective_dll
behavioral2/files/0x0007000000023445-105.dat | cobalt_reflective_dll
behavioral2/files/0x0007000000023444-100.dat | cobalt_reflective_dll
behavioral2/files/0x0007000000023443-95.dat | cobalt_reflective_dll
behavioral2/files/0x0007000000023442-87.dat | cobalt_reflective_dll
behavioral2/files/0x000700000002343f-73.dat | cobalt_reflective_dll
behavioral2/files/0x000700000002343e-68.dat | cobalt_reflective_dll
behavioral2/files/0x000700000002343d-63.dat | cobalt_reflective_dll
behavioral2/files/0x000700000002343b-53.dat | cobalt_reflective_dll
behavioral2/files/0x0007000000023439-39.dat | cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.

XMRig Miner payload 64 IoCs
resource | yara_rule
behavioral2/memory/4316-0-0x00007FF6AC6D0000-0x00007FF6ACA24000-memory.dmp | xmrig
behavioral2/files/0x00090000000233d4-5.dat | xmrig
behavioral2/files/0x0007000000023437-10.dat | xmrig
behavioral2/files/0x0008000000023436-12.dat | xmrig
behavioral2/memory/3556-14-0x00007FF6A1640000-0x00007FF6A1994000-memory.dmp | xmrig
behavioral2/memory/4480-7-0x00007FF621B00000-0x00007FF621E54000-memory.dmp | xmrig
behavioral2/files/0x0008000000023434-22.dat | xmrig
behavioral2/files/0x0007000000023438-29.dat | xmrig
behavioral2/files/0x000700000002343a-41.dat | xmrig
behavioral2/memory/532-45-0x00007FF6D8DE0000-0x00007FF6D9134000-memory.dmp | xmrig
behavioral2/memory/2528-51-0x00007FF681620000-0x00007FF681974000-memory.dmp | xmrig
behavioral2/files/0x000700000002343c-55.dat | xmrig
behavioral2/files/0x0007000000023440-72.dat | xmrig
behavioral2/files/0x0007000000023441-79.dat | xmrig
behavioral2/files/0x0007000000023448-114.dat | xmrig
behavioral2/files/0x0007000000023447-112.dat | xmrig
behavioral2/files/0x0007000000023446-109.dat | xmrig
behavioral2/files/0x0007000000023445-105.dat | xmrig
behavioral2/files/0x0007000000023444-100.dat | xmrig
behavioral2/files/0x0007000000023443-95.dat | xmrig
behavioral2/files/0x0007000000023442-87.dat | xmrig
behavioral2/files/0x000700000002343f-73.dat | xmrig
behavioral2/files/0x000700000002343e-68.dat | xmrig
behavioral2/files/0x000700000002343d-63.dat | xmrig
behavioral2/files/0x000700000002343b-53.dat | xmrig
behavioral2/memory/4484-52-0x00007FF7A91E0000-0x00007FF7A9534000-memory.dmp | xmrig
behavioral2/memory/336-50-0x00007FF624D20000-0x00007FF625074000-memory.dmp | xmrig
behavioral2/files/0x0007000000023439-39.dat | xmrig
behavioral2/memory/3832-34-0x00007FF77E7B0000-0x00007FF77EB04000-memory.dmp | xmrig
behavioral2/memory/4044-25-0x00007FF62B970000-0x00007FF62BCC4000-memory.dmp | xmrig
behavioral2/memory/2520-20-0x00007FF6E9430000-0x00007FF6E9784000-memory.dmp | xmrig
behavioral2/memory/3308-116-0x00007FF7F3280000-0x00007FF7F35D4000-memory.dmp | xmrig
behavioral2/memory/1988-118-0x00007FF768090000-0x00007FF7683E4000-memory.dmp | xmrig
behavioral2/memory/2460-117-0x00007FF7BA3B0000-0x00007FF7BA704000-memory.dmp | xmrig
behavioral2/memory/864-119-0x00007FF6AE210000-0x00007FF6AE564000-memory.dmp | xmrig
behavioral2/memory/2784-120-0x00007FF70F020000-0x00007FF70F374000-memory.dmp | xmrig
behavioral2/memory/1688-121-0x00007FF751EB0000-0x00007FF752204000-memory.dmp | xmrig
behavioral2/memory/2252-122-0x00007FF6EECE0000-0x00007FF6EF034000-memory.dmp | xmrig
behavioral2/memory/2224-123-0x00007FF75C600000-0x00007FF75C954000-memory.dmp | xmrig
behavioral2/memory/4704-125-0x00007FF7654A0000-0x00007FF7657F4000-memory.dmp | xmrig
behavioral2/memory/2592-126-0x00007FF6A07B0000-0x00007FF6A0B04000-memory.dmp | xmrig
behavioral2/memory/692-127-0x00007FF6BB370000-0x00007FF6BB6C4000-memory.dmp | xmrig
behavioral2/memory/2540-124-0x00007FF6C9CF0000-0x00007FF6CA044000-memory.dmp | xmrig
behavioral2/memory/4316-128-0x00007FF6AC6D0000-0x00007FF6ACA24000-memory.dmp | xmrig
behavioral2/memory/4480-129-0x00007FF621B00000-0x00007FF621E54000-memory.dmp | xmrig
behavioral2/memory/3556-130-0x00007FF6A1640000-0x00007FF6A1994000-memory.dmp | xmrig
behavioral2/memory/4044-131-0x00007FF62B970000-0x00007FF62BCC4000-memory.dmp | xmrig
behavioral2/memory/2528-132-0x00007FF681620000-0x00007FF681974000-memory.dmp | xmrig
behavioral2/memory/4484-133-0x00007FF7A91E0000-0x00007FF7A9534000-memory.dmp | xmrig
behavioral2/memory/4480-134-0x00007FF621B00000-0x00007FF621E54000-memory.dmp | xmrig
behavioral2/memory/3556-135-0x00007FF6A1640000-0x00007FF6A1994000-memory.dmp | xmrig
behavioral2/memory/2520-136-0x00007FF6E9430000-0x00007FF6E9784000-memory.dmp | xmrig
behavioral2/memory/4044-137-0x00007FF62B970000-0x00007FF62BCC4000-memory.dmp | xmrig
behavioral2/memory/3832-138-0x00007FF77E7B0000-0x00007FF77EB04000-memory.dmp | xmrig
behavioral2/memory/336-139-0x00007FF624D20000-0x00007FF625074000-memory.dmp | xmrig
behavioral2/memory/532-140-0x00007FF6D8DE0000-0x00007FF6D9134000-memory.dmp | xmrig
behavioral2/memory/2528-141-0x00007FF681620000-0x00007FF681974000-memory.dmp | xmrig
behavioral2/memory/4484-142-0x00007FF7A91E0000-0x00007FF7A9534000-memory.dmp | xmrig
behavioral2/memory/3308-145-0x00007FF7F3280000-0x00007FF7F35D4000-memory.dmp | xmrig
behavioral2/memory/2460-144-0x00007FF7BA3B0000-0x00007FF7BA704000-memory.dmp | xmrig
behavioral2/memory/1988-143-0x00007FF768090000-0x00007FF7683E4000-memory.dmp | xmrig
behavioral2/memory/2224-149-0x00007FF75C600000-0x00007FF75C954000-memory.dmp | xmrig
behavioral2/memory/2784-153-0x00007FF70F020000-0x00007FF70F374000-memory.dmp | xmrig
behavioral2/memory/1688-152-0x00007FF751EB0000-0x00007FF752204000-memory.dmp | xmrig

Executes dropped EXE 21 IoCs
pid | Process
4480 | BRbMtpb.exe
3556 | ctIuIXW.exe
2520 | TCSTLmd.exe
4044 | NJTjTfM.exe
3832 | twUcmzh.exe
532 | vDVUfpP.exe
336 | SRDdYxX.exe
4484 | VvXLRaz.exe
2528 | ybKDqBK.exe
3308 | VUrdOAe.exe
2460 | vudpxRY.exe
1988 | KpLSRAd.exe
864 | UPVqkzA.exe
2784 | beRqKCv.exe
1688 | dLtkLxJ.exe
2252 | JUfaPZf.exe
2224 | QOrdMNL.exe
2540 | JtuahZi.exe
4704 | lOmQOQV.exe
2592 | BVOPPmu.exe
692 | CODvXEw.exe

resource | yara_rule
behavioral2/memory/4316-0-0x00007FF6AC6D0000-0x00007FF6ACA24000-memory.dmp | upx
behavioral2/files/0x00090000000233d4-5.dat | upx
behavioral2/files/0x0007000000023437-10.dat | upx
behavioral2/files/0x0008000000023436-12.dat | upx
behavioral2/memory/3556-14-0x00007FF6A1640000-0x00007FF6A1994000-memory.dmp | upx
behavioral2/memory/4480-7-0x00007FF621B00000-0x00007FF621E54000-memory.dmp | upx
behavioral2/files/0x0008000000023434-22.dat | upx
behavioral2/files/0x0007000000023438-29.dat | upx
behavioral2/files/0x000700000002343a-41.dat | upx
behavioral2/memory/532-45-0x00007FF6D8DE0000-0x00007FF6D9134000-memory.dmp | upx
behavioral2/memory/2528-51-0x00007FF681620000-0x00007FF681974000-memory.dmp | upx
behavioral2/files/0x000700000002343c-55.dat | upx
behavioral2/files/0x0007000000023440-72.dat | upx
behavioral2/files/0x0007000000023441-79.dat | upx
behavioral2/files/0x0007000000023448-114.dat | upx
behavioral2/files/0x0007000000023447-112.dat | upx
behavioral2/files/0x0007000000023446-109.dat | upx
behavioral2/files/0x0007000000023445-105.dat | upx
behavioral2/files/0x0007000000023444-100.dat | upx
behavioral2/files/0x0007000000023443-95.dat | upx
behavioral2/files/0x0007000000023442-87.dat | upx
behavioral2/files/0x000700000002343f-73.dat | upx
behavioral2/files/0x000700000002343e-68.dat | upx
behavioral2/files/0x000700000002343d-63.dat | upx
behavioral2/files/0x000700000002343b-53.dat | upx
behavioral2/memory/4484-52-0x00007FF7A91E0000-0x00007FF7A9534000-memory.dmp | upx
behavioral2/memory/336-50-0x00007FF624D20000-0x00007FF625074000-memory.dmp | upx
behavioral2/files/0x0007000000023439-39.dat | upx
behavioral2/memory/3832-34-0x00007FF77E7B0000-0x00007FF77EB04000-memory.dmp | upx
behavioral2/memory/4044-25-0x00007FF62B970000-0x00007FF62BCC4000-memory.dmp | upx
behavioral2/memory/2520-20-0x00007FF6E9430000-0x00007FF6E9784000-memory.dmp | upx
behavioral2/memory/3308-116-0x00007FF7F3280000-0x00007FF7F35D4000-memory.dmp | upx
behavioral2/memory/1988-118-0x00007FF768090000-0x00007FF7683E4000-memory.dmp | upx
behavioral2/memory/2460-117-0x00007FF7BA3B0000-0x00007FF7BA704000-memory.dmp | upx
behavioral2/memory/864-119-0x00007FF6AE210000-0x00007FF6AE564000-memory.dmp | upx
behavioral2/memory/2784-120-0x00007FF70F020000-0x00007FF70F374000-memory.dmp | upx
behavioral2/memory/1688-121-0x00007FF751EB0000-0x00007FF752204000-memory.dmp | upx
behavioral2/memory/2252-122-0x00007FF6EECE0000-0x00007FF6EF034000-memory.dmp | upx
behavioral2/memory/2224-123-0x00007FF75C600000-0x00007FF75C954000-memory.dmp | upx
behavioral2/memory/4704-125-0x00007FF7654A0000-0x00007FF7657F4000-memory.dmp | upx
behavioral2/memory/2592-126-0x00007FF6A07B0000-0x00007FF6A0B04000-memory.dmp | upx
behavioral2/memory/692-127-0x00007FF6BB370000-0x00007FF6BB6C4000-memory.dmp | upx
behavioral2/memory/2540-124-0x00007FF6C9CF0000-0x00007FF6CA044000-memory.dmp | upx
behavioral2/memory/4316-128-0x00007FF6AC6D0000-0x00007FF6ACA24000-memory.dmp | upx
behavioral2/memory/4480-129-0x00007FF621B00000-0x00007FF621E54000-memory.dmp | upx
behavioral2/memory/3556-130-0x00007FF6A1640000-0x00007FF6A1994000-memory.dmp | upx
behavioral2/memory/4044-131-0x00007FF62B970000-0x00007FF62BCC4000-memory.dmp | upx
behavioral2/memory/2528-132-0x00007FF681620000-0x00007FF681974000-memory.dmp | upx
behavioral2/memory/4484-133-0x00007FF7A91E0000-0x00007FF7A9534000-memory.dmp | upx
behavioral2/memory/4480-134-0x00007FF621B00000-0x00007FF621E54000-memory.dmp | upx
behavioral2/memory/3556-135-0x00007FF6A1640000-0x00007FF6A1994000-memory.dmp | upx
behavioral2/memory/2520-136-0x00007FF6E9430000-0x00007FF6E9784000-memory.dmp | upx
behavioral2/memory/4044-137-0x00007FF62B970000-0x00007FF62BCC4000-memory.dmp | upx
behavioral2/memory/3832-138-0x00007FF77E7B0000-0x00007FF77EB04000-memory.dmp | upx
behavioral2/memory/336-139-0x00007FF624D20000-0x00007FF625074000-memory.dmp | upx
behavioral2/memory/532-140-0x00007FF6D8DE0000-0x00007FF6D9134000-memory.dmp | upx
behavioral2/memory/2528-141-0x00007FF681620000-0x00007FF681974000-memory.dmp | upx
behavioral2/memory/4484-142-0x00007FF7A91E0000-0x00007FF7A9534000-memory.dmp | upx
behavioral2/memory/3308-145-0x00007FF7F3280000-0x00007FF7F35D4000-memory.dmp | upx
behavioral2/memory/2460-144-0x00007FF7BA3B0000-0x00007FF7BA704000-memory.dmp | upx
behavioral2/memory/1988-143-0x00007FF768090000-0x00007FF7683E4000-memory.dmp | upx
behavioral2/memory/2224-149-0x00007FF75C600000-0x00007FF75C954000-memory.dmp | upx
behavioral2/memory/2784-153-0x00007FF70F020000-0x00007FF70F374000-memory.dmp | upx
behavioral2/memory/1688-152-0x00007FF751EB0000-0x00007FF752204000-memory.dmp | upx

Drops file in Windows directory 21 IoCs
description | ioc | Process
The Process column is 2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe for every row.
File created | C:\Windows\System\twUcmzh.exe
File created | C:\Windows\System\ybKDqBK.exe
File created | C:\Windows\System\beRqKCv.exe
File created | C:\Windows\System\QOrdMNL.exe
File created | C:\Windows\System\TCSTLmd.exe
File created | C:\Windows\System\VvXLRaz.exe
File created | C:\Windows\System\BRbMtpb.exe
File created | C:\Windows\System\VUrdOAe.exe
File created | C:\Windows\System\vudpxRY.exe
File created | C:\Windows\System\UPVqkzA.exe
File created | C:\Windows\System\dLtkLxJ.exe
File created | C:\Windows\System\JtuahZi.exe
File created | C:\Windows\System\BVOPPmu.exe
File created | C:\Windows\System\ctIuIXW.exe
File created | C:\Windows\System\NJTjTfM.exe
File created | C:\Windows\System\vDVUfpP.exe
File created | C:\Windows\System\SRDdYxX.exe
File created | C:\Windows\System\KpLSRAd.exe
File created | C:\Windows\System\JUfaPZf.exe
File created | C:\Windows\System\lOmQOQV.exe
File created | C:\Windows\System\CODvXEw.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeLockMemoryPrivilege | 4316 | 2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege | 4316 | 2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs
description | pid | Process | procid_target
The Process column is 2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe for every row; each row below appears twice in the report (42 rows in total).
PID 4316 wrote to memory of 4480 | 4316 | 84
PID 4316 wrote to memory of 3556 | 4316 | 85
PID 4316 wrote to memory of 2520 | 4316 | 86
PID 4316 wrote to memory of 4044 | 4316 | 87
PID 4316 wrote to memory of 3832 | 4316 | 88
PID 4316 wrote to memory of 532 | 4316 | 89
PID 4316 wrote to memory of 336 | 4316 | 91
PID 4316 wrote to memory of 4484 | 4316 | 92
PID 4316 wrote to memory of 2528 | 4316 | 93
PID 4316 wrote to memory of 3308 | 4316 | 94
PID 4316 wrote to memory of 2460 | 4316 | 95
PID 4316 wrote to memory of 1988 | 4316 | 96
PID 4316 wrote to memory of 864 | 4316 | 97
PID 4316 wrote to memory of 2784 | 4316 | 98
PID 4316 wrote to memory of 1688 | 4316 | 99
PID 4316 wrote to memory of 2252 | 4316 | 100
PID 4316 wrote to memory of 2224 | 4316 | 101
PID 4316 wrote to memory of 2540 | 4316 | 102
PID 4316 wrote to memory of 4704 | 4316 | 103
PID 4316 wrote to memory of 2592 | 4316 | 104
PID 4316 wrote to memory of 692 | 4316 | 105
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe"
  PID: 4316
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\System\BRbMtpb.exe
      command line: C:\Windows\System\BRbMtpb.exe
      PID: 4480
      - Executes dropped EXE
    C:\Windows\System\ctIuIXW.exe
      command line: C:\Windows\System\ctIuIXW.exe
      PID: 3556
      - Executes dropped EXE
    C:\Windows\System\TCSTLmd.exe
      command line: C:\Windows\System\TCSTLmd.exe
      PID: 2520
      - Executes dropped EXE
    C:\Windows\System\NJTjTfM.exe
      command line: C:\Windows\System\NJTjTfM.exe
      PID: 4044
      - Executes dropped EXE
    C:\Windows\System\twUcmzh.exe
      command line: C:\Windows\System\twUcmzh.exe
      PID: 3832
      - Executes dropped EXE
    C:\Windows\System\vDVUfpP.exe
      command line: C:\Windows\System\vDVUfpP.exe
      PID: 532
      - Executes dropped EXE
    C:\Windows\System\SRDdYxX.exe
      command line: C:\Windows\System\SRDdYxX.exe
      PID: 336
      - Executes dropped EXE
    C:\Windows\System\VvXLRaz.exe
      command line: C:\Windows\System\VvXLRaz.exe
      PID: 4484
      - Executes dropped EXE
    C:\Windows\System\ybKDqBK.exe
      command line: C:\Windows\System\ybKDqBK.exe
      PID: 2528
      - Executes dropped EXE
    C:\Windows\System\VUrdOAe.exe
      command line: C:\Windows\System\VUrdOAe.exe
      PID: 3308
      - Executes dropped EXE
    C:\Windows\System\vudpxRY.exe
      command line: C:\Windows\System\vudpxRY.exe
      PID: 2460
      - Executes dropped EXE
    C:\Windows\System\KpLSRAd.exe
      command line: C:\Windows\System\KpLSRAd.exe
      PID: 1988
      - Executes dropped EXE
    C:\Windows\System\UPVqkzA.exe
      command line: C:\Windows\System\UPVqkzA.exe
      PID: 864
      - Executes dropped EXE
    C:\Windows\System\beRqKCv.exe
      command line: C:\Windows\System\beRqKCv.exe
      PID: 2784
      - Executes dropped EXE
    C:\Windows\System\dLtkLxJ.exe
      command line: C:\Windows\System\dLtkLxJ.exe
      PID: 1688
      - Executes dropped EXE
    C:\Windows\System\JUfaPZf.exe
      command line: C:\Windows\System\JUfaPZf.exe
      PID: 2252
      - Executes dropped EXE
    C:\Windows\System\QOrdMNL.exe
      command line: C:\Windows\System\QOrdMNL.exe
      PID: 2224
      - Executes dropped EXE
    C:\Windows\System\JtuahZi.exe
      command line: C:\Windows\System\JtuahZi.exe
      PID: 2540
      - Executes dropped EXE
    C:\Windows\System\lOmQOQV.exe
      command line: C:\Windows\System\lOmQOQV.exe
      PID: 4704
      - Executes dropped EXE
    C:\Windows\System\BVOPPmu.exe
      command line: C:\Windows\System\BVOPPmu.exe
      PID: 2592
      - Executes dropped EXE
    C:\Windows\System\CODvXEw.exe
      command line: C:\Windows\System\CODvXEw.exe
      PID: 692
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 5.9MB
MD5: 980919e13763f9dcee616641f5890b48
SHA1: 90619b5e41bb82c411c53cf56db4983e534c3c51
SHA256: f6c8adfa9678efc19dbb8cec1bc703fa069d9f842e62f19ac338fbf936248f18
SHA512: 2a819d80dee22171de26cc1957bfc61c53e700da5ab2e4bc2c4cad706ad6f460bf354f2a362e00ebae609b14dc0bc2150b41108a27f3ad569e63241001f1cc84

Filesize: 5.9MB
MD5: 218b9bff4b73bb87e15bca449744f753
SHA1: 02a62c31192c5c4b6fb910d5013b6f0dd2c0aedf
SHA256: 7ac60d8210fe3ff49891c968141a0b99dc09b50107af84688bd3abfc69654598
SHA512: fd89e238bd1914072441a0934d3ceabfe260f24e28287e177a95b4a4544c68b1b6bb3cf3abbb6066647a91ef03886dbb8d1668072f78daaddb9c5070263afd56

Filesize: 5.9MB
MD5: d8a521f3ee3a2b7ca386fcf2ea8e1a26
SHA1: b594cfec628c242adcdf61b61186507d6c0f550e
SHA256: 3320aee8de359197a15e71fe3bde63ea0e0b61650777d97f412dec3ad3878e41
SHA512: 7d6d4144a8afcebc357ca619e91fb8d840f5bfaa6b17d535dc8e764b0c117628aedfe93074bb6776b8cd515b8026bcae1864f50dee6db6a1355fa1323332e462

Filesize: 5.9MB
MD5: ef04b24d7ee7aa05c047dad30d32d27a
SHA1: fc79c820317e183f3c17edf4f56256281726832e
SHA256: 71e1137a26ef392756856966f63b6a94c82307103f1afd032c0ce506c202fa69
SHA512: 6a7f3c8ca0f9b6d13ce6800651d689dd4565ec55a9c42d2e2b403b4b79f900824f590639d3a98893d495fa8b68d977e4074596ed1d2e4317772e8250500dbe7c

Filesize: 5.9MB
MD5: 0a101facd8a234e9ad79490fc87b39ae
SHA1: 42b883befc3263cc0b304dd590dbdca94cc788e0
SHA256: 1f77ef9042a064be6e4468cfd26ec0b5ef512c838fe5292c4f4c319bd4d2749e
SHA512: 941c11912a07ee2eb19b74b39d66e49ff0cfb7ed24de8d6041840082c9fb15e529767a2404d73b49e785e2bdb292631b9ad52e6dab3df3c3f792544dc9c5b127

Filesize: 5.9MB
MD5: f7432bd74578be8c82b01f13eb03e170
SHA1: c9d5ab8f9787758b5f39f1a835bf10609c278748
SHA256: 623c12ace32fdcaffb60fb8c66923f5773486aefd4cd56f1fa525917fb88094a
SHA512: ba78430b8cd25717a6f50adef1f0b791624ddf75309fa939e47bef81ee7419b24ede2a243e4eadd4e14821ba4e9640166c9622feb68b0f141ac587432d8811c6

Filesize: 5.9MB
MD5: 1e5f8efe306cd1d68af79a4178b1904f
SHA1: 600afadfefdb6f3445d56b84390d410b2a9b5c63
SHA256: 0b0555d08a44e6e44e7a59c9608ac86d527b7f5f430b53e8cb923319bc259b1b
SHA512: f1ab6ffe8eb650fd6b9f133f35032c73858fbfe24f554e36f14dd5b8b56f55792faf1667b22982d4832d13e55a474802269eeebce4a859f5b08a773c6e54bbf8

Filesize: 5.9MB
MD5: bc0146e09ce9c5d841667bfea058c23e
SHA1: 98cf4e1ba734a8a9ffc859fc06235e18e090ad74
SHA256: 261301dbab13a05b4f3c86ccd9b674f0b27cda7920d693fbf9e74882c109b3f5
SHA512: dc87c34f8feb5a275f201a2af23d29a1f85be9997152ab3c260ffda3daf8d67c6c0ccf04111452cdabe426ac537a2058ab1d694a96405f7dbb6840a60b6d6716

Filesize: 5.9MB
MD5: 10617398f466a13f8a93497831187bca
SHA1: 7b7161889b58e641013fee15257b1fd3d93a48ed
SHA256: cd09df08ae97b7b372050ca94d16ace3d5566bc7e0516863212f9f1483f16cd0
SHA512: c4a2348b76bb90bc8a5fdcbe34b61e4000de6cb11743fbe66c8b330c4301a9017ac946d8323dd1e67935167496906552ef412ff3490c14999b2c41ff0b8c7e00

Filesize: 5.9MB
MD5: e3de828cde67b392f7b4f4c28c0aa158
SHA1: b231987e1aedfdce6c83243d3c8c757be49b5d63
SHA256: 4360338fe0b04b4c758e9aa042b209a76c3ef04a4cbd361170f684d9cadadc8c
SHA512: 41ab668d6676baec71d2643b9122e5a17895e5c5e9cd3d23637ec303fd1ca7efd775f49c789d6c00446f1cd71f3de4458d5e792d1fe2ce893121a47fb6fc3a48

Filesize: 5.9MB
MD5: 7f50a7d9db680d379ad0245d8828e575
SHA1: 4e4ab4db24a24c08577c942898846e67f126ac94
SHA256: 111da80b07a80b24aea42c528ebfd96ba544a7d2872aa7b04df6df055f0c96df
SHA512: 6c22dada0f62fd54571392df1d1ef3e17443c5444ffa310200f57cc7e32a0143a87a29222a9ef8da6e732bc7d08a1c4016f09112868a510fcc7a3042cc9ff9b4

Filesize: 5.9MB
MD5: 9c8f82f4c5a78a348c19599782c8f890
SHA1: 510fdbaedb8100bd5bdace2e80dd3d3b5c0a2989
SHA256: 8bc061ee083cc4c1c359af3b6e14a7997521cbce2f6bfca420ca0fa40bbd0710
SHA512: a6074ca833816646f5a57e61c4324e2bd1125f61888d750c52f0f893a5734a8b2ae0fcc353f5b2d3995e3b6e6c0741e14e6a935f20d282a0ce7cd27a4640b2d1

Filesize: 5.9MB
MD5: d41ff38f900f835773e7d99171e4e40e
SHA1: 050cdb5d0a2f989297df039361991c417692b42b
SHA256: 7afb291b1be9229ebba17edda084d994caff079d720839d6f9bdf370d75d7f2e
SHA512: 3f97710adf99132f815bc862bbcf56d8d579f6ae596e907a7e2d24eb3b306e87eb3235f5c86482df36a2a789d5c8d3cd4524bc141dcfc2d8de8c9fdc7ded902d

Filesize: 5.9MB
MD5: 0a6e542b6fede74a754d0df98e5c13fd
SHA1: b33c000ad439cb492900099da02e551214c68ca2
SHA256: 073e581be93afd71524c1ff7c5373ed0215a19be7bb10797a73719f5aa9e8632
SHA512: 5182ccc5608aa7333fb053cb8fc5e7861d7d8159e2017f716a5c90cc87c6309aaa7856e52b3145f4776164514a89bcdb024cd52ee339570780c9503724640ceb

Filesize: 5.9MB
MD5: bb323f6136598092379ede7e3bb003fe
SHA1: 732247886199768c7a651b0d481bb72da0550455
SHA256: d5428d4b0ea6906015e196639c418e025476de9aba18c6c73d7d8b69607cbdc2
SHA512: fe71981d55ff17000c0a13b62a3ef8322085428a4bb7a3de4b47afa631ad3ef3d7298e57bb2af089bd25d0bf0fe334ab5b4738daf864d44013bd5d55fa6eb54d

Filesize: 5.9MB
MD5: ff9cbd74538db081d4a2359673229436
SHA1: 6a4b1238e5f3b6ee48bde281b7696b649b57c86f
SHA256: 4b95c6d50c95d4272014a7134702532bceaba7e44a7125bb17ec0668606d9bf8
SHA512: b4cd7631f1aff3f92ef3569037a7f536448d7a3368eb3c8c118f63ee0cfa5f74a1923c2d86484796a5066ac87453dcecb9662ef0136f50c2afbcd5f4aa10a6ce

Filesize: 5.9MB
MD5: c3c3c06472fbe280e231f2cc23260c28
SHA1: c2d42e319ee6a6cb567d901c541711e7f29e51c6
SHA256: 42737c7ff0e425f30603c1f24029b81d96b29094b6159c62a3db67211de45f76
SHA512: 2db385a78d7f3cf2662b3d2823d975035c7a5b84db5e13784a4325bfa0f5ec07e8964422eb488e63b8b6d970ea934a04fa3ba9d5bd053bdaf59c87b07bb470c0

Filesize: 5.9MB
MD5: ca5dbe170a4cbaeebee92ed400fea303
SHA1: e0092655494034651d7b6fa83ea5c069005fe8a3
SHA256: f9841547d38f097d72265e86e058fe543d727e234fc4d9f45d09576ef8925846
SHA512: cf2545ef155d3201d19bbd60e8b4ee802bd45ecaf104834b3f4067290aa144a03f2c9779cd12e382aded537fddf8e86b41de18fa48d9d4f1d158ee4492fccf3d

Filesize: 5.9MB
MD5: 56ced10a8062dbfc1b8c172aa602903b
SHA1: bad63674a679f06b4dd3ae142cd9bfc12ab73ebf
SHA256: aa9d5e1ce6667c09c011f10cf53a56c9c08c6688b874edda2809fc90f26abb9f
SHA512: eeee4713fb35d434cabae2071ecc4859f10776c398927090e5ac7a4c03c5985e6462d42836e3a7115131c7e85d863512c8edd902fe8b37d2e80d50c651d5394f

Filesize: 5.9MB
MD5: 3b7d76ddb62aa8d8a49f3d084882f476
SHA1: 258924918bb0aa67a82c4bcc2a6eff8a42b955fb
SHA256: 406f95663cf2be58b7015acfe49d9cb6ebba96aaf2b0f08d326b57de7be0961f
SHA512: db87b1c1b7308a422b2321459314492b47c4fc2be82bdcbd04f9a3d726586df07d12d24331db5a6e0163ff7bd307c158f0e231286ac9c464310f0e56f7471f0e

Filesize: 5.9MB
MD5: 12897976e05824993ee1eb8964775d2c
SHA1: f84eed657db6accb8f78720443180dc9a536ddf4
SHA256: d523118da644538c169dd82c754c8410230ea33b14d5728f9c7ec214f0c2c491
SHA512: 0eab1812e3590d79856138958f38e6eef02b5e192bb92a217ceec1a2bb0c34ce818aab5e8f8e2a106f7d51d670b050092e7f249c386e179e4fcc834f980ef1fe