Analysis
- max time kernel: 141s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-08-2024 21:47
Behavioral task: behavioral1
- Sample: 2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe
- Resource: win7-20240708-en
General
- Target: 2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe
- Size: 5.2MB
- MD5: fba34cf4973da0b771605f9dd845a1d3
- SHA1: a739a3d2e47c9154670e5b76ca2f27a2abd30fcf
- SHA256: de9bad680e02891cedcc3fbd0cd11d8bb088f17481020dd52b4d5d6af58bf6cd
- SHA512: 61e61bb42dbbbd8500547e8e6e4ab3a3cf811e2f4681d72ad1ab114e9d891334750079eb5fdc0d19cd32fc5acd2c04043a4c27764d54004b4d494e90a5d6fe29
- SSDEEP: 49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lE:RWWBibf56utgpPFotBER/mQ32lU4
Malware Config
Extracted
cobaltstrike
0
- http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- access_type: 512
- beacon_type: 256
- create_remote_thread: 768
- crypto_scheme: 256
- host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http_header1: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_header2: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
- http_method1: GET
- http_method2: POST
- maxdns: 255
- pipe_name: \\%s\pipe\msagent_%x
- polling_time: 5000
- port_number: 443
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 4096
- unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /N4215/adj/amzn.us.sr.aps
- user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
- watermark: 0
Signatures

Cobalt Strike reflective loader (21 IoCs)
Detects the reflective loader used by Cobalt Strike.
yara rule cobalt_reflective_dll matched on each of the 21 dropped .dat resources (raw resource list omitted).
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
XMRig Miner payload (45 IoCs)
yara rule xmrig matched in the memory image of the main sample (PID 3564) and of every dropped child process (raw memory-region list omitted).
Executes dropped EXE (21 IoCs)
pid | Process
4292 | NXWaKia.exe
1920 | HSwFOCr.exe
4428 | mVzEdQz.exe
2204 | BlDTbzW.exe
5084 | ktYcrbz.exe
320 | npFIGmX.exe
1520 | enidYYX.exe
1980 | STPoFxy.exe
1436 | yXGLWYU.exe
1640 | tKeMXAf.exe
1428 | nvKCmqP.exe
3600 | ihygGaC.exe
4672 | fDoHBjo.exe
4000 | qHcBjGd.exe
2884 | CxHkpFQ.exe
2760 | OrRPNuY.exe
884 | vHdALOT.exe
640 | PwJeMzI.exe
60 | KXOSlIf.exe
4968 | CDykOFa.exe
2460 | zzYGMmi.exe
yara rule upx matched on the main sample's memory image (PID 3564), on each of the 21 dropped .dat resources and on the memory image of every dropped child process (raw resource list omitted).
Drops file in Windows directory (21 IoCs)
Process for every entry: 2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe
description | ioc
File created | C:\Windows\System\CDykOFa.exe
File created | C:\Windows\System\HSwFOCr.exe
File created | C:\Windows\System\nvKCmqP.exe
File created | C:\Windows\System\fDoHBjo.exe
File created | C:\Windows\System\npFIGmX.exe
File created | C:\Windows\System\enidYYX.exe
File created | C:\Windows\System\STPoFxy.exe
File created | C:\Windows\System\ihygGaC.exe
File created | C:\Windows\System\qHcBjGd.exe
File created | C:\Windows\System\CxHkpFQ.exe
File created | C:\Windows\System\OrRPNuY.exe
File created | C:\Windows\System\vHdALOT.exe
File created | C:\Windows\System\mVzEdQz.exe
File created | C:\Windows\System\BlDTbzW.exe
File created | C:\Windows\System\PwJeMzI.exe
File created | C:\Windows\System\KXOSlIf.exe
File created | C:\Windows\System\yXGLWYU.exe
File created | C:\Windows\System\tKeMXAf.exe
File created | C:\Windows\System\zzYGMmi.exe
File created | C:\Windows\System\NXWaKia.exe
File created | C:\Windows\System\ktYcrbz.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeLockMemoryPrivilege | 3564 | 2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege | 3564 | 2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe
Suspicious use of WriteProcessMemory (42 IoCs)
PID 3564 (2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe) wrote to the memory of each of the 21 dropped child processes (PIDs 4292, 1920, 4428, 2204, 5084, 320, 1520, 1980, 1436, 1640, 1428, 3600, 4672, 4000, 2884, 2760, 884, 640, 60, 4968, 2460); each event is recorded twice in the raw list, which is omitted here.
Processes
Each dropped child was launched with its bare path as the command line.
- C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe (PID 3564)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System\NXWaKia.exe (PID 4292)
    - Executes dropped EXE
  - C:\Windows\System\HSwFOCr.exe (PID 1920)
    - Executes dropped EXE
  - C:\Windows\System\mVzEdQz.exe (PID 4428)
    - Executes dropped EXE
  - C:\Windows\System\BlDTbzW.exe (PID 2204)
    - Executes dropped EXE
  - C:\Windows\System\ktYcrbz.exe (PID 5084)
    - Executes dropped EXE
  - C:\Windows\System\npFIGmX.exe (PID 320)
    - Executes dropped EXE
  - C:\Windows\System\enidYYX.exe (PID 1520)
    - Executes dropped EXE
  - C:\Windows\System\STPoFxy.exe (PID 1980)
    - Executes dropped EXE
  - C:\Windows\System\yXGLWYU.exe (PID 1436)
    - Executes dropped EXE
  - C:\Windows\System\tKeMXAf.exe (PID 1640)
    - Executes dropped EXE
  - C:\Windows\System\nvKCmqP.exe (PID 1428)
    - Executes dropped EXE
  - C:\Windows\System\ihygGaC.exe (PID 3600)
    - Executes dropped EXE
  - C:\Windows\System\fDoHBjo.exe (PID 4672)
    - Executes dropped EXE
  - C:\Windows\System\qHcBjGd.exe (PID 4000)
    - Executes dropped EXE
  - C:\Windows\System\CxHkpFQ.exe (PID 2884)
    - Executes dropped EXE
  - C:\Windows\System\OrRPNuY.exe (PID 2760)
    - Executes dropped EXE
  - C:\Windows\System\vHdALOT.exe (PID 884)
    - Executes dropped EXE
  - C:\Windows\System\PwJeMzI.exe (PID 640)
    - Executes dropped EXE
  - C:\Windows\System\KXOSlIf.exe (PID 60)
    - Executes dropped EXE
  - C:\Windows\System\CDykOFa.exe (PID 4968)
    - Executes dropped EXE
  - C:\Windows\System\zzYGMmi.exe (PID 2460)
    - Executes dropped EXE
Downloads
21 dropped files, each 5.2MB (per-file MD5/SHA1/SHA256/SHA512 list omitted).