Analysis
max time kernel: 141s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-08-2024 22:42
Behavioral task: behavioral1
Sample: 2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe
Resource: win7-20240704-en
General
Target: 2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe
Size: 5.2MB
MD5: 72be44cf5b77de38af0f4a4f1d5fc27c
SHA1: d2019870129605053a63449f3d0209f5b7ea95f1
SHA256: 0b3d9346fe4b83bb11eb7cdc4b7890910543e175aef474505fa90f61caf8ee0b
SHA512: e86e7e2bb2f8c0f623cd09b6ac1eea81a161368146c78cf9437e5c86cf4e52f3898226cb2973b0e808510e997718029cde8475f98d84bf2dbb2f64de17f83b08
SSDEEP: 49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lr:RWWBibf56utgpPFotBER/mQ32lUf
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1: (base64 blob omitted)
http_header2: (base64 blob omitted)
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine: (base64 blob omitted)
unknown1: 4096
unknown2: (base64 blob omitted)
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
Signatures
Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
(21 dropped-file resources matched yara_rule cobalt_reflective_dll; resource list omitted)
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
XMRig Miner payload 45 IoCs
(45 process memory-dump resources matched yara_rule xmrig; resource list omitted)
Executes dropped EXE 21 IoCs
pid   Process
5100  HAsWVnS.exe
4176  zeIgYLe.exe
2216  BEFoHCp.exe
4780  evuUUHn.exe
2972  kNOXdXt.exe
232   CCmnsfE.exe
5088  FUPBrCk.exe
2080  SENonPa.exe
4756  MoDKqhL.exe
2928  jjFEgBJ.exe
1512  xkxHpHX.exe
2584  QHjoUml.exe
3736  HPVMaxt.exe
400   vqeTyeB.exe
3760  wVupQgO.exe
4944  AAmiSAu.exe
3152  EUanQZJ.exe
3424  yvKEsAP.exe
2180  JaxpOrr.exe
1572  baujovO.exe
3992  plcLbjL.exe
(yara_rule upx matched on the dropped-file resources and on the process memory dumps; resource list omitted)
Drops file in Windows directory 21 IoCs
description: File created; Process: 2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe for every entry
ioc:
C:\Windows\System\xkxHpHX.exe
C:\Windows\System\SENonPa.exe
C:\Windows\System\MoDKqhL.exe
C:\Windows\System\jjFEgBJ.exe
C:\Windows\System\HAsWVnS.exe
C:\Windows\System\yvKEsAP.exe
C:\Windows\System\vqeTyeB.exe
C:\Windows\System\wVupQgO.exe
C:\Windows\System\AAmiSAu.exe
C:\Windows\System\EUanQZJ.exe
C:\Windows\System\JaxpOrr.exe
C:\Windows\System\kNOXdXt.exe
C:\Windows\System\CCmnsfE.exe
C:\Windows\System\QHjoUml.exe
C:\Windows\System\baujovO.exe
C:\Windows\System\plcLbjL.exe
C:\Windows\System\FUPBrCk.exe
C:\Windows\System\HPVMaxt.exe
C:\Windows\System\zeIgYLe.exe
C:\Windows\System\BEFoHCp.exe
C:\Windows\System\evuUUHn.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description                   pid   Process
Token: SeLockMemoryPrivilege  3216  2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege  3216  2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe
Suspicious use of WriteProcessMemory 42 IoCs
Every entry has pid 3216 and Process 2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe; each target pair is reported twice, giving 42 entries.
description (PID 3216 wrote to memory of)  procid_target
5100  84
4176  86
2216  87
4780  88
2972  90
232   91
5088  92
2080  94
4756  95
2928  96
1512  97
2584  98
3736  99
400   100
3760  101
4944  102
3152  103
3424  104
2180  105
1572  106
3992  107
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe"
  PID: 3216
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes (each started by PID 3216, each tagged "Executes dropped EXE"):
    C:\Windows\System\HAsWVnS.exe  PID: 5100
    C:\Windows\System\zeIgYLe.exe  PID: 4176
    C:\Windows\System\BEFoHCp.exe  PID: 2216
    C:\Windows\System\evuUUHn.exe  PID: 4780
    C:\Windows\System\kNOXdXt.exe  PID: 2972
    C:\Windows\System\CCmnsfE.exe  PID: 232
    C:\Windows\System\FUPBrCk.exe  PID: 5088
    C:\Windows\System\SENonPa.exe  PID: 2080
    C:\Windows\System\MoDKqhL.exe  PID: 4756
    C:\Windows\System\jjFEgBJ.exe  PID: 2928
    C:\Windows\System\xkxHpHX.exe  PID: 1512
    C:\Windows\System\QHjoUml.exe  PID: 2584
    C:\Windows\System\HPVMaxt.exe  PID: 3736
    C:\Windows\System\vqeTyeB.exe  PID: 400
    C:\Windows\System\wVupQgO.exe  PID: 3760
    C:\Windows\System\AAmiSAu.exe  PID: 4944
    C:\Windows\System\EUanQZJ.exe  PID: 3152
    C:\Windows\System\yvKEsAP.exe  PID: 3424
    C:\Windows\System\JaxpOrr.exe  PID: 2180
    C:\Windows\System\baujovO.exe  PID: 1572
    C:\Windows\System\plcLbjL.exe  PID: 3992
Downloads
(21 dropped-file entries, each Filesize 5.2MB, with MD5/SHA1/SHA256/SHA512 values; hash list omitted)