Analysis
max time kernel: 144s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-08-2024 22:44
Behavioral task: behavioral1
Sample: 2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe
Resource: win7-20240729-en
General
Target: 2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe
Size: 5.9MB
MD5: b6aad5314a485274a54a8bf06cf311a8
SHA1: 961636c67c3e0d015cde208c0b5e5e8b64044a31
SHA256: 704131dad1674a92f450dcf24ae7279a5f743e0bd6d886bb3408ee17a529446e
SHA512: 087981e3db23707e56029bd3c84a1fe01ac12124ec24732484f5dd1590cf51ae8a67bb3bed6ae4b9a7e67cdd1b9750c81b2069d445c1da12bec2df9a765dcf57
SSDEEP: 98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUX:T+856utgpPF8u/7X
Malware Config
Extracted family: cobaltstrike
C2 URLs (three hosts, same URI):
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host: ns7.softline.top, ns8.softline.top, ns9.softline.top, each paired with the URI /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1 (base64-encoded transform program for the http-get client block):
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
Decoded, it sets the constant headers "Accept: */*" and "Host: www.amazon.com", then base64-encodes the session metadata, prepends "session-token=", prepends "skin=noskin;", appends "csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996" and sends the result in the Cookie header.
http_header2 (base64-encoded transform program for the http-post client block):
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
Decoded, it sets the headers "Accept: */*", "Content-Type: text/xml", "X-Requested-With: XMLHttpRequest" and "Host: www.amazon.com", adds the constant query parameters sz=160x600, oe=oe=ISO-8859-1;, s=3717 and dc_ref=http%3A%2F%2Fwww.amazon.com, carries the session id in the query parameter sn, and sends the base64-encoded task output in the request body.
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine (despite the label, this is the beacon's RSA public key as a DER-encoded SubjectPublicKeyInfo, 1024-bit modulus, public exponent 65537; the beacon encrypts the session metadata it sends to the team server with it):
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2:
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0

The URIs, the www.amazon.com Host header, the cookie and query-string constants and the user agent are those of the widely circulated amazon.profile malleable C2 profile. Note that the Host header the beacon sends (www.amazon.com) is not the host it connects to (ns7/ns8/ns9.softline.top on port 443), so network detections should key on the destination name and on the URI, cookie and query-string constants rather than on the Host header alone.
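The two http_header blobs above are Cobalt Strike transform programs: a sequence of big-endian 32-bit op codes, where string-carrying ops are followed by a 32-bit length and the string, and op 0 terminates the program. The Python below is an added example written for this page (it is not part of the sandbox report, nor the extractor it used); it decodes both blobs and then applies the decoded program to constructed stand-in payloads to show the exact request shape a beacon built from this config would emit. The op-code names follow the public open-source beacon-config parsers (an assumption for the ops that do not occur in these two blobs); the blobs, URIs and methods are copied from the config above, and the payload bytes are constructed.

```python
"""Decode the http_header1 / http_header2 transform programs from the beacon
config above and render the HTTP requests a beacon would build from them.
Added example for this page; constants are copied from the extracted config."""
import base64
import struct

# Op codes of Beacon's transform program, named as in public beacon-config
# parsers (assumed for ops not present in this config). Ops in STRING_ARG
# carry one length-prefixed string; 7 (build) carries a 32-bit selector
# (http-get: 0 = metadata; http-post: 0 = id, 1 = output); 14 (strrep)
# carries two strings; the rest carry no argument.
OPS = {1: "append", 2: "prepend", 3: "base64", 4: "print", 5: "parameter",
       6: "header", 7: "build", 8: "netbios", 9: "_parameter", 10: "_header",
       11: "netbiosu", 12: "uri_append", 13: "base64url", 14: "strrep",
       15: "mask", 16: "_hostheader"}
STRING_ARG = {1, 2, 5, 6, 9, 10, 16}

# Copied from the config above (http_header1, http_header2, C2 URI, uri).
HTTP_GET_PROGRAM = "AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="
HTTP_POST_PROGRAM = "AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA=="
GET_URI = "/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"
POST_URI = "/N4215/adj/amzn.us.sr.aps"


def _u32(data, pos):
    return struct.unpack_from(">I", data, pos)[0]


def _string(data, pos):
    """Read a 32-bit big-endian length followed by that many bytes."""
    n = _u32(data, pos)
    return data[pos + 4:pos + 4 + n].decode("latin-1"), pos + 4 + n


def decode_transform(b64):
    """Return the transform program as a list of (op_name, arg) tuples."""
    b64 = b64.strip().rstrip("=")
    data = base64.b64decode(b64 + "=" * (-len(b64) % 4))  # tolerate lost padding
    steps, pos = [], 0
    while pos + 4 <= len(data):
        op = _u32(data, pos)
        pos += 4
        if op == 0:                      # terminator; the blob is zero-padded after it
            break
        name = OPS.get(op, f"op{op}")
        if op in STRING_ARG:
            arg, pos = _string(data, pos)
        elif op == 7:                    # build: which data block to transform
            arg, pos = _u32(data, pos), pos + 4
        elif op == 14:                   # strrep: (search, replace)
            first, pos = _string(data, pos)
            second, pos = _string(data, pos)
            arg = (first, second)
        else:
            arg = None
        steps.append((name, arg))
    return steps


def render_request(steps, method, uri, blocks):
    """Apply `steps` to the data in `blocks` (keyed by the build selector) and
    return (request_line, headers, body) as the beacon would emit them.
    Only the ops that occur in this config are modelled."""
    headers, params, buf, body = {}, {}, b"", b""
    for name, arg in steps:
        if name == "_header":            # constant header, stored as "Name: value"
            key, value = arg.split(": ", 1)
            headers[key] = value
        elif name == "_parameter":       # constant query parameter, stored as "k=v"
            key, value = arg.split("=", 1)
            params[key] = value
        elif name == "build":            # select the data block to transform
            buf = blocks[arg]
        elif name == "base64":
            buf = base64.b64encode(buf)
        elif name == "prepend":
            buf = arg.encode("latin-1") + buf
        elif name == "append":
            buf = buf + arg.encode("latin-1")
        elif name == "header":           # transformed data goes into this header ...
            headers[arg] = buf.decode("latin-1")
        elif name == "parameter":        # ... or into this query parameter ...
            params[arg] = buf.decode("latin-1")
        elif name == "print":            # ... or into the body
            body = buf
        else:
            raise NotImplementedError(f"transform step {name!r} not modelled")
    query = "&".join(f"{k}={v}" for k, v in params.items())
    request_line = f"{method} {uri}{'?' + query if query else ''} HTTP/1.1"
    return request_line, headers, body


if __name__ == "__main__":
    # Constructed stand-in payloads: a live beacon sends RSA-encrypted session
    # metadata, a numeric session id and encrypted task output here.
    line, hdrs, _ = render_request(decode_transform(HTTP_GET_PROGRAM), "GET",
                                   GET_URI, {0: b"\x00\x01\x02"})
    print(line, hdrs)
    line, hdrs, body = render_request(decode_transform(HTTP_POST_PROGRAM), "POST",
                                      POST_URI, {0: b"1234", 1: b"hello"})
    print(line, hdrs, body)
```

The rendered GET shows the detection-relevant quirk of this profile: the three cookie pieces are concatenated without separators, so the Cookie header reads skin=noskin;session-token=<base64>csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996, and the constant csm-hit value is a better network signature than the www.amazon.com Host header, which a real Amazon client would also send.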
Signatures

Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
All 21 resources matched yara rule cobalt_reflective_dll:
behavioral2/files/0x000900000002341e-5.dat
behavioral2/files/0x000700000002347c-9.dat
behavioral2/files/0x000800000002347b-11.dat
behavioral2/files/0x000700000002347d-25.dat
behavioral2/files/0x000700000002347e-32.dat
behavioral2/files/0x0007000000023480-46.dat
behavioral2/files/0x0007000000023481-50.dat
behavioral2/files/0x000b000000023470-52.dat
behavioral2/files/0x000700000002347f-38.dat
behavioral2/files/0x0007000000023482-58.dat
behavioral2/files/0x0007000000023483-66.dat
behavioral2/files/0x0007000000023484-72.dat
behavioral2/files/0x0007000000023485-78.dat
behavioral2/files/0x0007000000023487-90.dat
behavioral2/files/0x000700000002348a-113.dat
behavioral2/files/0x0007000000023489-111.dat
behavioral2/files/0x0007000000023488-97.dat
behavioral2/files/0x0007000000023486-86.dat
behavioral2/files/0x000700000002348b-117.dat
behavioral2/files/0x0007000000023491-122.dat
behavioral2/files/0x0007000000023492-126.dat

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
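The state_machine field in the config above is the beacon's RSA public key in DER SubjectPublicKeyInfo form. Because a team server embeds the same key pair in every beacon it generates, the hash of that DER is a stable pivot for clustering samples even when hosts, URIs and watermark differ. The following Python is an added example for this page (not code from the report or from any tool it used) that parses the DER with a minimal TLV reader, checks it is an rsaEncryption key and returns the modulus size, exponent and a SHA-256 fingerprint; the blob is copied from the config, everything else is written here.

```python
"""Parse the DER SubjectPublicKeyInfo in the config's state_machine field
(the beacon's RSA public key) and fingerprint it for clustering.
Added example for this page; the blob is copied from the extracted config."""
import base64
import hashlib

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1

BEACON_PUBKEY_B64 = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="


def _tlv(buf, pos):
    """Read one DER tag-length-value at `pos`; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(b64):
    """Return modulus size, public exponent, modulus and SHA-256 of the key DER."""
    b64 = b64.strip().rstrip("=")
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    tag, spki, end = _tlv(raw, 0)          # SubjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    key_der = raw[:end]                    # the config blob is zero-padded past the key
    tag, alg, pos = _tlv(spki, 0)          # AlgorithmIdentifier ::= SEQUENCE
    oid_tag, oid, _ = _tlv(alg, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _tlv(spki, pos)       # subjectPublicKey ::= BIT STRING
    if tag != 0x03 or bitstr[0] != 0:      # first byte = unused bits, must be 0
        raise ValueError("unexpected BIT STRING")
    tag, rsapub, _ = _tlv(bitstr, 1)       # RSAPublicKey ::= SEQUENCE { n, e }
    if tag != 0x30:
        raise ValueError("unexpected RSAPublicKey")
    _, n_bytes, pos = _tlv(rsapub, 0)
    _, e_bytes, _ = _tlv(rsapub, pos)
    n, e = int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")
    return {"modulus_bits": n.bit_length(), "exponent": e, "modulus": n,
            "sha256": hashlib.sha256(key_der).hexdigest()}


if __name__ == "__main__":
    info = parse_rsa_spki(BEACON_PUBKEY_B64)
    print(f"RSA-{info['modulus_bits']} e={info['exponent']} sha256={info['sha256']}")
```

The fingerprint is taken over the key DER only, after trimming the zero padding the extractor leaves behind, so it matches the hash of the same key pulled from any other beacon of this team server regardless of how much padding each config carries.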

XMRig Miner payload 64 IoCs
All 64 resources matched yara rule xmrig. The 21 .dat file resources are the same files flagged above as Cobalt Strike reflective loader; the memory regions belong to the parent (PID 2444) and its 21 children:
behavioral2/memory/2444-0-0x00007FF70BFE0000-0x00007FF70C334000-memory.dmp
behavioral2/files/0x000900000002341e-5.dat
behavioral2/files/0x000700000002347c-9.dat
behavioral2/files/0x000800000002347b-11.dat
behavioral2/memory/3776-12-0x00007FF695D90000-0x00007FF6960E4000-memory.dmp
behavioral2/memory/876-10-0x00007FF623DC0000-0x00007FF624114000-memory.dmp
behavioral2/memory/3180-22-0x00007FF7A5C20000-0x00007FF7A5F74000-memory.dmp
behavioral2/files/0x000700000002347d-25.dat
behavioral2/files/0x000700000002347e-32.dat
behavioral2/memory/4256-29-0x00007FF78B720000-0x00007FF78BA74000-memory.dmp
behavioral2/memory/2892-43-0x00007FF68B6E0000-0x00007FF68BA34000-memory.dmp
behavioral2/files/0x0007000000023480-46.dat
behavioral2/files/0x0007000000023481-50.dat
behavioral2/files/0x000b000000023470-52.dat
behavioral2/memory/3000-51-0x00007FF7FB850000-0x00007FF7FBBA4000-memory.dmp
behavioral2/memory/4144-49-0x00007FF71F710000-0x00007FF71FA64000-memory.dmp
behavioral2/memory/4452-41-0x00007FF6BC110000-0x00007FF6BC464000-memory.dmp
behavioral2/files/0x000700000002347f-38.dat
behavioral2/memory/1212-37-0x00007FF7BE710000-0x00007FF7BEA64000-memory.dmp
behavioral2/files/0x0007000000023482-58.dat
behavioral2/memory/4660-62-0x00007FF7148A0000-0x00007FF714BF4000-memory.dmp
behavioral2/files/0x0007000000023483-66.dat
behavioral2/memory/4092-69-0x00007FF799840000-0x00007FF799B94000-memory.dmp
behavioral2/memory/2444-68-0x00007FF70BFE0000-0x00007FF70C334000-memory.dmp
behavioral2/files/0x0007000000023484-72.dat
behavioral2/files/0x0007000000023485-78.dat
behavioral2/memory/4632-85-0x00007FF6B7D20000-0x00007FF6B8074000-memory.dmp
behavioral2/memory/2036-88-0x00007FF76B2D0000-0x00007FF76B624000-memory.dmp
behavioral2/files/0x0007000000023487-90.dat
behavioral2/memory/1116-107-0x00007FF692580000-0x00007FF6928D4000-memory.dmp
behavioral2/memory/4452-109-0x00007FF6BC110000-0x00007FF6BC464000-memory.dmp
behavioral2/files/0x000700000002348a-113.dat
behavioral2/files/0x0007000000023489-111.dat
behavioral2/memory/2824-110-0x00007FF604870000-0x00007FF604BC4000-memory.dmp
behavioral2/memory/892-108-0x00007FF7089D0000-0x00007FF708D24000-memory.dmp
behavioral2/memory/4840-105-0x00007FF716EA0000-0x00007FF7171F4000-memory.dmp
behavioral2/memory/1212-104-0x00007FF7BE710000-0x00007FF7BEA64000-memory.dmp
behavioral2/files/0x0007000000023488-97.dat
behavioral2/files/0x0007000000023486-86.dat
behavioral2/memory/3776-83-0x00007FF695D90000-0x00007FF6960E4000-memory.dmp
behavioral2/memory/32-80-0x00007FF779130000-0x00007FF779484000-memory.dmp
behavioral2/files/0x000700000002348b-117.dat
behavioral2/files/0x0007000000023491-122.dat
behavioral2/files/0x0007000000023492-126.dat
behavioral2/memory/952-129-0x00007FF669C30000-0x00007FF669F84000-memory.dmp
behavioral2/memory/3396-130-0x00007FF7B7AD0000-0x00007FF7B7E24000-memory.dmp
behavioral2/memory/772-131-0x00007FF676060000-0x00007FF6763B4000-memory.dmp
behavioral2/memory/2892-132-0x00007FF68B6E0000-0x00007FF68BA34000-memory.dmp
behavioral2/memory/4144-133-0x00007FF71F710000-0x00007FF71FA64000-memory.dmp
behavioral2/memory/3000-134-0x00007FF7FB850000-0x00007FF7FBBA4000-memory.dmp
behavioral2/memory/2036-135-0x00007FF76B2D0000-0x00007FF76B624000-memory.dmp
behavioral2/memory/892-136-0x00007FF7089D0000-0x00007FF708D24000-memory.dmp
behavioral2/memory/2824-137-0x00007FF604870000-0x00007FF604BC4000-memory.dmp
behavioral2/memory/876-138-0x00007FF623DC0000-0x00007FF624114000-memory.dmp
behavioral2/memory/3776-139-0x00007FF695D90000-0x00007FF6960E4000-memory.dmp
behavioral2/memory/3180-140-0x00007FF7A5C20000-0x00007FF7A5F74000-memory.dmp
behavioral2/memory/4256-141-0x00007FF78B720000-0x00007FF78BA74000-memory.dmp
behavioral2/memory/1212-142-0x00007FF7BE710000-0x00007FF7BEA64000-memory.dmp
behavioral2/memory/4452-143-0x00007FF6BC110000-0x00007FF6BC464000-memory.dmp
behavioral2/memory/3000-144-0x00007FF7FB850000-0x00007FF7FBBA4000-memory.dmp
behavioral2/memory/2892-145-0x00007FF68B6E0000-0x00007FF68BA34000-memory.dmp
behavioral2/memory/4144-146-0x00007FF71F710000-0x00007FF71FA64000-memory.dmp
behavioral2/memory/4660-147-0x00007FF7148A0000-0x00007FF714BF4000-memory.dmp
behavioral2/memory/4092-148-0x00007FF799840000-0x00007FF799B94000-memory.dmp
Executes dropped EXE 21 IoCs
pid   Process
876   wLPjeBU.exe
3776  MhzDgjz.exe
3180  ptachOT.exe
4256  XgaTHQU.exe
1212  slHsgOC.exe
4452  hIHqJMV.exe
2892  onESlLv.exe
4144  dToICxR.exe
3000  WoKVkNV.exe
4660  cUUptKw.exe
4092  PrHoNbj.exe
32    yxSLxgu.exe
4632  iqgkenN.exe
2036  IRvJrBX.exe
4840  xgEkWlq.exe
1116  vkjCQZr.exe
892   TideCbH.exe
2824  akLHyLf.exe
952   XQpwsGS.exe
3396  StzVItg.exe
772   uhMDojH.exe

Yara rule upx 64 IoCs
The 64 resources matching yara rule upx are, entry for entry, the same 64 file and memory resources listed under XMRig Miner payload above: every dropped file and every flagged memory region is UPX-packed as well as miner code.
Drops file in Windows directory 21 IoCs
All 21 files were created under C:\Windows\System\ by 2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe:
C:\Windows\System\vkjCQZr.exe
C:\Windows\System\TideCbH.exe
C:\Windows\System\XQpwsGS.exe
C:\Windows\System\dToICxR.exe
C:\Windows\System\slHsgOC.exe
C:\Windows\System\onESlLv.exe
C:\Windows\System\cUUptKw.exe
C:\Windows\System\xgEkWlq.exe
C:\Windows\System\wLPjeBU.exe
C:\Windows\System\hIHqJMV.exe
C:\Windows\System\WoKVkNV.exe
C:\Windows\System\iqgkenN.exe
C:\Windows\System\akLHyLf.exe
C:\Windows\System\StzVItg.exe
C:\Windows\System\XgaTHQU.exe
C:\Windows\System\ptachOT.exe
C:\Windows\System\PrHoNbj.exe
C:\Windows\System\yxSLxgu.exe
C:\Windows\System\IRvJrBX.exe
C:\Windows\System\uhMDojH.exe
C:\Windows\System\MhzDgjz.exe
Writing to C:\Windows\System requires administrative rights (the sample ran from C:\Users\Admin\... in the sandbox), and new executables with random names in that legacy directory are a cheap, high-signal hunt on a real host.
Suspicious use of AdjustPrivilegeToken 2 IoCs
Token: SeLockMemoryPrivilege, pid 2444, 2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe (logged twice)
SeLockMemoryPrivilege is the privilege XMRig enables so it can back its hashing memory with large pages; a user-launched process requesting it is a strong miner indicator and is consistent with the xmrig yara matches above.
Suspicious use of WriteProcessMemory 42 IoCs
PID 2444 (2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe) wrote to the memory of each child it spawned; every write is logged twice, giving 42 entries for 21 targets.
target pid  procid_target
876         84
3776        85
3180        87
4256        90
1212        91
4452        92
2892        93
4144        94
3000        95
4660        96
4092        97
32          98
4632        99
2036        100
4840        101
1116        102
892         103
2824        104
952         105
3396        106
772         107
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe, PID 2444
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Depth 2: the 21 children below are all spawned by PID 2444, each is flagged "Executes dropped EXE", and each is started with its bare path as the command line:
  C:\Windows\System\wLPjeBU.exe, PID 876
  C:\Windows\System\MhzDgjz.exe, PID 3776
  C:\Windows\System\ptachOT.exe, PID 3180
  C:\Windows\System\XgaTHQU.exe, PID 4256
  C:\Windows\System\slHsgOC.exe, PID 1212
  C:\Windows\System\hIHqJMV.exe, PID 4452
  C:\Windows\System\onESlLv.exe, PID 2892
  C:\Windows\System\dToICxR.exe, PID 4144
  C:\Windows\System\WoKVkNV.exe, PID 3000
  C:\Windows\System\cUUptKw.exe, PID 4660
  C:\Windows\System\PrHoNbj.exe, PID 4092
  C:\Windows\System\yxSLxgu.exe, PID 32
  C:\Windows\System\iqgkenN.exe, PID 4632
  C:\Windows\System\IRvJrBX.exe, PID 2036
  C:\Windows\System\xgEkWlq.exe, PID 4840
  C:\Windows\System\vkjCQZr.exe, PID 1116
  C:\Windows\System\TideCbH.exe, PID 892
  C:\Windows\System\akLHyLf.exe, PID 2824
  C:\Windows\System\XQpwsGS.exe, PID 952
  C:\Windows\System\StzVItg.exe, PID 3396
  C:\Windows\System\uhMDojH.exe, PID 772
Network
MITRE ATT&CK Matrix
Downloads
21 files, each 5.9MB:

Filesize: 5.9MB
MD5: 97418fffe22167955270099d7813f1ec
SHA1: 32da1750d3eb7c6112a9daf42d86643c9f87d9fc
SHA256: e2fa9df3a14cec7eb5c73f7131d7dfa64657aeef66b30397b0257b119136c6b6
SHA512: aa9b3b398bf213d76e40cc8cf19055e13ad475eee697db78edb79cf2148b57fcf187556df3f23d8385edde33264ac05430611d4eab8ac1d262f0ab1aa16d16b2

Filesize: 5.9MB
MD5: fef8fee649c65abda4cef58ee8fc8bb9
SHA1: 222dbd3225a721ada66e7d7b294a565ebefe9f7a
SHA256: 49b15e1da3c1c4953d27342422f9f679486660a6c9e19d072cf2ba678a3c7ff0
SHA512: 9e75d0375903c5d26790dc7237b913f9f64956682a68701cf82dcbb48f7bb97182aac63dd1335d18b9f569e10470abc018d5270a77ba013d08e3cf47b1b4c253

Filesize: 5.9MB
MD5: cb395c85a906c7296b34cc6d49d4a1ed
SHA1: 2a32498a17554049400672eb3912d8358f698b54
SHA256: 14fa3d86f88a92ff358f7342e28f00555ddd65e9bf767d5bb790f841b0f61786
SHA512: ac8a77a1858d467d45959e112c8c339fdda56fcc9dba9e22d5c14a98bba86df21b55e8714b0983cd3f0a2ac91257267064a0bfcf7db1d78c1ba1a9e628763be6

Filesize: 5.9MB
MD5: d4a1c5ac1560418138548914c35401ea
SHA1: 3001b68124278e8f04a843cb61035bd24c971285
SHA256: 135859db75b3369f59c9eb1d15c4c27cdf63170613dab597dcfe7a25dc01cf71
SHA512: c5431e4e5a24a7eda322263c80e046c5b8914abadacc29b372f430c4ff9aed33e265d3247a29e51f6c38500f3ec404bffdb2ada32be2fd96d1717fe4c14e1765

Filesize: 5.9MB
MD5: edb21be1bf7f1ee1d0352460f4481f0b
SHA1: 150921974ebdaa845e981badd63ec59479f49482
SHA256: f51c6c6d22182a2bf48e7b2b5658529c9b8c6337845211fdb76dbca406248464
SHA512: 07c6ee08850625bb5a386ad96b957bad965afbc2db42c8b5d36b2f1d475b128f4dea146256b9b604be13ecebac5927f3eef4861db0f04093bff6bb18939e2d7b

Filesize: 5.9MB
MD5: 15a413bebf58d741055a8c306535c495
SHA1: 8dbab51f3a92d7689ed530877b8c00f8e0f017ee
SHA256: 7547b94f31f1c8f7b7d89b1bdd1b0f7102daf8fec8641365bc7b29452e970fe0
SHA512: b2c2659451258e443ca4aa2a66badf1023a98ee0b508b9bfc7ea678c9ed62aad941dd788317987fdb667096bbb3c6882d2796538c08d91d474fefbd5db35447d

Filesize: 5.9MB
MD5: 22b12108c4a830cd626ceaba394b1f5f
SHA1: ef1d832e31df2c361d64e72f7bfb14f6c2991d29
SHA256: 0cf7031ada24e0a41e535542d8d70005fd2a8a45f038e4af667a6c0aab06094d
SHA512: ee681199436bc65e54cffd8fb3fb98fccedf00d8f10ed0cb060987bbd50a8a12f388afcae84e29f2ba7152d59814183db8c97949486871ef8461930ef0c76107

Filesize: 5.9MB
MD5: 549e892470818e57ab0e12719670a725
SHA1: 493e2f0e844074a3eeb9726c8a8643f524b3fe2e
SHA256: eb212707f5a10dbbd6707e6f80b8acbe0ae194ba84b4e8249069e18bc1fc1f03
SHA512: 114de65414b6444512cef3532d1258cdffaa2feff589a64f2537f393a85fd9207d1a9e8f12d9f8ab0921ea8b6c4c01ee8ec602be3bdf2b866f800f3c28d07387

Filesize: 5.9MB
MD5: 4ede4da8197fd27e24246c0adccb07ec
SHA1: 18a3cb9f106867470b581f285106978201a4d2b8
SHA256: 49834b8c0e5c6c453cc0a0dc2f37983302add7cbe508dd7ada66358a259b0b49
SHA512: 9c90452299a71fccb3dad1d389af35b0ab98ba7d7c11e2a42c11c231118c103a282a933dd28c281d2dec9abddfc196a13984ec3ce3daba4d77091a0d900005c1

Filesize: 5.9MB
MD5: 41a944b13591ebe3f209aa9a41d72e8e
SHA1: 6d78031012b80fc903c87658234f61cbf08313f4
SHA256: c6136b46cb85c76fbe30116bfca0fbba2431c3723ebec1b513435942d789d599
SHA512: b1cd8dd159c8f9982dbba0316dcff2eea1ce8f7a7dc14dd9f154e38e18095fd48fee321eea2ff23cf43ba3ddf336516b68bc063ebcd086a05e36cc2fb878db46

Filesize: 5.9MB
MD5: 68c75531fc2c5cf8084d48f645d0f595
SHA1: 372da3dca77b89c987df78f4b2909fac7956af9f
SHA256: b12938c287c61b1bb1d8109e4ac8e0f139e5b8b5958c6f452f2e8b26c7a806e2
SHA512: 25c79ed001c474374aa4856c13e6a86d24e98076aa343915ef78e90b33c9fd7549b3aaff74884ac42ebd3c1e65298edeb33ec615a5931147b1d8d99b7723bc22

Filesize: 5.9MB
MD5: 42d67ea7811b295fa1f8babfb7879e46
SHA1: c95ac10f6b9f10307bcce9f7e2107af7e81c344e
SHA256: 3ca6f28cc45d47ae55b33e036b24e962d3037b3afc7297a4744f5d2e7a7afe7b
SHA512: a97423f962e048bcf7e0ef27803681e684c2d99d9136800249877f24ff537dae0ce590bb5ab40c11310e7f8385be233bc1d0a5a11fcd338003b9d0295121421b

Filesize: 5.9MB
MD5: b21147e24d8a00a3cf72c565a144e5f7
SHA1: 2dd3b5ed807a711d80cc1376e189e5fbf00cf306
SHA256: 064742ce6c4342e35d8a87f3bcfca0d201204577611aeae85f553887e45455fc
SHA512: 16cff2b86c8970edb48c707e70f6b17bc8fc7cf1f9349d24ee69302cdd1c040268d9769b625a009936535e3b8f5f4074dca9a42e167b26437ec15f9ce6a600c5

Filesize: 5.9MB
MD5: 2ac655b92eac2074bdd4d94b7938545f
SHA1: 8cdf4e82340afbbde3bcbb2d0b2ed8cbb78ab060
SHA256: 05417e8bb644b785902b566524644e8a0e2db10de49edd822844430c41de80fa
SHA512: a0ffc4b8e30a2df43e8955c48154afac4b4551c6e48faeb479fce3e5b71730888e78c385f3c0753e73c1e1c114b36160c92d599dcd9b10070adf8bb1330a8835

Filesize: 5.9MB
MD5: 8a22a6c8842f9b966ad772267c691050
SHA1: ec689494854f5bcaea75796480200a4d6680f852
SHA256: c0710a66eb9229a42655cd09602e32ca0219d6a57acff9e3df4140b47043054c
SHA512: 88bbce5aedf5f9ae718ae9f35aa90ca15b0d70a699aa1a1e3c9fd85a3052887f5114aeed0216326b98ad4c5e8a3bba96bbc5278407e23a953928756209be5d6d

Filesize: 5.9MB
MD5: d3c691aa4ebce050e2ccb8c480a066e7
SHA1: df41a547243070af2c8020dbcfda2c9f1f54ca67
SHA256: 91d92d370bfd3da00675dc86c4a0917f25a9200599c912d10f60f1bcd7694660
SHA512: 2737ce0fda2c05937abe39e15b527a09a4cbd29c5091632ec56d969a93660564d3361d7ad7d6a90489ed829da05a1b7412ced71c5c3e0714a4261c29f42028f4

Filesize: 5.9MB
MD5: 341cf39c3a2e202c74e41ee28c5fca7f
SHA1: 3525fe1c15fa8ac025f1edeaa91392c499e037b3
SHA256: b761e7e7e24ccc75a6796c555ee50f2153bea89bcb29f32c7d5a5040ae423c6d
SHA512: f587dbed29b6bb07dc81d65328b56b8ecdec30237f5d6a2f8209bf0984cff3550cafe19d3a40d3e924c0bb80910f01294fbdfb30582d51657e7ee246297438c9

Filesize: 5.9MB
MD5: 10cf0e24509c74412c7876eb32c8d25f
SHA1: 847b5a2dfa0d2c6efbb371da7a2cb592e83e6695
SHA256: 7e9df8a5357b8a30509f7e3eccbc092e722c7333b23f365b0a318ff583ec0aee
SHA512: 73ef9dc11cbb36ba28ecd328691a9cec66c02b47c042becc1ae7282e260ad149e345ee22299b787619eb4bbd60c51bf552e3c33978e8a86a30b3992881c8d428

Filesize: 5.9MB
MD5: 0d73daabe81b81a850bca2690b95fc93
SHA1: 86fcd89df5d31aec41117758515d83982ec3fec6
SHA256: 878e18b24c69e7d9386b71185ffe0b353f633e9896b29376cfb2aa82898a4a8d
SHA512: 0c7710a2e45eae7b288c67fc0a2f2e47be5c351950f436d08a638e38bdb2ebef222bb4fef6d281fdfd5fd4447f114f189681522f89b1d4d63df87c5ab4b74486

Filesize: 5.9MB
MD5: bb0e966335dd46f617690d96eb8fc923
SHA1: ae4c806f3c63c6c3f1ba3b5986b77a0e3d186a0a
SHA256: 1108f787a71afc3e504e2195ee0032ba9f438350ce4e3440b1b9afc155b35c91
SHA512: 6084d14ca9cdcf4f7cd82fea9ae3d941b826eed64b8d1d52b8406688e3171f3efc737cd1729ffe90e1bb110e4c0174c4bd250d5c8c3c51b09d1c224ec8aaa89a

Filesize: 5.9MB
MD5: 357b3d8f3cf209d53dba92912e3ed133
SHA1: 4d42fa7a5662a3322e70a3ac64e27f50809c4e3a
SHA256: db80966613b1fd3822a8b8e8e8986b1bd4670763ab9b9fcf0f476352336237c2
SHA512: bbfb41420d2724c1deeec81bc7ef9180ef70723c5f1e3518ab2aeaebd9ce3a20ae6536fbfc8bce6f4d4562078e00c8e0085ccaabd2a3edd1a5bd093927c5f48a