Analysis
-
max time kernel
141s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted
07-08-2024 22:44
Behavioral task
behavioral1
Sample
2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe
Resource
win7-20240705-en
General
-
Target
2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe
-
Size
5.2MB
-
MD5
b00c27e66bc18dc83015ee120e75f4d5
-
SHA1
0ab9f6916e5675dd55f7fbc32417ff40c21e9a43
-
SHA256
e7b597e2f3f9af63796e37df453192b6f6ff4635f6dff807b200fd62319839c3
-
SHA512
8cac0e31e89ada4041e49ea06b963565953572b52bc75cb07aafabcc533a70ce90cef8b9f3e00a1c4905d32b08776bbeda0cc4cdfc630d082b0ad70c4beb902c
-
SSDEEP
49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l1:RWWBibf56utgpPFotBER/mQ32lUh
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
-
access_type
512
-
beacon_type
256
-
create_remote_thread
768
-
crypto_scheme
256
-
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
-
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
-
http_method1
GET
-
http_method2
POST
-
maxdns
255
-
pipe_name
\\%s\pipe\msagent_%x
-
polling_time
5000
-
port_number
443
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/N4215/adj/amzn.us.sr.aps
-
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
-
watermark
0
Signatures
-
Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
resource | yara_rule
behavioral2/files/0x0009000000023485-5.dat | cobalt_reflective_dll
behavioral2/files/0x00070000000234e9-9.dat | cobalt_reflective_dll
behavioral2/files/0x00080000000234e8-17.dat | cobalt_reflective_dll
behavioral2/files/0x00070000000234ea-22.dat | cobalt_reflective_dll
behavioral2/files/0x00070000000234ec-33.dat | cobalt_reflective_dll
behavioral2/files/0x00070000000234ed-38.dat | cobalt_reflective_dll
behavioral2/files/0x00070000000234ee-44.dat | cobalt_reflective_dll
behavioral2/files/0x00070000000234eb-53.dat | cobalt_reflective_dll
behavioral2/files/0x00070000000234ef-48.dat | cobalt_reflective_dll
behavioral2/files/0x00070000000234f1-58.dat | cobalt_reflective_dll
behavioral2/files/0x00070000000234f0-55.dat | cobalt_reflective_dll
behavioral2/files/0x00070000000234f5-79.dat | cobalt_reflective_dll
behavioral2/files/0x00070000000234f4-78.dat | cobalt_reflective_dll
behavioral2/files/0x00070000000234f7-86.dat | cobalt_reflective_dll
behavioral2/files/0x00080000000234e6-117.dat | cobalt_reflective_dll
behavioral2/files/0x00070000000234fa-126.dat | cobalt_reflective_dll
behavioral2/files/0x00070000000234f6-122.dat | cobalt_reflective_dll
behavioral2/files/0x00070000000234f9-120.dat | cobalt_reflective_dll
behavioral2/files/0x00070000000234f8-119.dat | cobalt_reflective_dll
behavioral2/files/0x00070000000234f3-84.dat | cobalt_reflective_dll
behavioral2/files/0x00070000000234f2-75.dat | cobalt_reflective_dll
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
XMRig Miner payload 45 IoCs
resource | yara_rule
behavioral2/memory/5096-28-0x00007FF726370000-0x00007FF7266C1000-memory.dmp | xmrig
behavioral2/memory/2568-11-0x00007FF7921B0000-0x00007FF792501000-memory.dmp | xmrig
behavioral2/memory/1472-60-0x00007FF6908F0000-0x00007FF690C41000-memory.dmp | xmrig
behavioral2/memory/640-71-0x00007FF63AF60000-0x00007FF63B2B1000-memory.dmp | xmrig
behavioral2/memory/4400-104-0x00007FF684170000-0x00007FF6844C1000-memory.dmp | xmrig
behavioral2/memory/1584-108-0x00007FF711FA0000-0x00007FF7122F1000-memory.dmp | xmrig
behavioral2/memory/4148-110-0x00007FF791520000-0x00007FF791871000-memory.dmp | xmrig
behavioral2/memory/2380-111-0x00007FF7DBA40000-0x00007FF7DBD91000-memory.dmp | xmrig
behavioral2/memory/3964-109-0x00007FF63F2C0000-0x00007FF63F611000-memory.dmp | xmrig
behavioral2/memory/4540-103-0x00007FF73ACD0000-0x00007FF73B021000-memory.dmp | xmrig
behavioral2/memory/1620-92-0x00007FF73D4F0000-0x00007FF73D841000-memory.dmp | xmrig
behavioral2/memory/4308-68-0x00007FF62C8A0000-0x00007FF62CBF1000-memory.dmp | xmrig
behavioral2/memory/3608-130-0x00007FF6A4CA0000-0x00007FF6A4FF1000-memory.dmp | xmrig
behavioral2/memory/2760-133-0x00007FF736790000-0x00007FF736AE1000-memory.dmp | xmrig
behavioral2/memory/4688-144-0x00007FF766090000-0x00007FF7663E1000-memory.dmp | xmrig
behavioral2/memory/4844-131-0x00007FF7D9400000-0x00007FF7D9751000-memory.dmp | xmrig
behavioral2/memory/2772-128-0x00007FF78FE50000-0x00007FF7901A1000-memory.dmp | xmrig
behavioral2/memory/3584-148-0x00007FF705260000-0x00007FF7055B1000-memory.dmp | xmrig
behavioral2/memory/4552-147-0x00007FF79D5F0000-0x00007FF79D941000-memory.dmp | xmrig
behavioral2/memory/2780-149-0x00007FF72AFF0000-0x00007FF72B341000-memory.dmp | xmrig
behavioral2/memory/4044-146-0x00007FF6BFC30000-0x00007FF6BFF81000-memory.dmp | xmrig
behavioral2/memory/4016-145-0x00007FF793740000-0x00007FF793A91000-memory.dmp | xmrig
behavioral2/memory/2772-150-0x00007FF78FE50000-0x00007FF7901A1000-memory.dmp | xmrig
behavioral2/memory/2772-151-0x00007FF78FE50000-0x00007FF7901A1000-memory.dmp | xmrig
behavioral2/memory/2568-196-0x00007FF7921B0000-0x00007FF792501000-memory.dmp | xmrig
behavioral2/memory/3608-198-0x00007FF6A4CA0000-0x00007FF6A4FF1000-memory.dmp | xmrig
behavioral2/memory/4844-200-0x00007FF7D9400000-0x00007FF7D9751000-memory.dmp | xmrig
behavioral2/memory/5096-202-0x00007FF726370000-0x00007FF7266C1000-memory.dmp | xmrig
behavioral2/memory/1472-204-0x00007FF6908F0000-0x00007FF690C41000-memory.dmp | xmrig
behavioral2/memory/4308-206-0x00007FF62C8A0000-0x00007FF62CBF1000-memory.dmp | xmrig
behavioral2/memory/640-208-0x00007FF63AF60000-0x00007FF63B2B1000-memory.dmp | xmrig
behavioral2/memory/1584-210-0x00007FF711FA0000-0x00007FF7122F1000-memory.dmp | xmrig
behavioral2/memory/2760-212-0x00007FF736790000-0x00007FF736AE1000-memory.dmp | xmrig
behavioral2/memory/1620-214-0x00007FF73D4F0000-0x00007FF73D841000-memory.dmp | xmrig
behavioral2/memory/4540-228-0x00007FF73ACD0000-0x00007FF73B021000-memory.dmp | xmrig
behavioral2/memory/3964-230-0x00007FF63F2C0000-0x00007FF63F611000-memory.dmp | xmrig
behavioral2/memory/2380-234-0x00007FF7DBA40000-0x00007FF7DBD91000-memory.dmp | xmrig
behavioral2/memory/4400-236-0x00007FF684170000-0x00007FF6844C1000-memory.dmp | xmrig
behavioral2/memory/4148-232-0x00007FF791520000-0x00007FF791871000-memory.dmp | xmrig
behavioral2/memory/4016-238-0x00007FF793740000-0x00007FF793A91000-memory.dmp | xmrig
behavioral2/memory/4688-243-0x00007FF766090000-0x00007FF7663E1000-memory.dmp | xmrig
behavioral2/memory/4552-246-0x00007FF79D5F0000-0x00007FF79D941000-memory.dmp | xmrig
behavioral2/memory/2780-248-0x00007FF72AFF0000-0x00007FF72B341000-memory.dmp | xmrig
behavioral2/memory/3584-245-0x00007FF705260000-0x00007FF7055B1000-memory.dmp | xmrig
behavioral2/memory/4044-240-0x00007FF6BFC30000-0x00007FF6BFF81000-memory.dmp | xmrig
-
Executes dropped EXE 21 IoCs
pid | Process
2568 | PywkeKF.exe
3608 | qQJElLd.exe
4844 | mHfKjkC.exe
5096 | mtUtkAv.exe
2760 | wHpNzGK.exe
1472 | bQXaJAE.exe
4308 | NGGpmso.exe
1584 | uNXvmhV.exe
640 | JexgdGT.exe
1620 | BBqROin.exe
3964 | CvyTDZw.exe
4148 | FEyFqpO.exe
4540 | VqldaTQ.exe
2380 | NkjbIxm.exe
4400 | TAmSMpo.exe
4016 | TVfibMi.exe
4688 | rpBhAZo.exe
4044 | csDXYsA.exe
4552 | vovrmFi.exe
3584 | DKbgiPv.exe
2780 | PTkylCb.exe
-
resource | yara_rule
behavioral2/memory/2772-0-0x00007FF78FE50000-0x00007FF7901A1000-memory.dmp | upx
behavioral2/files/0x0009000000023485-5.dat | upx
behavioral2/files/0x00070000000234e9-9.dat | upx
behavioral2/memory/3608-13-0x00007FF6A4CA0000-0x00007FF6A4FF1000-memory.dmp | upx
behavioral2/files/0x00080000000234e8-17.dat | upx
behavioral2/files/0x00070000000234ea-22.dat | upx
behavioral2/files/0x00070000000234ec-33.dat | upx
behavioral2/files/0x00070000000234ed-38.dat | upx
behavioral2/files/0x00070000000234ee-44.dat | upx
behavioral2/files/0x00070000000234eb-53.dat | upx
behavioral2/memory/2760-49-0x00007FF736790000-0x00007FF736AE1000-memory.dmp | upx
behavioral2/files/0x00070000000234ef-48.dat | upx
behavioral2/memory/5096-28-0x00007FF726370000-0x00007FF7266C1000-memory.dmp | upx
behavioral2/memory/4844-16-0x00007FF7D9400000-0x00007FF7D9751000-memory.dmp | upx
behavioral2/memory/2568-11-0x00007FF7921B0000-0x00007FF792501000-memory.dmp | upx
behavioral2/memory/1472-60-0x00007FF6908F0000-0x00007FF690C41000-memory.dmp | upx
behavioral2/files/0x00070000000234f1-58.dat | upx
behavioral2/files/0x00070000000234f0-55.dat | upx
behavioral2/memory/640-71-0x00007FF63AF60000-0x00007FF63B2B1000-memory.dmp | upx
behavioral2/files/0x00070000000234f5-79.dat | upx
behavioral2/files/0x00070000000234f4-78.dat | upx
behavioral2/files/0x00070000000234f7-86.dat | upx
behavioral2/memory/4400-104-0x00007FF684170000-0x00007FF6844C1000-memory.dmp | upx
behavioral2/memory/4552-106-0x00007FF79D5F0000-0x00007FF79D941000-memory.dmp | upx
behavioral2/memory/1584-108-0x00007FF711FA0000-0x00007FF7122F1000-memory.dmp | upx
behavioral2/memory/4148-110-0x00007FF791520000-0x00007FF791871000-memory.dmp | upx
behavioral2/memory/4016-112-0x00007FF793740000-0x00007FF793A91000-memory.dmp | upx
behavioral2/files/0x00080000000234e6-117.dat | upx
behavioral2/files/0x00070000000234fa-126.dat | upx
behavioral2/memory/2780-125-0x00007FF72AFF0000-0x00007FF72B341000-memory.dmp | upx
behavioral2/files/0x00070000000234f6-122.dat | upx
behavioral2/files/0x00070000000234f9-120.dat | upx
behavioral2/files/0x00070000000234f8-119.dat | upx
behavioral2/memory/4688-113-0x00007FF766090000-0x00007FF7663E1000-memory.dmp | upx
behavioral2/memory/2380-111-0x00007FF7DBA40000-0x00007FF7DBD91000-memory.dmp | upx
behavioral2/memory/3964-109-0x00007FF63F2C0000-0x00007FF63F611000-memory.dmp | upx
behavioral2/memory/3584-107-0x00007FF705260000-0x00007FF7055B1000-memory.dmp | upx
behavioral2/memory/4044-105-0x00007FF6BFC30000-0x00007FF6BFF81000-memory.dmp | upx
behavioral2/memory/4540-103-0x00007FF73ACD0000-0x00007FF73B021000-memory.dmp | upx
behavioral2/memory/1620-92-0x00007FF73D4F0000-0x00007FF73D841000-memory.dmp | upx
behavioral2/files/0x00070000000234f3-84.dat | upx
behavioral2/files/0x00070000000234f2-75.dat | upx
behavioral2/memory/4308-68-0x00007FF62C8A0000-0x00007FF62CBF1000-memory.dmp | upx
behavioral2/memory/3608-130-0x00007FF6A4CA0000-0x00007FF6A4FF1000-memory.dmp | upx
behavioral2/memory/2760-133-0x00007FF736790000-0x00007FF736AE1000-memory.dmp | upx
behavioral2/memory/4688-144-0x00007FF766090000-0x00007FF7663E1000-memory.dmp | upx
behavioral2/memory/4844-131-0x00007FF7D9400000-0x00007FF7D9751000-memory.dmp | upx
behavioral2/memory/2772-128-0x00007FF78FE50000-0x00007FF7901A1000-memory.dmp | upx
behavioral2/memory/3584-148-0x00007FF705260000-0x00007FF7055B1000-memory.dmp | upx
behavioral2/memory/4552-147-0x00007FF79D5F0000-0x00007FF79D941000-memory.dmp | upx
behavioral2/memory/2780-149-0x00007FF72AFF0000-0x00007FF72B341000-memory.dmp | upx
behavioral2/memory/4044-146-0x00007FF6BFC30000-0x00007FF6BFF81000-memory.dmp | upx
behavioral2/memory/4016-145-0x00007FF793740000-0x00007FF793A91000-memory.dmp | upx
behavioral2/memory/2772-150-0x00007FF78FE50000-0x00007FF7901A1000-memory.dmp | upx
behavioral2/memory/2772-151-0x00007FF78FE50000-0x00007FF7901A1000-memory.dmp | upx
behavioral2/memory/2568-196-0x00007FF7921B0000-0x00007FF792501000-memory.dmp | upx
behavioral2/memory/3608-198-0x00007FF6A4CA0000-0x00007FF6A4FF1000-memory.dmp | upx
behavioral2/memory/4844-200-0x00007FF7D9400000-0x00007FF7D9751000-memory.dmp | upx
behavioral2/memory/5096-202-0x00007FF726370000-0x00007FF7266C1000-memory.dmp | upx
behavioral2/memory/1472-204-0x00007FF6908F0000-0x00007FF690C41000-memory.dmp | upx
behavioral2/memory/4308-206-0x00007FF62C8A0000-0x00007FF62CBF1000-memory.dmp | upx
behavioral2/memory/640-208-0x00007FF63AF60000-0x00007FF63B2B1000-memory.dmp | upx
behavioral2/memory/1584-210-0x00007FF711FA0000-0x00007FF7122F1000-memory.dmp | upx
behavioral2/memory/2760-212-0x00007FF736790000-0x00007FF736AE1000-memory.dmp | upx
-
Drops file in Windows directory 21 IoCs
description | ioc | Process
File created | C:\Windows\System\uNXvmhV.exe | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\BBqROin.exe | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\FEyFqpO.exe | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\vovrmFi.exe | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\mtUtkAv.exe | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\wHpNzGK.exe | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\rpBhAZo.exe | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\csDXYsA.exe | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\bQXaJAE.exe | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\NGGpmso.exe | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\mHfKjkC.exe | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\JexgdGT.exe | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\TAmSMpo.exe | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\TVfibMi.exe | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\DKbgiPv.exe | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\PTkylCb.exe | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\PywkeKF.exe | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\qQJElLd.exe | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\NkjbIxm.exe | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\CvyTDZw.exe | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\VqldaTQ.exe | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeLockMemoryPrivilege | 2772 | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege | 2772 | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe
-
Suspicious use of WriteProcessMemory 42 IoCs
description | pid | Process | procid_target
PID 2772 wrote to memory of 2568 | 2772 | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe | 84
PID 2772 wrote to memory of 2568 | 2772 | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe | 84
PID 2772 wrote to memory of 3608 | 2772 | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe | 85
PID 2772 wrote to memory of 3608 | 2772 | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe | 85
PID 2772 wrote to memory of 4844 | 2772 | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe | 86
PID 2772 wrote to memory of 4844 | 2772 | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe | 86
PID 2772 wrote to memory of 5096 | 2772 | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe | 87
PID 2772 wrote to memory of 5096 | 2772 | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe | 87
PID 2772 wrote to memory of 2760 | 2772 | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe | 88
PID 2772 wrote to memory of 2760 | 2772 | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe | 88
PID 2772 wrote to memory of 1472 | 2772 | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe | 89
PID 2772 wrote to memory of 1472 | 2772 | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe | 89
PID 2772 wrote to memory of 4308 | 2772 | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe | 90
PID 2772 wrote to memory of 4308 | 2772 | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe | 90
PID 2772 wrote to memory of 1584 | 2772 | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe | 91
PID 2772 wrote to memory of 1584 | 2772 | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe | 91
PID 2772 wrote to memory of 640 | 2772 | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe | 92
PID 2772 wrote to memory of 640 | 2772 | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe | 92
PID 2772 wrote to memory of 1620 | 2772 | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe | 93
PID 2772 wrote to memory of 1620 | 2772 | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe | 93
PID 2772 wrote to memory of 3964 | 2772 | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe | 94
PID 2772 wrote to memory of 3964 | 2772 | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe | 94
PID 2772 wrote to memory of 4148 | 2772 | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe | 95
PID 2772 wrote to memory of 4148 | 2772 | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe | 95
PID 2772 wrote to memory of 4540 | 2772 | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe | 96
PID 2772 wrote to memory of 4540 | 2772 | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe | 96
PID 2772 wrote to memory of 2380 | 2772 | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe | 97
PID 2772 wrote to memory of 2380 | 2772 | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe | 97
PID 2772 wrote to memory of 4400 | 2772 | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe | 98
PID 2772 wrote to memory of 4400 | 2772 | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe | 98
PID 2772 wrote to memory of 4688 | 2772 | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe | 99
PID 2772 wrote to memory of 4688 | 2772 | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe | 99
PID 2772 wrote to memory of 4016 | 2772 | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe | 100
PID 2772 wrote to memory of 4016 | 2772 | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe | 100
PID 2772 wrote to memory of 4044 | 2772 | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe | 101
PID 2772 wrote to memory of 4044 | 2772 | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe | 101
PID 2772 wrote to memory of 4552 | 2772 | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe | 102
PID 2772 wrote to memory of 4552 | 2772 | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe | 102
PID 2772 wrote to memory of 3584 | 2772 | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe | 103
PID 2772 wrote to memory of 3584 | 2772 | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe | 103
PID 2772 wrote to memory of 2780 | 2772 | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe | 104
PID 2772 wrote to memory of 2780 | 2772 | 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe | 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe" (level 1)
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\System\PywkeKF.exe
C:\Windows\System\PywkeKF.exe (level 2)
- Executes dropped EXE
PID:2568
-
-
C:\Windows\System\qQJElLd.exe
C:\Windows\System\qQJElLd.exe (level 2)
- Executes dropped EXE
PID:3608
-
-
C:\Windows\System\mHfKjkC.exe
C:\Windows\System\mHfKjkC.exe (level 2)
- Executes dropped EXE
PID:4844
-
-
C:\Windows\System\mtUtkAv.exe
C:\Windows\System\mtUtkAv.exe (level 2)
- Executes dropped EXE
PID:5096
-
-
C:\Windows\System\wHpNzGK.exe
C:\Windows\System\wHpNzGK.exe (level 2)
- Executes dropped EXE
PID:2760
-
-
C:\Windows\System\bQXaJAE.exe
C:\Windows\System\bQXaJAE.exe (level 2)
- Executes dropped EXE
PID:1472
-
-
C:\Windows\System\NGGpmso.exe
C:\Windows\System\NGGpmso.exe (level 2)
- Executes dropped EXE
PID:4308
-
-
C:\Windows\System\uNXvmhV.exe
C:\Windows\System\uNXvmhV.exe (level 2)
- Executes dropped EXE
PID:1584
-
-
C:\Windows\System\JexgdGT.exe
C:\Windows\System\JexgdGT.exe (level 2)
- Executes dropped EXE
PID:640
-
-
C:\Windows\System\BBqROin.exe
C:\Windows\System\BBqROin.exe (level 2)
- Executes dropped EXE
PID:1620
-
-
C:\Windows\System\CvyTDZw.exe
C:\Windows\System\CvyTDZw.exe (level 2)
- Executes dropped EXE
PID:3964
-
-
C:\Windows\System\FEyFqpO.exe
C:\Windows\System\FEyFqpO.exe (level 2)
- Executes dropped EXE
PID:4148
-
-
C:\Windows\System\VqldaTQ.exe
C:\Windows\System\VqldaTQ.exe (level 2)
- Executes dropped EXE
PID:4540
-
-
C:\Windows\System\NkjbIxm.exe
C:\Windows\System\NkjbIxm.exe (level 2)
- Executes dropped EXE
PID:2380
-
-
C:\Windows\System\TAmSMpo.exe
C:\Windows\System\TAmSMpo.exe (level 2)
- Executes dropped EXE
PID:4400
-
-
C:\Windows\System\rpBhAZo.exe
C:\Windows\System\rpBhAZo.exe (level 2)
- Executes dropped EXE
PID:4688
-
-
C:\Windows\System\TVfibMi.exe
C:\Windows\System\TVfibMi.exe (level 2)
- Executes dropped EXE
PID:4016
-
-
C:\Windows\System\csDXYsA.exe
C:\Windows\System\csDXYsA.exe (level 2)
- Executes dropped EXE
PID:4044
-
-
C:\Windows\System\vovrmFi.exe
C:\Windows\System\vovrmFi.exe (level 2)
- Executes dropped EXE
PID:4552
-
-
C:\Windows\System\DKbgiPv.exe
C:\Windows\System\DKbgiPv.exe (level 2)
- Executes dropped EXE
PID:3584
-
-
C:\Windows\System\PTkylCb.exe
C:\Windows\System\PTkylCb.exe (level 2)
- Executes dropped EXE
PID:2780
-
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize
5.2MB
MD5
3448327b47470edc9c7d6017dffc27f1
SHA1
86fc91ce26c95574654204fb3555d3399a7e4358
SHA256
e5c7b39ae7657058bf148af36cbee960c3a13552426e7ccbdcd504e32d0f5fd6
SHA512
af60c8348cec628caf7f4b65632e449658a5beb1a3bfc118df2ffa35964d825552835a16912544826881b7eb1299d3f520b8266d80c3641ec9840ef4d82fb35d
-
Filesize
5.2MB
MD5
ee07c5d0cc50153572b5d61e6696f527
SHA1
a4d03879ab002bd5c18f974354ff23c7fb004172
SHA256
0cd42ccf224ba49cda56cf74b9b2afc12c12417c569a62f2a405029f9437e226
SHA512
b9b99bdd174c5545f35184cf386a8ea5700ef2c384b220c7e53f4c7917a8510f6d79c222759da0470dc17d4f24e69e5fabf936f7880d2a3e1a95ab8f2d4216cd
-
Filesize
5.2MB
MD5
45605b672574c3be59ecc00d3f92cd78
SHA1
f1ce093603798c59830adede009ca05d5c9eef0c
SHA256
b40b1547af3d8d76b4892008ef2281f21c589497a3468c29a9ddd48cfab9f666
SHA512
bb50b5d2922c703db25cad11777d7406d0188a11ba353e1c24369aba4edb08c4e7eb9d6022427f0454acf17a9d0d9df8e7c3eedd0a30234d4ff88bdb44fe8335
-
Filesize
5.2MB
MD5
0f5a6d3c51427c2b7b70e6600fc3d9b9
SHA1
32115465d41503cba40809d707df5baf4fb00b2e
SHA256
ac281f23007115181d5054a36bef2efd0bc72e56ae85a3de12d0febf7ec1ee5d
SHA512
b7b1d0f0b0def9c6cb4a2b0a69a76d0bdbd13528a89386040a7926320cc2800fa8143cb74a09042839cff4601b3456847f1e91351e76ef9083829a2831c4945f
-
Filesize
5.2MB
MD5
65d1aa973c0da8e492c1ee7db226005a
SHA1
189e1e4f8be59f4f4773226235c9f4f957d58c8a
SHA256
10a7e9c94cb23896212acfb04e4a5c009650db74366a1d543519b722ef3b5a42
SHA512
ce5c0f4644e3684fd433827e38146dcfebe33d08c311a1c04d8235a7fc50d8885c17e59665bddaea1ced15365a50cc4efdeae470d1116df178efe772efb3ecb1
-
Filesize
5.2MB
MD5
7346ced0479497a7a107b52cb6845f7b
SHA1
57f14df2387ae66602c99f2ea573c05823c8a1ec
SHA256
be8f3ed90e0029164d324e7b4d5ea4b9a06d1783585224232210010b89273ac0
SHA512
8fd82575c7bcfaf0d8c71c04ed15966da79e5f37fa45e418bd2c00eb6f37214b73f64bf390d7ec2d0ffb5e37c156227017ee3c57fe11eb208f76a0df4a72f017
-
Filesize
5.2MB
MD5
7338d41d663562f7909195352a98e475
SHA1
477e7649f831f3cec6854908e27662df85bc84f2
SHA256
291d7fb4f1f95541bc5540ed5182933bcdd2e4b391da07d47f874b7ed0766dd1
SHA512
5b921b5abf23f784ab32b4a9f1c165c97c23c26f46f5986a9aec958d2c97bcd33538fa36c486b86f9631c4c564558574bfb1fefd0f2ef18892c8e026878ce17e
-
Filesize
5.2MB
MD5
e148aa85ac3ec35d0c543d5010f2b170
SHA1
73dd8927b62c954122db9d6cfa9a1258e1a9743f
SHA256
7537dc7be1bb124e24fa0f2eb95532e9a81b9cd054aec5cf67b0e61d676f620a
SHA512
72bc93cbae37b7364a93ccea107d5014e6efd8de319d7c96454b81e3b84ecac500c9afa024643a4d759fe2ae73c0b21a60a8b5a076560e684974f7462512d75e
-
Filesize
5.2MB
MD5
6b72b504f71c15d354c845d6f2122e0c
SHA1
eedf720714cb39dfddd2a49da0e0786059f035db
SHA256
ba939f3ec5bb59423de7b232035e58de58816205031a0872e0c732440d2a02db
SHA512
6eb676695c887ad2056c23c53a5a9a48605b3b5c2b8d3730615010f16f47c2b5e23a5e8f69efac3b238f17e43e8993b585d38c877e8367d8913c9cfce95f590b
-
Filesize
5.2MB
MD5
0686d0bbe59af3e28e81c44c3de80ccc
SHA1
666530a047d4ab89e1b110feeab08eab754ac7f1
SHA256
f75d1ad6f974d8287fbeee4d6d7d5a50b4970aaccc300e191639c167c61e27e1
SHA512
ea98cf313e03db1ee4230d85a721b28d2c6696aad17c03f53e0015631baff0b9d193839d9a2226e390123caaddf229bd26b170db3db1576b38fb56a0fc47492f
-
Filesize
5.2MB
MD5
57f2ad5d71a5a3de4a2b07e8bc50cd18
SHA1
2caf349350c57167b66b8355271ab74438ce16e0
SHA256
51cfb8d8283c909aedbab2627195d4f438819c2abf4af0aca415f61eca2eaa36
SHA512
2f32d3aa85a4f4e3a7d8d619e625f64df975ebcd0a229bbafdd9d2c70432666943803388c73c8f465f1509c0822adbf51cae107533d4da1783f78d49af5fcba1
-
Filesize
5.2MB
MD5
46aaf48d5d11e26e440ed786c311f5cf
SHA1
c305b65b0d26b99f39ae44e37b9b83843338c5c2
SHA256
3d3423cf7b8e162b5bda2386d6970018d7e1e3ebfdf1d5fe636cec2e09e1dbc0
SHA512
3c1aa73851389796e19891943845e5741a4d3c7a3cbd5623f14f5ddb232fb4e213e42b48ee8c3744ec1e1b1bc27eac866a8c43c1ade9cf9eb2bf7857050b4ae2
-
Filesize
5.2MB
MD5
1cefa2f1b8d2f271cd0e3eaa361bf1b3
SHA1
b99811310dba9f90bbf9ee81efc9f5e4be7c08aa
SHA256
f5c140e25540e60fd8383b89552378387f2b3004ef5eefb8e358c016bd479b30
SHA512
5547fd42d11169fc49007ff37ba8650a5fe1a373c1894865af74b8b4e5688bd4295d5722f5e9a90e08f1cc5b7d30cc508c0791bef935984249f63208596647a3
-
Filesize
5.2MB
MD5
52e83168137301672caf0e73a5829c0e
SHA1
e3f6a5dd04c4b5b8d8a871fe08273fc683f738b2
SHA256
2b58128fc553499f80a8c42068de13780f19f251fce59b49b3b43ea7b84e21e4
SHA512
b3c6fe6c978714c8e1e90369852056702c681b9d1c3b31608ed7f3698217eefb0e7327763b71960cc74b54736f8bcbd4f40ac19473d4e196a96730f1564ce7e2
-
Filesize
5.2MB
MD5
1b06510e3ae1cdaeae3b6f88f7cb998d
SHA1
7a505681b569a5ab997eab41eb6956f28f87cf25
SHA256
dc676628c15ed520f8824824a33ef8eec5c14d6f040cc0f544de05b6ebcacaf4
SHA512
9915870f623ae7b94d1e4f6896258330babd395f26bb653ef52cd2f3a3ab941a5335a86cc11f1c0d9ea8c34953ea323988246576cb3982591fd2513f3c7264ca
-
Filesize
5.2MB
MD5
d7d903027a756803a493254535c5ad80
SHA1
2efbae273c25dc730d2f23e068b93e2096654b62
SHA256
272adadd94245af8243f2533853fb0b2b5f0cd0934ce023d3bdccbaad31c8897
SHA512
8ea444aee488bd2ec8092abeb233ed018c8e4cc01da4bba0c12fa54888f0ed98f2fbc65243899316c3bc1c16e525071b469cff2385b0a4ba72fe6a352a91fa28
-
Filesize
5.2MB
MD5
8034cf26d5f7e15d35db81d88f2e766a
SHA1
bf6391f7f42d42659f0ceb41b4cdf89bdc2605cc
SHA256
befe586438cf0571b77ae94d900c430ef07559a409dd20dd8baa324e052a50ea
SHA512
892e7bcac5177a7688e08d8524f0eb3928796fe5bc1e3e0f60da35756d3cd7587c5c118bae0007672cd12ef83b038f5fade7f758d22661b2bbb943472ad82c8f
-
Filesize
5.2MB
MD5
325284a047f63f563f9348c52917c115
SHA1
7ad0b4d0d03a380bfba3e9b9c5d94dcfde31b4f3
SHA256
6212b8b895abf7bbc5897ce3252dd9892ccd96bcd964d94f17dce6b5caae4eb4
SHA512
c5a5ef92faa33c3c63757d29f1f56ced87234fa17ba7abf3c023da5a4bf116dfd180c01ecba531ca4db206e658dce0664284190dcd4bbff7f4255e04d58fd4a2
-
Filesize
5.2MB
MD5
de25170e1fddcb630273f6256bc5fba6
SHA1
63b43aaec1160decb1ff59545e9f97d63cf9fb59
SHA256
55a8389912715e1de1c021589dd6dfb80c798cf1f0010b3e8b1b234ed5f74ba8
SHA512
cd557cf52986bca82632d4f54aacceeafe56e3a952f6794abc56ba539ad840e70a86d26253a30aee8d65c987fbee878ddde850474f0d640815b1bbe3ddfd0275
-
Filesize
5.2MB
MD5
0abfa0fd58fa989ff6b33d519007201a
SHA1
75c4165c2ea30871934d14f35656d62b152c672e
SHA256
a8bc53c8079b83feaa7f47e9a2b40a86ed41e3eeb8b41aa2601f9360f5e65c79
SHA512
f8168fc439a6a74eea996e8a029e67f6c68f7f60af5a8e0196500c5b983daa3257b86246b0747feed0f94f8128195fbe51ab9128d0b12b10e0ccf4c51b5e19bb
-
Filesize
5.2MB
MD5
fb2eb9cb20fe008544dc43b582caa1ae
SHA1
d450d6a4c2092a1b222563e862f506d82ba64150
SHA256
8182f0158b1dad29645e701a890304ff9f547394d6ec6eeb62c903fb73365cb2
SHA512
82a931ccc4f5be8aec1a14b9cb9a25bf4df46245211797e117ae3e52832d1d89f876c4a949c0b6e4d4c731fef783645d7160e8acc8f0c53c497a9cee86cf3ed8