Analysis
- max time kernel: 140s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-08-2024 19:28

Behavioral task: behavioral1
- Sample: 2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe
- Resource: win7-20240704-en
General
- Target: 2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe
- Size: 5.9MB
- MD5: 87d95ffb654b96c7cbd7964e84413876
- SHA1: 21d16953f71d20407183c381ad69ab360dc93feb
- SHA256: 8fc94c3007b1d914b5869e67db6211367e0b69c1c4ee1953ebb95fd6fd0491d3
- SHA512: 32d368120e91ffb59eb34a37e303aadd304457a481fba88ed1f2fde97f789ed1d8776a88460028250c592f2f252c03d2656d49a6886aed8401c6d080e05b08b7
- SSDEEP: 98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUY:T+856utgpPF8u/7Y
Malware Config
Extracted: cobaltstrike 0
- http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- access_type: 512
- beacon_type: 256
- create_remote_thread: 768
- crypto_scheme: 256
- host: ns7.softline.top, /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books, ns8.softline.top, /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books, ns9.softline.top, /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http_header1:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_header2:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
- http_method1: GET
- http_method2: POST
- maxdns: 255
- pipe_name: \\%s\pipe\msagent_%x
- polling_time: 5000
- port_number: 443
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 4096
- unknown2:
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /N4215/adj/amzn.us.sr.aps
- user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
- watermark: 0
Signatures

Cobalt Strike reflective loader (21 IoCs)
Detects the reflective loader used by Cobalt Strike.
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.

XMRig Miner payload (64 IoCs)
Executes dropped EXE (21 IoCs)
pid   Process
3636  OAgQTXn.exe
3380  tgcITuK.exe
2028  rqxsVRc.exe
1040  DFCGhcl.exe
4396  pIzHjTt.exe
1652  DXPWZrL.exe
556   ZcMZEyp.exe
4260  ovOwjie.exe
116   dXJTRDl.exe
2160  eVpSUPc.exe
1712  GWHaqyG.exe
1612  LCQnuyM.exe
2164  QskeQFP.exe
2584  uXKhIfv.exe
1020  HvHwXCi.exe
1636  wWkiKnw.exe
2852  fWpgprB.exe
2024  oIGfIdb.exe
4292  GelTvQj.exe
2292  oaOBtHB.exe
4500  EXYkgcM.exe
Drops file in Windows directory (21 IoCs)
Process: 2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe
File created (each by the process above):
- C:\Windows\System\QskeQFP.exe
- C:\Windows\System\wWkiKnw.exe
- C:\Windows\System\oaOBtHB.exe
- C:\Windows\System\OAgQTXn.exe
- C:\Windows\System\ZcMZEyp.exe
- C:\Windows\System\ovOwjie.exe
- C:\Windows\System\dXJTRDl.exe
- C:\Windows\System\HvHwXCi.exe
- C:\Windows\System\EXYkgcM.exe
- C:\Windows\System\tgcITuK.exe
- C:\Windows\System\DFCGhcl.exe
- C:\Windows\System\pIzHjTt.exe
- C:\Windows\System\fWpgprB.exe
- C:\Windows\System\GelTvQj.exe
- C:\Windows\System\rqxsVRc.exe
- C:\Windows\System\DXPWZrL.exe
- C:\Windows\System\eVpSUPc.exe
- C:\Windows\System\GWHaqyG.exe
- C:\Windows\System\LCQnuyM.exe
- C:\Windows\System\uXKhIfv.exe
- C:\Windows\System\oIGfIdb.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description                   pid   Process
Token: SeLockMemoryPrivilege  2008  2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege  2008  2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe
Suspicious use of WriteProcessMemory (42 IoCs)
Process: PID 2008, 2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe (every row below is recorded twice in the report)
description                        procid_target
PID 2008 wrote to memory of 3636   84
PID 2008 wrote to memory of 3380   86
PID 2008 wrote to memory of 2028   89
PID 2008 wrote to memory of 1040   90
PID 2008 wrote to memory of 4396   91
PID 2008 wrote to memory of 1652   92
PID 2008 wrote to memory of 556    93
PID 2008 wrote to memory of 4260   94
PID 2008 wrote to memory of 116    95
PID 2008 wrote to memory of 2160   96
PID 2008 wrote to memory of 1712   97
PID 2008 wrote to memory of 1612   98
PID 2008 wrote to memory of 2164   99
PID 2008 wrote to memory of 2584   100
PID 2008 wrote to memory of 1020   101
PID 2008 wrote to memory of 1636   102
PID 2008 wrote to memory of 2852   103
PID 2008 wrote to memory of 2024   104
PID 2008 wrote to memory of 4292   105
PID 2008 wrote to memory of 2292   106
PID 2008 wrote to memory of 4500   107
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe"
  PID: 2008
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Level 2 (children of PID 2008; command line identical to the path; each flagged "Executes dropped EXE"):
  - C:\Windows\System\OAgQTXn.exe  PID:3636
  - C:\Windows\System\tgcITuK.exe  PID:3380
  - C:\Windows\System\rqxsVRc.exe  PID:2028
  - C:\Windows\System\DFCGhcl.exe  PID:1040
  - C:\Windows\System\pIzHjTt.exe  PID:4396
  - C:\Windows\System\DXPWZrL.exe  PID:1652
  - C:\Windows\System\ZcMZEyp.exe  PID:556
  - C:\Windows\System\ovOwjie.exe  PID:4260
  - C:\Windows\System\dXJTRDl.exe  PID:116
  - C:\Windows\System\eVpSUPc.exe  PID:2160
  - C:\Windows\System\GWHaqyG.exe  PID:1712
  - C:\Windows\System\LCQnuyM.exe  PID:1612
  - C:\Windows\System\QskeQFP.exe  PID:2164
  - C:\Windows\System\uXKhIfv.exe  PID:2584
  - C:\Windows\System\HvHwXCi.exe  PID:1020
  - C:\Windows\System\wWkiKnw.exe  PID:1636
  - C:\Windows\System\fWpgprB.exe  PID:2852
  - C:\Windows\System\oIGfIdb.exe  PID:2024
  - C:\Windows\System\GelTvQj.exe  PID:4292
  - C:\Windows\System\oaOBtHB.exe  PID:2292
  - C:\Windows\System\EXYkgcM.exe  PID:4500
Downloads