Analysis
max time kernel: 142s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 07-08-2024 19:30
Behavioral task
behavioral1
Sample
2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe
Resource
win7-20240708-en
General
Target: 2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe
Size: 5.2MB
MD5: bf0575a6f253b0c260097259084b75dc
SHA1: 7be8b7529a988bf1656c8ce78506032f384db44b
SHA256: e9fb559514d55c6bb2ce6b36ccc09456ccf22426ed927529157fe567e49cfc4b
SHA512: d3121434d2faf36140002eadf6da725c4e942d43f8d163e762efa7bf2a18c63372f5200f897b5ff9566aa7a9a8a8b412c5cc0a101b6f4caccb9d62d1e23c947d
SSDEEP: 49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lh:RWWBibf56utgpPFotBER/mQ32lUt
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2:
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
Signatures
Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
resource yara_rule
behavioral2/files/0x00090000000233cc-4.dat cobalt_reflective_dll
behavioral2/files/0x000700000002342d-9.dat cobalt_reflective_dll
behavioral2/files/0x000800000002342c-12.dat cobalt_reflective_dll
behavioral2/files/0x000700000002342e-20.dat cobalt_reflective_dll
behavioral2/files/0x0007000000023431-35.dat cobalt_reflective_dll
behavioral2/files/0x000700000002342f-37.dat cobalt_reflective_dll
behavioral2/files/0x0007000000023432-48.dat cobalt_reflective_dll
behavioral2/files/0x0007000000023430-38.dat cobalt_reflective_dll
behavioral2/files/0x0007000000023433-55.dat cobalt_reflective_dll
behavioral2/files/0x0007000000023434-56.dat cobalt_reflective_dll
behavioral2/files/0x000800000002342a-69.dat cobalt_reflective_dll
behavioral2/files/0x0007000000023437-79.dat cobalt_reflective_dll
behavioral2/files/0x000700000002343c-104.dat cobalt_reflective_dll
behavioral2/files/0x000700000002343d-116.dat cobalt_reflective_dll
behavioral2/files/0x000700000002343e-120.dat cobalt_reflective_dll
behavioral2/files/0x000700000002343b-112.dat cobalt_reflective_dll
behavioral2/files/0x000700000002343a-110.dat cobalt_reflective_dll
behavioral2/files/0x0007000000023438-108.dat cobalt_reflective_dll
behavioral2/files/0x0007000000023439-96.dat cobalt_reflective_dll
behavioral2/files/0x0007000000023436-83.dat cobalt_reflective_dll
behavioral2/files/0x0007000000023435-73.dat cobalt_reflective_dll
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
XMRig Miner payload 45 IoCs
resource yara_rule
behavioral2/memory/2140-18-0x00007FF6E4D20000-0x00007FF6E5071000-memory.dmp xmrig
behavioral2/memory/5100-10-0x00007FF697670000-0x00007FF6979C1000-memory.dmp xmrig
behavioral2/memory/2672-46-0x00007FF738AB0000-0x00007FF738E01000-memory.dmp xmrig
behavioral2/memory/5008-31-0x00007FF676010000-0x00007FF676361000-memory.dmp xmrig
behavioral2/memory/452-30-0x00007FF76ED40000-0x00007FF76F091000-memory.dmp xmrig
behavioral2/memory/3408-84-0x00007FF7963E0000-0x00007FF796731000-memory.dmp xmrig
behavioral2/memory/2540-82-0x00007FF61D0D0000-0x00007FF61D421000-memory.dmp xmrig
behavioral2/memory/3204-76-0x00007FF603930000-0x00007FF603C81000-memory.dmp xmrig
behavioral2/memory/3588-52-0x00007FF69D620000-0x00007FF69D971000-memory.dmp xmrig
behavioral2/memory/2380-123-0x00007FF6A6610000-0x00007FF6A6961000-memory.dmp xmrig
behavioral2/memory/436-124-0x00007FF70A540000-0x00007FF70A891000-memory.dmp xmrig
behavioral2/memory/2524-125-0x00007FF64DC40000-0x00007FF64DF91000-memory.dmp xmrig
behavioral2/memory/3228-126-0x00007FF7B0FB0000-0x00007FF7B1301000-memory.dmp xmrig
behavioral2/memory/3408-127-0x00007FF7963E0000-0x00007FF796731000-memory.dmp xmrig
behavioral2/memory/1932-132-0x00007FF6BF0B0000-0x00007FF6BF401000-memory.dmp xmrig
behavioral2/memory/2024-133-0x00007FF6EFE50000-0x00007FF6F01A1000-memory.dmp xmrig
behavioral2/memory/720-134-0x00007FF600D80000-0x00007FF6010D1000-memory.dmp xmrig
behavioral2/memory/2324-136-0x00007FF6E4650000-0x00007FF6E49A1000-memory.dmp xmrig
behavioral2/memory/4780-138-0x00007FF7BD210000-0x00007FF7BD561000-memory.dmp xmrig
behavioral2/memory/2120-144-0x00007FF7C5C20000-0x00007FF7C5F71000-memory.dmp xmrig
behavioral2/memory/4056-143-0x00007FF6FA200000-0x00007FF6FA551000-memory.dmp xmrig
behavioral2/memory/4980-142-0x00007FF65C220000-0x00007FF65C571000-memory.dmp xmrig
behavioral2/memory/800-139-0x00007FF74ED40000-0x00007FF74F091000-memory.dmp xmrig
behavioral2/memory/3408-151-0x00007FF7963E0000-0x00007FF796731000-memory.dmp xmrig
behavioral2/memory/5100-196-0x00007FF697670000-0x00007FF6979C1000-memory.dmp xmrig
behavioral2/memory/2140-198-0x00007FF6E4D20000-0x00007FF6E5071000-memory.dmp xmrig
behavioral2/memory/452-200-0x00007FF76ED40000-0x00007FF76F091000-memory.dmp xmrig
behavioral2/memory/5008-202-0x00007FF676010000-0x00007FF676361000-memory.dmp xmrig
behavioral2/memory/2672-205-0x00007FF738AB0000-0x00007FF738E01000-memory.dmp xmrig
behavioral2/memory/1932-207-0x00007FF6BF0B0000-0x00007FF6BF401000-memory.dmp xmrig
behavioral2/memory/2324-208-0x00007FF6E4650000-0x00007FF6E49A1000-memory.dmp xmrig
behavioral2/memory/3588-210-0x00007FF69D620000-0x00007FF69D971000-memory.dmp xmrig
behavioral2/memory/800-226-0x00007FF74ED40000-0x00007FF74F091000-memory.dmp xmrig
behavioral2/memory/4780-228-0x00007FF7BD210000-0x00007FF7BD561000-memory.dmp xmrig
behavioral2/memory/2540-232-0x00007FF61D0D0000-0x00007FF61D421000-memory.dmp xmrig
behavioral2/memory/3204-231-0x00007FF603930000-0x00007FF603C81000-memory.dmp xmrig
behavioral2/memory/4056-235-0x00007FF6FA200000-0x00007FF6FA551000-memory.dmp xmrig
behavioral2/memory/4980-238-0x00007FF65C220000-0x00007FF65C571000-memory.dmp xmrig
behavioral2/memory/2024-237-0x00007FF6EFE50000-0x00007FF6F01A1000-memory.dmp xmrig
behavioral2/memory/2120-240-0x00007FF7C5C20000-0x00007FF7C5F71000-memory.dmp xmrig
behavioral2/memory/720-242-0x00007FF600D80000-0x00007FF6010D1000-memory.dmp xmrig
behavioral2/memory/3228-250-0x00007FF7B0FB0000-0x00007FF7B1301000-memory.dmp xmrig
behavioral2/memory/2380-248-0x00007FF6A6610000-0x00007FF6A6961000-memory.dmp xmrig
behavioral2/memory/2524-247-0x00007FF64DC40000-0x00007FF64DF91000-memory.dmp xmrig
behavioral2/memory/436-245-0x00007FF70A540000-0x00007FF70A891000-memory.dmp xmrig
Executes dropped EXE 21 IoCs
pid Process
5100 QIKgowQ.exe
2140 XwrUKnL.exe
452 JitgnOx.exe
5008 JhsCXJn.exe
1932 aNMWkHT.exe
2672 hRLuKzi.exe
2324 HAIVcMV.exe
3588 ZhrdRrR.exe
4780 WWfZEQx.exe
800 CbjcLDv.exe
3204 bgwhKvM.exe
2540 jcPujhd.exe
4980 zQqMQJl.exe
4056 ccEwGue.exe
2120 jFXLITt.exe
2024 haNLeGp.exe
720 MMLmagT.exe
2380 CWqbGgc.exe
436 QzUinEm.exe
2524 DnAsLca.exe
3228 ajelOck.exe
resource yara_rule
behavioral2/memory/3408-0-0x00007FF7963E0000-0x00007FF796731000-memory.dmp upx
behavioral2/files/0x00090000000233cc-4.dat upx
behavioral2/files/0x000700000002342d-9.dat upx
behavioral2/files/0x000800000002342c-12.dat upx
behavioral2/files/0x000700000002342e-20.dat upx
behavioral2/files/0x0007000000023431-35.dat upx
behavioral2/memory/2140-18-0x00007FF6E4D20000-0x00007FF6E5071000-memory.dmp upx
behavioral2/memory/5100-10-0x00007FF697670000-0x00007FF6979C1000-memory.dmp upx
behavioral2/files/0x000700000002342f-37.dat upx
behavioral2/memory/1932-45-0x00007FF6BF0B0000-0x00007FF6BF401000-memory.dmp upx
behavioral2/files/0x0007000000023432-48.dat upx
behavioral2/memory/2672-46-0x00007FF738AB0000-0x00007FF738E01000-memory.dmp upx
behavioral2/memory/2324-36-0x00007FF6E4650000-0x00007FF6E49A1000-memory.dmp upx
behavioral2/files/0x0007000000023430-38.dat upx
behavioral2/memory/5008-31-0x00007FF676010000-0x00007FF676361000-memory.dmp upx
behavioral2/memory/452-30-0x00007FF76ED40000-0x00007FF76F091000-memory.dmp upx
behavioral2/files/0x0007000000023433-55.dat upx
behavioral2/files/0x0007000000023434-56.dat upx
behavioral2/files/0x000800000002342a-69.dat upx
behavioral2/files/0x0007000000023437-79.dat upx
behavioral2/files/0x000700000002343c-104.dat upx
behavioral2/files/0x000700000002343d-116.dat upx
behavioral2/files/0x000700000002343e-120.dat upx
behavioral2/files/0x000700000002343b-112.dat upx
behavioral2/files/0x000700000002343a-110.dat upx
behavioral2/files/0x0007000000023438-108.dat upx
behavioral2/files/0x0007000000023439-96.dat upx
behavioral2/memory/4980-87-0x00007FF65C220000-0x00007FF65C571000-memory.dmp upx
behavioral2/memory/4056-89-0x00007FF6FA200000-0x00007FF6FA551000-memory.dmp upx
behavioral2/memory/3408-84-0x00007FF7963E0000-0x00007FF796731000-memory.dmp upx
behavioral2/files/0x0007000000023436-83.dat upx
behavioral2/memory/2540-82-0x00007FF61D0D0000-0x00007FF61D421000-memory.dmp upx
behavioral2/memory/3204-76-0x00007FF603930000-0x00007FF603C81000-memory.dmp upx
behavioral2/files/0x0007000000023435-73.dat upx
behavioral2/memory/800-62-0x00007FF74ED40000-0x00007FF74F091000-memory.dmp upx
behavioral2/memory/4780-57-0x00007FF7BD210000-0x00007FF7BD561000-memory.dmp upx
behavioral2/memory/3588-52-0x00007FF69D620000-0x00007FF69D971000-memory.dmp upx
behavioral2/memory/2120-122-0x00007FF7C5C20000-0x00007FF7C5F71000-memory.dmp upx
behavioral2/memory/2380-123-0x00007FF6A6610000-0x00007FF6A6961000-memory.dmp upx
behavioral2/memory/436-124-0x00007FF70A540000-0x00007FF70A891000-memory.dmp upx
behavioral2/memory/2524-125-0x00007FF64DC40000-0x00007FF64DF91000-memory.dmp upx
behavioral2/memory/3228-126-0x00007FF7B0FB0000-0x00007FF7B1301000-memory.dmp upx
behavioral2/memory/3408-127-0x00007FF7963E0000-0x00007FF796731000-memory.dmp upx
behavioral2/memory/1932-132-0x00007FF6BF0B0000-0x00007FF6BF401000-memory.dmp upx
behavioral2/memory/2024-133-0x00007FF6EFE50000-0x00007FF6F01A1000-memory.dmp upx
behavioral2/memory/720-134-0x00007FF600D80000-0x00007FF6010D1000-memory.dmp upx
behavioral2/memory/2324-136-0x00007FF6E4650000-0x00007FF6E49A1000-memory.dmp upx
behavioral2/memory/4780-138-0x00007FF7BD210000-0x00007FF7BD561000-memory.dmp upx
behavioral2/memory/2120-144-0x00007FF7C5C20000-0x00007FF7C5F71000-memory.dmp upx
behavioral2/memory/4056-143-0x00007FF6FA200000-0x00007FF6FA551000-memory.dmp upx
behavioral2/memory/4980-142-0x00007FF65C220000-0x00007FF65C571000-memory.dmp upx
behavioral2/memory/800-139-0x00007FF74ED40000-0x00007FF74F091000-memory.dmp upx
behavioral2/memory/3408-151-0x00007FF7963E0000-0x00007FF796731000-memory.dmp upx
behavioral2/memory/5100-196-0x00007FF697670000-0x00007FF6979C1000-memory.dmp upx
behavioral2/memory/2140-198-0x00007FF6E4D20000-0x00007FF6E5071000-memory.dmp upx
behavioral2/memory/452-200-0x00007FF76ED40000-0x00007FF76F091000-memory.dmp upx
behavioral2/memory/5008-202-0x00007FF676010000-0x00007FF676361000-memory.dmp upx
behavioral2/memory/2672-205-0x00007FF738AB0000-0x00007FF738E01000-memory.dmp upx
behavioral2/memory/1932-207-0x00007FF6BF0B0000-0x00007FF6BF401000-memory.dmp upx
behavioral2/memory/2324-208-0x00007FF6E4650000-0x00007FF6E49A1000-memory.dmp upx
behavioral2/memory/3588-210-0x00007FF69D620000-0x00007FF69D971000-memory.dmp upx
behavioral2/memory/800-226-0x00007FF74ED40000-0x00007FF74F091000-memory.dmp upx
behavioral2/memory/4780-228-0x00007FF7BD210000-0x00007FF7BD561000-memory.dmp upx
behavioral2/memory/2540-232-0x00007FF61D0D0000-0x00007FF61D421000-memory.dmp upx
Drops file in Windows directory 21 IoCs
description ioc Process
Process for every entry below: 2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\JitgnOx.exe
File created C:\Windows\System\aNMWkHT.exe
File created C:\Windows\System\ccEwGue.exe
File created C:\Windows\System\CWqbGgc.exe
File created C:\Windows\System\QIKgowQ.exe
File created C:\Windows\System\CbjcLDv.exe
File created C:\Windows\System\zQqMQJl.exe
File created C:\Windows\System\haNLeGp.exe
File created C:\Windows\System\MMLmagT.exe
File created C:\Windows\System\ajelOck.exe
File created C:\Windows\System\HAIVcMV.exe
File created C:\Windows\System\ZhrdRrR.exe
File created C:\Windows\System\WWfZEQx.exe
File created C:\Windows\System\jcPujhd.exe
File created C:\Windows\System\QzUinEm.exe
File created C:\Windows\System\XwrUKnL.exe
File created C:\Windows\System\JhsCXJn.exe
File created C:\Windows\System\hRLuKzi.exe
File created C:\Windows\System\bgwhKvM.exe
File created C:\Windows\System\jFXLITt.exe
File created C:\Windows\System\DnAsLca.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process
Token: SeLockMemoryPrivilege 3408 2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege 3408 2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe
Suspicious use of WriteProcessMemory 42 IoCs
description pid Process procid_target
Process for every entry below: 2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe (pid 3408); each write is recorded twice, as in the original report
PID 3408 wrote to memory of 5100, procid_target 84
PID 3408 wrote to memory of 5100, procid_target 84
PID 3408 wrote to memory of 2140, procid_target 85
PID 3408 wrote to memory of 2140, procid_target 85
PID 3408 wrote to memory of 452, procid_target 86
PID 3408 wrote to memory of 452, procid_target 86
PID 3408 wrote to memory of 5008, procid_target 87
PID 3408 wrote to memory of 5008, procid_target 87
PID 3408 wrote to memory of 1932, procid_target 88
PID 3408 wrote to memory of 1932, procid_target 88
PID 3408 wrote to memory of 2672, procid_target 89
PID 3408 wrote to memory of 2672, procid_target 89
PID 3408 wrote to memory of 2324, procid_target 90
PID 3408 wrote to memory of 2324, procid_target 90
PID 3408 wrote to memory of 3588, procid_target 91
PID 3408 wrote to memory of 3588, procid_target 91
PID 3408 wrote to memory of 4780, procid_target 92
PID 3408 wrote to memory of 4780, procid_target 92
PID 3408 wrote to memory of 800, procid_target 93
PID 3408 wrote to memory of 800, procid_target 93
PID 3408 wrote to memory of 3204, procid_target 94
PID 3408 wrote to memory of 3204, procid_target 94
PID 3408 wrote to memory of 2540, procid_target 95
PID 3408 wrote to memory of 2540, procid_target 95
PID 3408 wrote to memory of 4980, procid_target 96
PID 3408 wrote to memory of 4980, procid_target 96
PID 3408 wrote to memory of 4056, procid_target 97
PID 3408 wrote to memory of 4056, procid_target 97
PID 3408 wrote to memory of 2120, procid_target 98
PID 3408 wrote to memory of 2120, procid_target 98
PID 3408 wrote to memory of 2024, procid_target 99
PID 3408 wrote to memory of 2024, procid_target 99
PID 3408 wrote to memory of 720, procid_target 101
PID 3408 wrote to memory of 720, procid_target 101
PID 3408 wrote to memory of 2380, procid_target 102
PID 3408 wrote to memory of 2380, procid_target 102
PID 3408 wrote to memory of 436, procid_target 103
PID 3408 wrote to memory of 436, procid_target 103
PID 3408 wrote to memory of 2524, procid_target 104
PID 3408 wrote to memory of 2524, procid_target 104
PID 3408 wrote to memory of 3228, procid_target 105
PID 3408 wrote to memory of 3228, procid_target 105
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3408

  Level 2: C:\Windows\System\QIKgowQ.exe
    Command line: C:\Windows\System\QIKgowQ.exe
    - Executes dropped EXE
    PID: 5100

  Level 2: C:\Windows\System\XwrUKnL.exe
    Command line: C:\Windows\System\XwrUKnL.exe
    - Executes dropped EXE
    PID: 2140

  Level 2: C:\Windows\System\JitgnOx.exe
    Command line: C:\Windows\System\JitgnOx.exe
    - Executes dropped EXE
    PID: 452

  Level 2: C:\Windows\System\JhsCXJn.exe
    Command line: C:\Windows\System\JhsCXJn.exe
    - Executes dropped EXE
    PID: 5008

  Level 2: C:\Windows\System\aNMWkHT.exe
    Command line: C:\Windows\System\aNMWkHT.exe
    - Executes dropped EXE
    PID: 1932

  Level 2: C:\Windows\System\hRLuKzi.exe
    Command line: C:\Windows\System\hRLuKzi.exe
    - Executes dropped EXE
    PID: 2672

  Level 2: C:\Windows\System\HAIVcMV.exe
    Command line: C:\Windows\System\HAIVcMV.exe
    - Executes dropped EXE
    PID: 2324

  Level 2: C:\Windows\System\ZhrdRrR.exe
    Command line: C:\Windows\System\ZhrdRrR.exe
    - Executes dropped EXE
    PID: 3588

  Level 2: C:\Windows\System\WWfZEQx.exe
    Command line: C:\Windows\System\WWfZEQx.exe
    - Executes dropped EXE
    PID: 4780

  Level 2: C:\Windows\System\CbjcLDv.exe
    Command line: C:\Windows\System\CbjcLDv.exe
    - Executes dropped EXE
    PID: 800

  Level 2: C:\Windows\System\bgwhKvM.exe
    Command line: C:\Windows\System\bgwhKvM.exe
    - Executes dropped EXE
    PID: 3204

  Level 2: C:\Windows\System\jcPujhd.exe
    Command line: C:\Windows\System\jcPujhd.exe
    - Executes dropped EXE
    PID: 2540

  Level 2: C:\Windows\System\zQqMQJl.exe
    Command line: C:\Windows\System\zQqMQJl.exe
    - Executes dropped EXE
    PID: 4980

  Level 2: C:\Windows\System\ccEwGue.exe
    Command line: C:\Windows\System\ccEwGue.exe
    - Executes dropped EXE
    PID: 4056

  Level 2: C:\Windows\System\jFXLITt.exe
    Command line: C:\Windows\System\jFXLITt.exe
    - Executes dropped EXE
    PID: 2120

  Level 2: C:\Windows\System\haNLeGp.exe
    Command line: C:\Windows\System\haNLeGp.exe
    - Executes dropped EXE
    PID: 2024

  Level 2: C:\Windows\System\MMLmagT.exe
    Command line: C:\Windows\System\MMLmagT.exe
    - Executes dropped EXE
    PID: 720

  Level 2: C:\Windows\System\CWqbGgc.exe
    Command line: C:\Windows\System\CWqbGgc.exe
    - Executes dropped EXE
    PID: 2380

  Level 2: C:\Windows\System\QzUinEm.exe
    Command line: C:\Windows\System\QzUinEm.exe
    - Executes dropped EXE
    PID: 436

  Level 2: C:\Windows\System\DnAsLca.exe
    Command line: C:\Windows\System\DnAsLca.exe
    - Executes dropped EXE
    PID: 2524

  Level 2: C:\Windows\System\ajelOck.exe
    Command line: C:\Windows\System\ajelOck.exe
    - Executes dropped EXE
    PID: 3228
Downloads

Filesize: 5.2MB
MD5: a9a14d660f9aba714e9b8a87a3164539
SHA1: e6374a5f0d9ad684833e7495b692905791a2994f
SHA256: 4a73e2d1f3d2c4c0e77cbb10043eb64c1bb65d8883effc5c85b22d0f63fbafba
SHA512: 2ce7aec3eb02107f2765eeb4981dbf728f7b3e1246dbab454d6ed5a4b111aa3935456f2e9b560c8749d30f83176f01410b895f7498e9b076b4c66a56bdae0d0a

Filesize: 5.2MB
MD5: 14a59ac47de077fdea64ca9cb01d7ac0
SHA1: 3f8a41ea8ac1472de06ab2544ed925fc17286a1b
SHA256: 741b99f0bce6531cc1714bf1b7ec475e14a94e3cada1194aab6b9b41f39ab5a9
SHA512: ba3bb114c84f09368a74aca15b1ee3d0de855350da63dcf0173f7e54e7c1d13869eb784d12ae2dbfac86f4585b1d9b523a59075165044429963537039e87cdaa

Filesize: 5.2MB
MD5: b699da9b91fa47aae69f04bcdf85fd8c
SHA1: 26c550bd561db542702b0567799c2584af44c27f
SHA256: 1619d9e0d32f58e402ad357568ae7464e713d9ed543f4fc9dbb169b85eb632f4
SHA512: 61eedcb62ce8c4842c61089254c988e12b6578d2f581b6c0ba0749f0b72340a884ae1056c9ea2901b117839f32ba6b1f15fbf8fe01cf1ccbaf92e2b570b3a036

Filesize: 5.2MB
MD5: 54bc07f41732ab080d26a717865db82f
SHA1: 3ed07533832eec22f56c101cf243f245b9af4f6f
SHA256: cbdf49236f880ec6d7e16548c9c5d9d0da13930d073c77a443a91c6e7dc7263b
SHA512: 1a573dddf8741ecfc1107c2cee416881ed76febffcc8e05a32e6696f36fee43503349aed7552e22d34ed60d257f60348606e72cabec7e4403870d5c625820ed2

Filesize: 5.2MB
MD5: e32db90ef70c420474453a83c53d1685
SHA1: 9628a05882830dcb11008a25f701f816a1a5cac0
SHA256: 0dc922838d64ab9589f62419ab086537f6c56791de82d4546ac322f76e2776ae
SHA512: 89207d336192f020b3da88669a661654c4ffa6766a56c44010d75184263834986e1d2e7e02af3be1b3436b86206acf2306c0ddd6a34a0d40454f117270412725

Filesize: 5.2MB
MD5: 7eabb126773092fe6347077c790ba92d
SHA1: f57f7f506fc084836b38f5f99a4f32bced7f844f
SHA256: fcc854561da09770546af99ff42da3efda9e34fc97e7e610662b1fe0118e814f
SHA512: 23282894eae29b0d491a474fd75c9a87daa11d7f89fb10fe8f088296d69766e5b3f08753c4b09942e4605e596243bb2dd15034a64883e3ee93dfaba46f8f72a4

Filesize: 5.2MB
MD5: 5bf58294b75f82e889ec2257910bfb0a
SHA1: d954bd7311bcb87a593cdcd630e87192c7dce3bb
SHA256: 8db6f459fce2e3a1083c447d641c467b512fbd79285f589cf00ddb92d9608526
SHA512: 2c9a2a53842c7eefce560741d85d8a996d236178124056f2264f2bebaaead5c3062be1929299bca9ec5a2edaa968085de8e3bca0865307f8b25206ac9f461f5c

Filesize: 5.2MB
MD5: f887a65160bee2c568a9b2dfe9e18754
SHA1: 301ca044d404e2f8a7c740ea4e3e45209d8a026a
SHA256: e37a1c5fb1ccc56dd5ac195dcca818ca7f357da71888209541d6d95d560a7a7e
SHA512: 984638b8075a3ca8e2a8376a7de85a37986db2a6e77ee4d09a0a6c2e341ce77b79d1625db492194b7390a89080a8c3eb2c4516a11864acd6c2e07c35ff91df3d

Filesize: 5.2MB
MD5: 77e1701230589b5a3933910f5fb15a13
SHA1: 64bef1d09837032d759aeedf53372f47392d9fad
SHA256: 3067aa7ce078b109c285a8c87fccd54e9c3bb2d5500109ba47252806dc39fe04
SHA512: 3783cc1930b7c7bf8306c99cf58f6e4407939ca7dc2b32c94194bce27b25e24c17197962d489447216501fe54e1ce89610b5dfd0cb4073ed6842757163d36d32

Filesize: 5.2MB
MD5: 85648fc112d4d0fa74517b8e3a57901a
SHA1: 60a3a074f1e6821c913cffdbcf7cf9c6f2a644d1
SHA256: 290c77b248d883e2676bea62a88f24e7b2e8d42127d00a48746d448ad36c63fd
SHA512: 813d46353c676df1218ac30b3314f7beab80be4f38a597502f72782ea2e359a35bca3594139e85768b72217d39e67c5b2e3af971a7191fbd257ccf9149c0e27e

Filesize: 5.2MB
MD5: eea0c16b5dc489c6a0bfb6731f9b6972
SHA1: a75cb7003cb2ebbfcc3c14524b045b722f20e675
SHA256: ed48aa5d2a7e6b059ad4111163384ccc7fd7ab7405086dd9d863061e4859c06a
SHA512: a74f9e6b6b78c78281f2c0efd3702b77842b56c992223b21730ea1b49ccc4d560498c3879f458f34dd8e5cf269fcb95bd97769bcc74bc3e4137395641eb153f2

Filesize: 5.2MB
MD5: d77c4550c0af27021fd2812d70672ccd
SHA1: 251cccca63df4f13f7c5ec1efb20305f2b41f56e
SHA256: 53742b0b640ced8c2ad3ed5b38823f90f60288188eda5a91366fb81bcfa67c0d
SHA512: 347649a34df173af60841dde878f4185abbec8a2f04250d3a8fb8c46e2b86bad3f5a29a07017ecf27a780c7bf0099ac3c7551bc586c465ecdc470ae19751e48b

Filesize: 5.2MB
MD5: 16229302870618d17562966a7fe2773b
SHA1: 1b23caa2d7069db1c9bc0dce5e89df71e8dffc23
SHA256: b176be0a0067cd33cfcc98a1f4fe3c962b82cf2dda077066eb6f83bedc616b7b
SHA512: 45703d2f539384d50cdca84a3e152bfdb08dd13f5f09cb01713009babaad2a452ce7041d52a2f7b73ad62b744fc751e3ee23ade8d5b66b26baea737e142f464f

Filesize: 5.2MB
MD5: 5ead9ac738cab2df3b64e142bb800974
SHA1: 9a5c922d1ab140b7e601b8486e57a67a7b1b9508
SHA256: 24e7219a8e793da422d8cdf5c5be529d3310ad88938ff8bd4dd1541b34bd98cc
SHA512: d42bf2c9eeb46d8603f2b017f096f691d62e1b13721c4ee3fa9dda6a6f344329f28af636b398d7030bc60e3108540b5b242dffbfc9f7300ccc35136e16920248

Filesize: 5.2MB
MD5: d0b4cf86bb8cefc4e718197568713b8d
SHA1: b42c6ac94e2be575023129163c74f084fe4a0c9e
SHA256: c7a618cfa5251ab10a51fc06367c869b7bfdb3c59c06f872197f8d15ba0146c0
SHA512: c3a7d31fe664b2c9711adb8900f8f3874550d651e5b08ac22adfea67130775d7c24a0c87d6e02b25b53901369ef55c95458850da9e88e0f389969edcde16cdf2

Filesize: 5.2MB
MD5: 63242d87e44e003390554346c9e87220
SHA1: 4828439b770332cd6240ffbd349c969753246d87
SHA256: 3443ef6e07c80f74a5097af5b8daae675ebfb6e467f9a5a144bb649d17cd04ff
SHA512: 3b98976b0f71342963dba759c8d9c0729e84826fc3a302f42cc6ca9c1bf64b8d709eab699d62f4863b6490a1bb41a71e0dc1222227a25c0de3f7107a07cf8776

Filesize: 5.2MB
MD5: 5fa02a25e58184598b781000e25d873b
SHA1: 0ff63fa571680ec996335683f138546f9c093702
SHA256: af72051d8cbd64302a3881eb3c78564de8a785110966f410559a8cbf591a4d43
SHA512: fd9a67e1b5c7b3a9a191b2a4b5f0a917d810d4b310f37d4a21bbc24f64fd3854322a13363c6ace5a284f5af5c99f4ac72c1a45b9756d90727fd939b4ec04f221

Filesize: 5.2MB
MD5: cabaa4888428bca4e90b3160a4006f5e
SHA1: 3b3e1d3e2aaa7389566948eea2720c8efa24a5c6
SHA256: 08e0bf66c2f8f01a65824745e90f3e0622dc437c1bd805ab7ed1463772307c0d
SHA512: ac2690a3968444637c695b0025b518512ce0ce09adf39aef31451d79e44d6217255572701d7732b4e1a01b7d74b1ebf471d0f4cb6264cbd160556172af49ef03

Filesize: 5.2MB
MD5: 61def9f0192db5b9d3065852e85866f8
SHA1: 4a9481346bcfbf5679f6d030940809917ab90e63
SHA256: 183cabcbaf1f9a4fd72b67b0598677bd0e3e197c0c09d0ae4b0b50b85515f9c0
SHA512: de84cac51d112b170c6592085edce33a1ff6261cc83160b22607ca524d92f0d94a1f92bd01432cf113f3640c854ec987202da01711ef81fe6d3453424febd59b

Filesize: 5.2MB
MD5: 97ef5eb76a9869f8cb9cf6873497556e
SHA1: 218594f749bfb5c61ef07cda0ac378ee8d0f4b38
SHA256: 014122518a60e99e3b20343fdbc5709b435842b4553724b41423aed68ec22b39
SHA512: 8a24ee8ab9b38adcd00f611c11f460091ffc600e32ff6cc4a10052a606e425d81146f0fbcea7d9a47bcf04f8e5c7ad47c21d1bfe4b71ba9d10422698c8049c44

Filesize: 5.2MB
MD5: 0756988f8313a35c767de64e69d7fcf8
SHA1: a9e49358eb7b2c598f5b10493499684c4f215bba
SHA256: ec5138ed90184f54069e48ca3a1bd1f412bf8ed92aae1382827e1f9bb48feb81
SHA512: 12b973699b8523b4ecb5b02395443b6edfb0f9ced150b3c2ada2a983bfd309f161ff6c96bad82d71b5e1820c65c0d3e54e60ab1250fae9250a4b897aa0101cf2