Analysis
-
max time kernel
142s
-
max time network
148s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240802-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
07-08-2024 20:22
Behavioral task
behavioral1
Sample
2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe
Resource
win7-20240704-en
General
-
Target
2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe
-
Size
5.2MB
-
MD5
35fd3e6cfdf21d052e03cfd295554f4a
-
SHA1
01c8baa8e0e87d64866f756a9397502c7a70b55b
-
SHA256
fe976a7e383b394424552a3b9084fefeeab182f64ca5032daa0e9aff4fb6df53
-
SHA512
85ec2a8af8b804afcee9578b3432ff77b7514f31300b94c70f2007dc386337a6b76d4b439460a8d7dfacd51b184d79199886cce463f0039bf87f0de8d8fb3cd3
-
SSDEEP
49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lS:RWWBibf56utgpPFotBER/mQ32lUW
Malware Config
Extracted
-
Family
cobaltstrike
-
Watermark
0
-
C2
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
-
access_type
512
-
beacon_type
256
-
create_remote_thread
768
-
crypto_scheme
256
-
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
-
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
-
http_method1
GET
-
http_method2
POST
-
maxdns
255
-
pipe_name
\\%s\pipe\msagent_%x
-
polling_time
5000
-
port_number
443
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/N4215/adj/amzn.us.sr.aps
-
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
-
watermark
0
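The two http_header blobs above are the beacon's malleable C2 transform programs (the http-get and http-post client blocks) serialised as big-endian u32 opcodes, and the field the extractor labels state_machine is a base64 DER SubjectPublicKeyInfo: the MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ prefix is the standard header of a 1024-bit RSA public key, zero-padded to the size of its config slot. The script below is an added example, not code from the sandbox or from any beacon parser; it copies the three blobs from this report, walks the opcodes using the layout that open-source beacon config parsers (1768.py, CobaltStrikeParser) document, prints the steps back in profile syntax, and parses the key with a minimal DER reader to recover modulus size, exponent and a SHA-256 fingerprint. Decoded, the headers reproduce the public Amazon example profile (Host www.amazon.com, session-token cookie, /N4215/adj/amzn.us.sr.aps POST URI), which matters because a stock profile is easy to fingerprint on the wire.

```python
"""Decode the transform blocks and RSA public key from the extracted beacon config."""
import base64
import hashlib
import struct

# The three blobs are copied from the config above (http_header1, http_header2, state_machine).
HTTP_HEADER1 = "AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="
HTTP_HEADER2 = "AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA=="
PUBLIC_KEY = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="

# Transform opcodes as laid out by the public parsers; 14 (strrep) is omitted, unknown ops raise.
OPS = {0: "end", 1: "append", 2: "prepend", 3: "base64", 4: "print", 5: "parameter",
       6: "header", 7: "build", 8: "netbios", 9: "const_parameter", 10: "const_header",
       11: "netbiosu", 12: "uri_append", 13: "base64url", 15: "mask", 16: "const_host_header"}
STRING_OPS = {1, 2, 5, 6, 9, 10, 16}             # opcode, u32 length, bytes
TERMINATORS = {"header", "parameter", "print", "uri_append"}   # these end a build block
RSA_OID = bytes.fromhex("2a864886f70d010101")     # rsaEncryption


def b64(blob):
    """Decode base64 regardless of how the report trimmed the '=' padding."""
    blob = blob.strip().rstrip("=")
    return base64.b64decode(blob + "=" * (-len(blob) % 4))


def decode_transform(blob):
    """Return [(op_name, argument)] up to the first 'end' opcode; the zero tail is slot padding."""
    data, pos, steps = b64(blob), 0, []
    while pos + 4 <= len(data):
        (op,) = struct.unpack(">I", data[pos:pos + 4])
        pos += 4
        if op == 0:
            break
        if op not in OPS:
            raise ValueError(f"unsupported transform opcode {op} at offset {pos - 4}")
        if op in STRING_OPS:
            (n,) = struct.unpack(">I", data[pos:pos + 4])
            arg, pos = data[pos + 4:pos + 4 + n].decode("latin-1"), pos + 4 + n
        elif op == 7:                             # build: u32 selects metadata/id (0) or output (1)
            (arg,) = struct.unpack(">I", data[pos:pos + 4])
            pos += 4
        else:
            arg = None
        steps.append((OPS[op], arg))
    return steps


def render_profile(steps, block):
    """Render the steps in malleable C2 profile syntax; block is "http-get" or "http-post"."""
    lines, in_block = [f"{block} {{", "    client {"], False
    for name, arg in steps:
        if name == "build":
            if in_block:
                lines.append("        }")
            label = "output" if arg == 1 else ("metadata" if block == "http-get" else "id")
            lines.append(f"        {label} {{")
            in_block = True
            continue
        ind = "            " if in_block else "        "
        if name in ("const_header", "const_parameter"):   # literal "Key: value" / "key=value"
            key, _, val = arg.partition(": " if name == "const_header" else "=")
            lines.append(f'{ind}{name[6:]} "{key}" "{val}";')
        elif arg is None:
            lines.append(f"{ind}{name};")
        else:
            lines.append(f'{ind}{name} "{arg}";')
        if in_block and name in TERMINATORS:
            lines.append("        }")
            in_block = False
    if in_block:
        lines.append("        }")
    return "\n".join(lines + ["    }", "}"])


def der_read(buf, pos=0):
    """Minimal DER TLV reader (definite lengths only): returns (tag, value, end_offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(blob):
    """Parse the base64 DER SubjectPublicKeyInfo; padding after the outer SEQUENCE is ignored."""
    der = b64(blob)
    tag, spki, end = der_read(der)
    if tag != 0x30:
        raise ValueError("expected SubjectPublicKeyInfo SEQUENCE")
    _, alg, pos = der_read(spki)
    if der_read(alg)[1] != RSA_OID:
        raise ValueError("algorithm is not rsaEncryption")
    tag, bits, _ = der_read(spki, pos)
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("expected BIT STRING with no unused bits")
    _, rsa, _ = der_read(bits[1:])                # RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }
    _, n, pos = der_read(rsa)
    _, e, _ = der_read(rsa, pos)
    return {"modulus_bits": int.from_bytes(n, "big").bit_length(),
            "exponent": int.from_bytes(e, "big"),
            "spki_sha256": hashlib.sha256(der[:end]).hexdigest()}


if __name__ == "__main__":
    print(render_profile(decode_transform(HTTP_HEADER1), "http-get"))
    print(render_profile(decode_transform(HTTP_HEADER2), "http-post"))
    print(parse_rsa_spki(PUBLIC_KEY))
```

The spki_sha256 value is the one to pivot on: a team server keeps its key pair across redirectors and domain changes, so beacons from unrelated-looking C2 hosts that share the fingerprint share an operator. The decoder stops at the first end opcode rather than at the end of the buffer because the slot is zero-filled, and it raises on an opcode it does not know rather than guessing a length and silently desynchronising.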
Signatures
-
Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
resource yara_rule
behavioral2/files/0x000300000001e62f-4.dat cobalt_reflective_dll
behavioral2/files/0x00070000000234e8-10.dat cobalt_reflective_dll
behavioral2/files/0x00080000000234e7-11.dat cobalt_reflective_dll
behavioral2/files/0x00080000000234e5-24.dat cobalt_reflective_dll
behavioral2/files/0x00070000000234e9-29.dat cobalt_reflective_dll
behavioral2/files/0x00070000000234ea-35.dat cobalt_reflective_dll
behavioral2/files/0x00070000000234eb-40.dat cobalt_reflective_dll
behavioral2/files/0x00070000000234ec-46.dat cobalt_reflective_dll
behavioral2/files/0x00070000000234ed-52.dat cobalt_reflective_dll
behavioral2/files/0x00070000000234ee-59.dat cobalt_reflective_dll
behavioral2/files/0x00070000000234ef-65.dat cobalt_reflective_dll
behavioral2/files/0x00070000000234f0-74.dat cobalt_reflective_dll
behavioral2/files/0x00070000000234f2-84.dat cobalt_reflective_dll
behavioral2/files/0x00070000000234f3-88.dat cobalt_reflective_dll
behavioral2/files/0x00070000000234f4-98.dat cobalt_reflective_dll
behavioral2/files/0x00070000000234f1-79.dat cobalt_reflective_dll
behavioral2/files/0x00070000000234f5-105.dat cobalt_reflective_dll
behavioral2/files/0x00070000000234f6-110.dat cobalt_reflective_dll
behavioral2/files/0x00070000000234f7-118.dat cobalt_reflective_dll
behavioral2/files/0x00080000000234f8-124.dat cobalt_reflective_dll
behavioral2/files/0x00080000000234fa-131.dat cobalt_reflective_dll
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
XMRig Miner payload 46 IoCs
resource yara_rule
behavioral2/memory/1936-26-0x00007FF712A20000-0x00007FF712D71000-memory.dmp xmrig
behavioral2/memory/1636-44-0x00007FF76ACC0000-0x00007FF76B011000-memory.dmp xmrig
behavioral2/memory/2756-50-0x00007FF636D00000-0x00007FF637051000-memory.dmp xmrig
behavioral2/memory/2060-61-0x00007FF74D4E0000-0x00007FF74D831000-memory.dmp xmrig
behavioral2/memory/3780-91-0x00007FF74C330000-0x00007FF74C681000-memory.dmp xmrig
behavioral2/memory/4532-92-0x00007FF7C8FA0000-0x00007FF7C92F1000-memory.dmp xmrig
behavioral2/memory/1752-90-0x00007FF68BC30000-0x00007FF68BF81000-memory.dmp xmrig
behavioral2/memory/3480-89-0x00007FF65C900000-0x00007FF65CC51000-memory.dmp xmrig
behavioral2/memory/4380-68-0x00007FF67E6F0000-0x00007FF67EA41000-memory.dmp xmrig
behavioral2/memory/1240-101-0x00007FF6FD9F0000-0x00007FF6FDD41000-memory.dmp xmrig
behavioral2/memory/4492-102-0x00007FF7127A0000-0x00007FF712AF1000-memory.dmp xmrig
behavioral2/memory/4940-111-0x00007FF70B700000-0x00007FF70BA51000-memory.dmp xmrig
behavioral2/memory/1244-119-0x00007FF7D3470000-0x00007FF7D37C1000-memory.dmp xmrig
behavioral2/memory/1636-128-0x00007FF76ACC0000-0x00007FF76B011000-memory.dmp xmrig
behavioral2/memory/4448-130-0x00007FF671190000-0x00007FF6714E1000-memory.dmp xmrig
behavioral2/memory/2428-134-0x00007FF785E40000-0x00007FF786191000-memory.dmp xmrig
behavioral2/memory/2060-135-0x00007FF74D4E0000-0x00007FF74D831000-memory.dmp xmrig
behavioral2/memory/3228-140-0x00007FF6954B0000-0x00007FF695801000-memory.dmp xmrig
behavioral2/memory/2956-141-0x00007FF7A3460000-0x00007FF7A37B1000-memory.dmp xmrig
behavioral2/memory/960-148-0x00007FF7E4F90000-0x00007FF7E52E1000-memory.dmp xmrig
behavioral2/memory/1040-152-0x00007FF632EC0000-0x00007FF633211000-memory.dmp xm rig
behavioral2/memory/4388-154-0x00007FF66A040000-0x00007FF66A391000-memory.dmp xmrig
behavioral2/memory/3896-156-0x00007FF7A95F0000-0x00007FF7A9941000-memory.dmp xmrig
behavioral2/memory/4036-155-0x00007FF74F6D0000-0x00007FF74FA21000-memory.dmp xmrig
behavioral2/memory/2060-159-0x00007FF74D4E0000-0x00007FF74D831000-memory.dmp xmrig
behavioral2/memory/4380-207-0x00007FF67E6F0000-0x00007FF67EA41000-memory.dmp xmrig
behavioral2/memory/3480-209-0x00007FF65C900000-0x00007FF65CC51000-memory.dmp xmrig
behavioral2/memory/1240-211-0x00007FF6FD9F0000-0x00007FF6FDD41000-memory.dmp xmrig
behavioral2/memory/1936-213-0x00007FF712A20000-0x00007FF712D71000-memory.dmp xmrig
behavioral2/memory/4940-215-0x00007FF70B700000-0x00007FF70BA51000-memory.dmp xmrig
behavioral2/memory/1244-217-0x00007FF7D3470000-0x00007FF7D37C1000-memory.dmp xmrig
behavioral2/memory/1636-229-0x00007FF76ACC0000-0x00007FF76B011000-memory.dmp xmrig
behavioral2/memory/2756-231-0x00007FF636D00000-0x00007FF637051000-memory.dmp xmrig
behavioral2/memory/3228-233-0x00007FF6954B0000-0x00007FF695801000-memory.dmp xmrig
behavioral2/memory/2956-235-0x00007FF7A3460000-0x00007FF7A37B1000-memory.dmp xmrig
behavioral2/memory/960-237-0x00007FF7E4F90000-0x00007FF7E52E1000-memory.dmp xmrig
behavioral2/memory/1752-239-0x00007FF68BC30000-0x00007FF68BF81000-memory.dmp xmrig
behavioral2/memory/3780-241-0x00007FF74C330000-0x00007FF74C681000-memory.dmp xmrig
behavioral2/memory/4532-243-0x00007FF7C8FA0000-0x00007FF7C92F1000-memory.dmp xmrig
behavioral2/memory/1040-245-0x00007FF632EC0000-0x00007FF633211000-memory.dmp xmrig
behavioral2/memory/4492-247-0x00007FF7127A0000-0x00007FF712AF1000-memory.dmp xmrig
behavioral2/memory/4388-249-0x00007FF66A040000-0x00007FF66A391000-memory.dmp xmrig
behavioral2/memory/4036-251-0x00007FF74F6D0000-0x00007FF74FA21000-memory.dmp xmrig
behavioral2/memory/3896-254-0x00007FF7A95F0000-0x00007FF7A9941000-memory.dmp xmrig
behavioral2/memory/4448-256-0x00007FF671190000-0x00007FF6714E1000-memory.dmp xmrig
behavioral2/memory/2428-258-0x00007FF785E40000-0x00007FF786191000-memory.dmp xmrig
-
Executes dropped EXE 21 IoCs
pid Process
4380 yKPudEa.exe
3480 HgGnpFq.exe
1240 OrmLigu.exe
1936 IWcTIMM.exe
4940 WXaKnOp.exe
1244 ClnYSCM.exe
1636 dDThacf.exe
2756 hwBhhiK.exe
3228 lVNCYWf.exe
2956 bUgPkol.exe
960 cqtoraH.exe
1752 agmRdfb.exe
3780 qZhMbBf.exe
4532 HEvnwHm.exe
1040 KzLbSAn.exe
4492 CkOCVlW.exe
4388 yocSFip.exe
4036 kHiNZGj.exe
3896 oexSsrm.exe
4448 LerOdFh.exe
2428 BMHYBEd.exe
-
UPX-packed files (yara rule upx) 64 IoCs
resource yara_rule
behavioral2/memory/2060-0-0x00007FF74D4E0000-0x00007FF74D831000-memory.dmp upx
behavioral2/files/0x000300000001e62f-4.dat upx
behavioral2/files/0x00070000000234e8-10.dat upx
behavioral2/files/0x00080000000234e7-11.dat upx
behavioral2/memory/3480-12-0x00007FF65C900000-0x00007FF65CC51000-memory.dmp upx
behavioral2/memory/4380-7-0x00007FF67E6F0000-0x00007FF67EA41000-memory.dmp upx
behavioral2/memory/1240-20-0x00007FF6FD9F0000-0x00007FF6FDD41000-memory.dmp upx
behavioral2/files/0x00080000000234e5-24.dat upx
behavioral2/memory/1936-26-0x00007FF712A20000-0x00007FF712D71000-memory.dmp upx
behavioral2/files/0x00070000000234e9-29.dat upx
behavioral2/memory/4940-30-0x00007FF70B700000-0x00007FF70BA51000-memory.dmp upx
behavioral2/files/0x00070000000234ea-35.dat upx
behavioral2/memory/1244-37-0x00007FF7D3470000-0x00007FF7D37C1000-memory.dmp upx
behavioral2/files/0x00070000000234eb-40.dat upx
behavioral2/memory/1636-44-0x00007FF76ACC0000-0x00007FF76B011000-memory.dmp upx
behavioral2/files/0x00070000000234ec-46.dat upx
behavioral2/memory/2756-50-0x00007FF636D00000-0x00007FF637051000-memory.dmp upx
behavioral2/files/0x00070000000234ed-52.dat upx
behavioral2/files/0x00070000000234ee-59.dat upx
behavioral2/files/0x00070000000234ef-65.dat upx
behavioral2/memory/2060-61-0x00007FF74D4E0000-0x00007FF74D831000-memory.dmp upx
behavioral2/files/0x00070000000234f0-74.dat upx
behavioral2/files/0x00070000000234f2-84.dat upx
behavioral2/files/0x00070000000234f3-88.dat upx
behavioral2/memory/3780-91-0x00007FF74C330000-0x00007FF74C681000-memory.dmp upx
behavioral2/files/0x00070000000234f4-98.dat upx
behavioral2/memory/1040-96-0x00007FF632EC0000-0x00007FF633211000-memory.dmp upx
behavioral2/memory/4532-92-0x00007FF7C8FA0000-0x00007FF7C92F1000-memory.dmp upx
behavioral2/memory/1752-90-0x00007FF68BC30000-0x00007FF68BF81000-memory.dmp upx
behavioral2/memory/3480-89-0x00007FF65C900000-0x00007FF65CC51000-memory.dmp upx
behavioral2/files/0x00070000000234f1-79.dat upx
behavioral2/memory/960-72-0x00007FF7E4F90000-0x00007FF7E52E1000-memory.dmp upx
behavioral2/memory/4380-68-0x00007FF67E6F0000-0x00007FF67EA41000-memory.dmp upx
behavioral2/memory/2956-66-0x00007FF7A3460000-0x00007FF7A37B1000-memory.dmp upx
behavioral2/memory/3228-53-0x00007FF6954B0000-0x00007FF695801000-memory.dmp upx
behavioral2/memory/1240-101-0x00007FF6FD9F0000-0x00007FF6FDD41000-memory.dmp upx
behavioral2/memory/4492-102-0x00007FF7127A0000-0x00007FF712AF1000-memory.dmp upx
behavioral2/files/0x00070000000234f5-105.dat upx
behavioral2/files/0x00070000000234f6-110.dat upx
behavioral2/memory/4036-112-0x00007FF74F6D0000-0x00007FF74FA21000-memory.dmp upx
behavioral2/memory/4940-111-0x00007FF70B700000-0x00007FF70BA51000-memory.dmp upx
behavioral2/memory/4388-107-0x00007FF66A040000-0x00007FF66A391000-memory.dmp upx
behavioral2/files/0x00070000000234f7-118.dat upx
behavioral2/files/0x00080000000234f8-124.dat upx
behavioral2/memory/3896-120-0x00007FF7A95F0000-0x00007FF7A9941000-memory.dmp upx
behavioral2/memory/1244-119-0x00007FF7D3470000-0x00007FF7D37C1000-memory.dmp upx
behavioral2/memory/1636-128-0x00007FF76ACC0000-0x00007FF76B011000-memory.dmp upx
behavioral2/files/0x00080000000234fa-131.dat upx
behavioral2/memory/4448-130-0x00007FF671190000-0x00007FF6714E1000-memory.dmp upx
behavioral2/memory/2428-134-0x00007FF785E40000-0x00007FF786191000-memory.dmp upx
behavioral2/memory/2060-135-0x00007FF74D4E0000-0x00007FF74D831000-memory.dmp upx
behavioral2/memory/3228-140-0x00007FF6954B0000-0x00007FF695801000-memory.dmp upx
behavioral2/memory/2956-141-0x00007FF7A3460000-0x00007FF7A37B1000-memory.dmp upx
behavioral2/memory/960-148-0x00007FF7E4F90000-0x00007FF7E52E1000-memory.dmp upx
behavioral2/memory/1040-152-0x00007FF632EC0000-0x00007FF633211000-memory.dmp upx
behavioral2/memory/4388-154-0x00007FF66A040000-0x00007FF66A391000-memory.dmp upx
behavioral2/memory/3896-156-0x00007FF7A95F0000-0x00007FF7A9941000-memory.dmp upx
behavioral2/memory/4036-155-0x00007FF74F6D0000-0x00007FF74FA21000-memory.dmp upx
behavioral2/memory/2060-159-0x00007FF74D4E0000-0x00007FF74D831000-memory.dmp upx
behavioral2/memory/4380-207-0x00007FF67E6F0000-0x00007FF67EA41000-memory.dmp upx
behavioral2/memory/3480-209-0x00007FF65C900000-0x00007FF65CC51000-memory.dmp upx
behavioral2/memory/1240-211-0x00007FF6FD9F0000-0x00007FF6FDD41000-memory.dmp upx
behavioral2/memory/1936-213-0x00007FF712A20000-0x00007FF712D71000-memory.dmp upx
behavioral2/memory/4940-215-0x00007FF70B700000-0x00007FF70BA51000-memory.dmp upx
-
Drops file in Windows directory 21 IoCs
description ioc Process
(Process in every row is 2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe)
File created C:\Windows\System\WXaKnOp.exe
File created C:\Windows\System\lVNCYWf.exe
File created C:\Windows\System\cqtoraH.exe
File created C:\Windows\System\agmRdfb.exe
File created C:\Windows\System\KzLbSAn.exe
File created C:\Windows\System\LerOdFh.exe
File created C:\Windows\System\yKPudEa.exe
File created C:\Windows\System\HgGnpFq.exe
File created C:\Windows\System\qZhMbBf.exe
File created C:\Windows\System\HEvnwHm.exe
File created C:\Windows\System\BMHYBEd.exe
File created C:\Windows\System\ClnYSCM.exe
File created C:\Windows\System\dDThacf.exe
File created C:\Windows\System\yocSFip.exe
File created C:\Windows\System\oexSsrm.exe
File created C:\Windows\System\OrmLigu.exe
File created C:\Windows\System\hwBhhiK.exe
File created C:\Windows\System\CkOCVlW.exe
File created C:\Windows\System\kHiNZGj.exe
File created C:\Windows\System\IWcTIMM.exe
File created C:\Windows\System\bUgPkol.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process
Token: SeLockMemoryPrivilege 2060 2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege 2060 2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe
-
Suspicious use of WriteProcessMemory 42 IoCs
description pid Process procid_target
(Process in every row is 2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe, PID 2060)
PID 2060 wrote to memory of 4380, procid_target 84
PID 2060 wrote to memory of 4380, procid_target 84
PID 2060 wrote to memory of 3480, procid_target 86
PID 2060 wrote to memory of 3480, procid_target 86
PID 2060 wrote to memory of 1240, procid_target 88
PID 2060 wrote to memory of 1240, procid_target 88
PID 2060 wrote to memory of 1936, procid_target 89
PID 2060 wrote to memory of 1936, procid_target 89
PID 2060 wrote to memory of 4940, procid_target 91
PID 2060 wrote to memory of 4940, procid_target 91
PID 2060 wrote to memory of 1244, procid_target 92
PID 2060 wrote to memory of 1244, procid_target 92
PID 2060 wrote to memory of 1636, procid_target 93
PID 2060 wrote to memory of 1636, procid_target 93
PID 2060 wrote to memory of 2756, procid_target 94
PID 2060 wrote to memory of 2756, procid_target 94
PID 2060 wrote to memory of 3228, procid_target 95
PID 2060 wrote to memory of 3228, procid_target 95
PID 2060 wrote to memory of 2956, procid_target 96
PID 2060 wrote to memory of 2956, procid_target 96
PID 2060 wrote to memory of 960, procid_target 97
PID 2060 wrote to memory of 960, procid_target 97
PID 2060 wrote to memory of 1752, procid_target 98
PID 2060 wrote to memory of 1752, procid_target 98
PID 2060 wrote to memory of 3780, procid_target 99
PID 2060 wrote to memory of 3780, procid_target 99
PID 2060 wrote to memory of 4532, procid_target 100
PID 2060 wrote to memory of 4532, procid_target 100
PID 2060 wrote to memory of 1040, procid_target 101
PID 2060 wrote to memory of 1040, procid_target 101
PID 2060 wrote to memory of 4492, procid_target 102
PID 2060 wrote to memory of 4492, procid_target 102
PID 2060 wrote to memory of 4388, procid_target 103
PID 2060 wrote to memory of 4388, procid_target 103
PID 2060 wrote to memory of 4036, procid_target 104
PID 2060 wrote to memory of 4036, procid_target 104
PID 2060 wrote to memory of 3896, procid_target 105
PID 2060 wrote to memory of 3896, procid_target 105
PID 2060 wrote to memory of 4448, procid_target 106
PID 2060 wrote to memory of 4448, procid_target 106
PID 2060 wrote to memory of 2428, procid_target 107
PID 2060 wrote to memory of 2428, procid_target 107
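The signatures above describe one behaviour chain: the sample (PID 2060) enables SeLockMemoryPrivilege, the privilege XMRig asks for to get large-page memory on Windows, writes 21 executables into C:\Windows\System\, and then starts each one as a child. The script below is an added example of turning that chain into a detection, not anything from the sandbox: it runs over constructed events in an assumed EDR-style schema (the event type names, field names and the sqlservr.exe allow-list are all assumptions for the example), correlates the creation of an .exe under the Windows directory with a later process start from that path, and flags SeLockMemoryPrivilege use by any process not on the allow-list.

```python
"""Drop-and-execute correlation over endpoint events, modelled on this report's signatures."""
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe")

# Constructed events in an assumed EDR-style schema; PIDs and paths are taken from the report,
# the benign noise at the end is made up to show what the rules must not fire on.
EVENTS = [
    {"type": "process_create", "pid": 2060, "ppid": 1812, "image": SAMPLE},
    {"type": "privilege_enable", "pid": 2060, "privilege": "SeLockMemoryPrivilege"},
    {"type": "file_create", "pid": 2060, "path": r"C:\Windows\System\yKPudEa.exe"},
    {"type": "process_create", "pid": 4380, "ppid": 2060, "image": r"C:\Windows\System\yKPudEa.exe"},
    {"type": "file_create", "pid": 2060, "path": r"C:\Windows\System\HgGnpFq.exe"},
    {"type": "process_create", "pid": 3480, "ppid": 2060, "image": r"C:\Windows\System\HgGnpFq.exe"},
    # Noise: a service writing a log, an installer launching what it unpacked outside
    # the Windows directory, and SQL Server using large pages (allow-listed below).
    {"type": "process_create", "pid": 1500, "ppid": 4, "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "file_create", "pid": 1500, "path": r"C:\Windows\Temp\setup.log"},
    {"type": "process_create", "pid": 2200, "ppid": 1500, "image": r"C:\Windows\System32\msiexec.exe"},
    {"type": "file_create", "pid": 2200, "path": r"C:\Program Files\Vendor\app.exe"},
    {"type": "process_create", "pid": 2300, "ppid": 2200, "image": r"C:\Program Files\Vendor\app.exe"},
    {"type": "process_create", "pid": 3100, "ppid": 1500,
     "image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"},
    {"type": "privilege_enable", "pid": 3100, "privilege": "SeLockMemoryPrivilege"},
]

# An .exe written anywhere under the Windows directory by an ordinary process is the trigger.
WINDOWS_EXE = re.compile(r"^[a-z]:\\windows\\.*\.exe$", re.IGNORECASE)
# Binaries that legitimately enable SeLockMemoryPrivilege for large pages; site-specific assumption.
LOCK_MEMORY_ALLOWLIST = {"sqlservr.exe"}


def correlate(events):
    """Walk the events once; return findings for drop-and-execute chains and for
    SeLockMemoryPrivilege being enabled by anything not on the allow-list."""
    image_of = {}       # pid -> image path of every process seen so far
    created_by = {}     # lower-cased path of an .exe written under C:\Windows -> writer pid
    findings = []
    for ev in events:
        if ev["type"] == "process_create":
            image_of[ev["pid"]] = ev["image"]
            writer = created_by.get(ev["image"].lower())
            if writer is not None:
                findings.append({"rule": "drop_and_execute", "dropper_pid": writer,
                                 "dropper": image_of.get(writer), "pid": ev["pid"],
                                 "path": ev["image"], "parent_is_dropper": ev["ppid"] == writer})
        elif ev["type"] == "file_create" and WINDOWS_EXE.match(ev["path"]):
            created_by[ev["path"].lower()] = ev["pid"]
        elif ev["type"] == "privilege_enable" and ev["privilege"] == "SeLockMemoryPrivilege":
            image = image_of.get(ev["pid"], "")
            if image.rsplit("\\", 1)[-1].lower() not in LOCK_MEMORY_ALLOWLIST:
                findings.append({"rule": "lock_memory_privilege", "pid": ev["pid"], "image": image})
    return findings


def summarize(findings):
    """Group drop-and-execute hits per dropper: one process unpacking and launching many
    binaries (21 in this report) is the pattern worth a high-severity alert."""
    per_dropper = {}
    for f in findings:
        if f["rule"] == "drop_and_execute":
            per_dropper.setdefault(f["dropper_pid"], []).append(f["path"])
    return per_dropper


if __name__ == "__main__":
    hits = correlate(EVENTS)
    for hit in hits:
        print(hit)
    print(summarize(hits))
```

The correlation keys on the lower-cased path rather than on PID alone so a dropper that hands the launch to an intermediate process is still linked to the file it wrote; parent_is_dropper records whether the launch was direct, as it is here, for triage. Keeping created_by bounded (expire entries after the usual dwell time) is the one change needed before running this against a live event stream.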
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe (PID 2060, depth 1)
command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe"
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
Children of PID 2060 (depth 2); each runs with its own path as the command line and matches "Executes dropped EXE":
- C:\Windows\System\yKPudEa.exe (PID 4380)
- C:\Windows\System\HgGnpFq.exe (PID 3480)
- C:\Windows\System\OrmLigu.exe (PID 1240)
- C:\Windows\System\IWcTIMM.exe (PID 1936)
- C:\Windows\System\WXaKnOp.exe (PID 4940)
- C:\Windows\System\ClnYSCM.exe (PID 1244)
- C:\Windows\System\dDThacf.exe (PID 1636)
- C:\Windows\System\hwBhhiK.exe (PID 2756)
- C:\Windows\System\lVNCYWf.exe (PID 3228)
- C:\Windows\System\bUgPkol.exe (PID 2956)
- C:\Windows\System\cqtoraH.exe (PID 960)
- C:\Windows\System\agmRdfb.exe (PID 1752)
- C:\Windows\System\qZhMbBf.exe (PID 3780)
- C:\Windows\System\HEvnwHm.exe (PID 4532)
- C:\Windows\System\KzLbSAn.exe (PID 1040)
- C:\Windows\System\CkOCVlW.exe (PID 4492)
- C:\Windows\System\yocSFip.exe (PID 4388)
- C:\Windows\System\kHiNZGj.exe (PID 4036)
- C:\Windows\System\oexSsrm.exe (PID 3896)
- C:\Windows\System\LerOdFh.exe (PID 4448)
- C:\Windows\System\BMHYBEd.exe (PID 2428)
Downloads
-
Filesize 5.2MB
MD5 b4eaa00d0c4749e3d28d2f569c965580
SHA1 6a441dd508e49860f6f199cf7a62703bdf8393e9
SHA256 aa682b6514e7dcdbe1aae4b1b5dfd9e8e72f165711a01600d653f5574d72b162
SHA512 407342f52504d0b07d8a1d5f4a3da480c62ff600d5689c3fc999b3c559db9cfa4da0121413c8ddf0a38929867cee251d00b1a6f7229234301b0b5e13286a1fab
-
Filesize 5.2MB
MD5 55d8380f1dce015d4ff865eda13e6768
SHA1 a043fa7b652a2b00a85055affba5e4b7efb20ed3
SHA256 6fcceb973cc3ae373aafce35f159c8d69cf7d20060ee255e481bb7b3f47369dc
SHA512 baccf9503086ba4e7defe19fad803e08580f63805b85155a9d6e4751536bcbdd7f53ab0d1f2402c67ced69c1e981a8d92d2dee09be0213d8c15813984cc18970
-
Filesize 5.2MB
MD5 f6d6b546ab1c204b98a186cf46971238
SHA1 ebdfc9a06923cb909beac9f43150f21d5119799e
SHA256 b3b98d8d19efebc7768a698574527d9fa890dec4c5f402cceb47c08395f15c69
SHA512 12cdded0e2292b000442224bfe88c82fe2faf9503807937e25f6cfa9a012b01f292d7b85d6b71651e1710f99437fd863ff614b2c643156948a997639ed5f6a5c
-
Filesize 5.2MB
MD5 0edf1a3bd3a5184333db1fee24c8efe2
SHA1 509931f204e6ea021e106457feeedebe3b015666
SHA256 fe3b1b03a8d9e85556c76cb18bdc9fd762392bef25d2cb01d6caea959c973fb4
SHA512 5e9eab2bd109b22409c2725d14aaaf6613be5a622506ef236f18395379c70b06838933996524bfa80fa1e976eed337f3b6b762278512ac2515fe5d73db56f6f2
-
Filesize 5.2MB
MD5 2c5e80756ae8e6c2e5237561d6c5a1ae
SHA1 c2e1435ee2fe43b9e712b66ffc10664a70eb1b1a
SHA256 d862e3e1696a173f2860e820a8bf73cdff9c010c4f10a43ce01e362b50498f6c
SHA512 482da4f9c92adfa964f7477393a25190a19742ab625eb66092bec815efe6dbafd17d44e3f5c0cc43a310108a4e9db533c1f59d9caf1725f00517268d88766d2e
-
Filesize 5.2MB
MD5 7bfe750f8cbf9199a2fc9e00ddc0d67a
SHA1 7c9469ce346a127e8db4cf180155a2ef4e9c696c
SHA256 94dd1e19255b114b55e645862c1ddcca2ec0dd480e927b0a47b526a35e0d37a8
SHA512 489127f977c6cb3333393438a5967932fbb36bb1c9dab8f984ef82ac2c9fac70ab47d500b4c1610b78a151bfd4f4cf3e3292f7ffe01954e78d9adf3d1d56a3c0
-
Filesize 5.2MB
MD5 b82735eb8854277cdfdbb4ffd9eed451
SHA1 f11906528242e4f3cd9cbc99327192a249b3a114
SHA256 47e116d17744b89a4e15c0b94f8a19dc3a40ffdd72b24d58fc8fe1a402bfcef5
SHA512 ab499e67c5ede7f70336892805dacf31ba917089ea9fb084d05b67808cb45cbefd7ba895b98dd362f51b15f11a32374b6391465583af58086e366317f6b42dc2
-
Filesize 5.2MB
MD5 6118e86418ff089e578c56b030209ca0
SHA1 5fde8e50e1f365ed08d76eb0a7cea032494de2e1
SHA256 533e106eae3ebedc98d2865c8f5a9582ddefe854846777db7f612288b7b48c53
SHA512 a949eae3547132bc2bc9f56294e7458ca24652a56da27a0bede2c220e343367958d50c1c8021592f431e79588e62433b7038d303f732f57260c1ec4f761ec234
-
Filesize 5.2MB
MD5 971beef3f248dde96d06e81c518defba
SHA1 b425ca24d47a29b805c4e8cfb531e9f67c799d85
SHA256 65fc08128e708ed4f714a3f0a97954fe7b5ed8f693c9206260c53b24e05c0dab
SHA512 5179bf118e93ffad8db6a85c1ddcb1ca0d417e2de9ece5bafe198ab0fa65dcfd7054a4b0202203614c0c2c0cfa0ba2c9d589c9d5da932c6bf925eb0e50acfce8
-
Filesize 5.2MB
MD5 b32fb0f1c3b226e39ebaed88562bc27f
SHA1 a8e0c0d0e955d854eb0e696887c13f1a999c1686
SHA256 908a723bfabdf76853982f1282a4e220efc1c0e9112aefadcaede13adc2caa56
SHA512 616b11e60397504a6cfe5d7374bdd3279028eac49ecc0d670f302ef730715cd18a76e04f8ff0754eaf746406f32c10f64cf0fe92804d991b472d27793dd554ba
-
Filesize 5.2MB
MD5 7b86ae4e359a6571e615bcb82e467a7a
SHA1 05345c0add0f2174f7742cabcace80817ffcd916
SHA256 08245a6a8208f08f36cb15c1d99b79fb1f5f5acb49d6e01c2376b9ecf3c1c60f
SHA512 db323ed9bc4f0b145b84b74e4c50ff8e0691972594fe12c4d7afb0a29212d38a75e207f5c530e3ee87cba24ed862ae0a4f23af93bd1c23a5f09f533b85abe067
-
Filesize 5.2MB
MD5 423e356a9b1adf0b96e1cd9bbabfd61c
SHA1 3f065b149725044bf9e71a7197b1eae51a62c6d9
SHA256 4f597c778918ebd976f025a8f29fc801153ae8ff7a475d9d99d0aa1ad91a56eb
SHA512 725c5c378d9d679dca99f719b9dbf6c80bd80ff78bd80e590abca6443092ab24e553002a6fae78ef6a6cef711da4731cc8e38c6707602eeb27dc374bf5168c58
-
Filesize 5.2MB
MD5 f9a070844afafb05fa60e8a2cdc04275
SHA1 8f0a76d45e75cdd546fd38b4d1377296a541f9d9
SHA256 f33a9796d7db30a16f69c7a8c37456c213cf2a95e88a7a02098586919b2b4589
SHA512 cc13e443f3ad69d19dab45508ebae484637546004587ebc4f68443fc2dddd8aadde2193810bee4d81e59e7ffdc565adb61c1d759ac60e90dca41eecadbddf43f
-
Filesize 5.2MB
MD5 edd247ca954096c0bfbf325a097b0791
SHA1 db113359b82b49a63446d73a1d6e274c07271639
SHA256 2ed4fe46a4ee304433dd5354a1349d24e20a4ace2174f5f4d9bfbe115ad20648
SHA512 a42bf622cb2ab273f1e4803d0b2cda067805d789f9f6818187abebb3217eef32f8076380dd6abcf88ca7801082915bb5d0eebb76a0220a32d24f8f64f00215b3
-
Filesize 5.2MB
MD5 26ceb4dea678500e2bcd4f7a06bf1dfc
SHA1 37cd1a4c48e6db4860344d0c5893ef3af2c8e0b1
SHA256 cb998e14818ff377bfae2a8d4b6d527c6aee6ae364bf545e3cb3b8b937a8d57a
SHA512 722952324492ba650aceaa96923fea31f384d240ae5c51901a4a5cc34cba13f08c06fb96ac0b6293b9d1991d70e4caa2f9ee02b64a8a7a34db45f9bffb237e18
-
Filesize 5.2MB
MD5 6f19bcf308c528fe1239ad242f4dc64f
SHA1 7e1de3368ecb2cad839d5d5363658db1ba374325
SHA256 a0d550508955df26024f6460ede526e985ea83867be93bc80722c5b98fc84acf
SHA512 f1ff3cb6e1dafb8637c6dc9163162f7855b158e60d04f5568d59b5a9597810384ca9d5ccd1ce976709963bd3dc7f5206346d193e937bfc0330f2ed34ab59b01d
-
Filesize 5.2MB
MD5 662695c32943f6fb2f8e4e4392aefbf1
SHA1 f3595bc8d7a614a8ec3fd43a74bf39ee94349242
SHA256 171fa27bf69e17a07cdce6643a46eae22cfc0406f9aebda15ebaf367419887ce
SHA512 627eb8bc5603a2b17f4a82dc5b794add35143ac102f0b4fbef47b603736680c6490516df32443d0e77516c23e1f415bfdeaa429b40c0991c83e5aa4a9fa190ea
-
Filesize 5.2MB
MD5 f7ff76f804d5b14966985e2ff126cea0
SHA1 0c7523395d6fb0debf8e8add4ab6346c85b84760
SHA256 32ad235c799279b63443b86f170f717e075df68213325d81c5b4e1c4e72af8a4
SHA512 b8e2409894f5e7c1b9b49a190b2dbfe283eec90eed954923920cf56745b9f17b11e1c4f6691cd55be53118da43120f83bda72fa40c4de867a2eb20aa2bb881e6
-
Filesize 5.2MB
MD5 afdd59fa1339f11bf36b82ac7abb060d
SHA1 0ef2e3029f0c0f2400b5069deaea497cf0489695
SHA256 d0925c226e5661f10f31c67b7fb10dafb15e6fbcd3a6502f4af28673260d2aa2
SHA512 bc0c91a76a93ef35f5abb449c06a98c689f58b34b9b9815ceedecbd712ee4c0329a1b7b64d8840e5e9d2fd00040dc9fdf941f1d0091b62d54eb35ad4a1e0750a
-
Filesize 5.2MB
MD5 c3d8374b316a48a1909286f1b6a458e5
SHA1 ed9a876c2ed2464e0e49bc450ed6134935d4ba05
SHA256 9ec14e614a2181f36e5d3aa4067fa01b35b25bafedbd1c956f403e52a4a663c1
SHA512 3a57fb4956913547884ff0beb8d0f01526c95421433dbc9d6b64b17ff724a3b1df4d55d8ca1f4f8eb043159da78c70c6c1dcc3f257a0e349cf055781ef1f83a9
-
Filesize 5.2MB
MD5 526f11bd8e792948204083ae6a504874
SHA1 5b66dfe61cc726b4e2879678bb058a87a845f203
SHA256 31b40f30b2a153df60b11b960bdc3254eae374fca0871e057d68552f2eed4613
SHA512 52172237a0d12ccb890f3c46515bbcc2b85645377a624f833209acec24aa688fbc0f0cd08464846d7e4db1f31b781ed55c3ef3d109b495f2724ae404db2c543d