Analysis
-
max time kernel
144s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
07-08-2024 21:22
Behavioral task
behavioral1
Sample
2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe
Resource
win7-20240708-en
General
-
Target
2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe
-
Size
5.2MB
-
MD5
8a140827fa2626ef6bba6b213feae955
-
SHA1
d3f872016c4d67241a224208a3438930da414c13
-
SHA256
14ebc34fc109c6babd8231811e7371077e82a5cd36276c7ab389c84504b23a79
-
SHA512
c45ce9cbf7b369cc88b40123384e0dc8bf77d98755ef470fedaeeaead51e251ecdacff6669f39f719a9d4574b41bf98c950a17189d23190eebe16ac7cbab88fc
-
SSDEEP
49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l1:RWWBibf56utgpPFotBER/mQ32lUp
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
-
access_type
512
-
beacon_type
256
-
create_remote_thread
768
-
crypto_scheme
256
-
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
-
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
-
http_method1
GET
-
http_method2
POST
-
maxdns
255
-
pipe_name
\\%s\pipe\msagent_%x
-
polling_time
5000
-
port_number
443
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/N4215/adj/amzn.us.sr.aps
-
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
-
watermark
0
Signatures
-
Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
resource (yara_rule: cobalt_reflective_dll on every row)
behavioral2/files/0x000a00000002343d-4.dat
behavioral2/files/0x0007000000023483-11.dat
behavioral2/files/0x0008000000023482-12.dat
behavioral2/files/0x0007000000023484-23.dat
behavioral2/files/0x0007000000023485-26.dat
behavioral2/files/0x0008000000023480-40.dat
behavioral2/files/0x0007000000023487-52.dat
behavioral2/files/0x000700000002348a-57.dat
behavioral2/files/0x0007000000023488-60.dat
behavioral2/files/0x0007000000023489-68.dat
behavioral2/files/0x000700000002348b-72.dat
behavioral2/files/0x0007000000023486-44.dat
behavioral2/files/0x000700000002348c-77.dat
behavioral2/files/0x000700000002348f-101.dat
behavioral2/files/0x0007000000023490-109.dat
behavioral2/files/0x0007000000023491-113.dat
behavioral2/files/0x000700000002348e-111.dat
behavioral2/files/0x000700000002348d-81.dat
behavioral2/files/0x0007000000023492-117.dat
behavioral2/files/0x0008000000023495-130.dat
behavioral2/files/0x000500000001692d-128.dat
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
XMRig Miner payload 45 IoCs
resource (yara_rule: xmrig on every row)
behavioral2/memory/1404-20-0x00007FF630520000-0x00007FF630871000-memory.dmp
behavioral2/memory/1960-50-0x00007FF7C7BC0000-0x00007FF7C7F11000-memory.dmp
behavioral2/memory/1848-76-0x00007FF73DCC0000-0x00007FF73E011000-memory.dmp
behavioral2/memory/3576-88-0x00007FF6E5940000-0x00007FF6E5C91000-memory.dmp
behavioral2/memory/1232-104-0x00007FF7E84F0000-0x00007FF7E8841000-memory.dmp
behavioral2/memory/5072-107-0x00007FF6F4D00000-0x00007FF6F5051000-memory.dmp
behavioral2/memory/2752-87-0x00007FF70BDD0000-0x00007FF70C121000-memory.dmp
behavioral2/memory/4364-86-0x00007FF7FA860000-0x00007FF7FABB1000-memory.dmp
behavioral2/memory/2008-80-0x00007FF74B6C0000-0x00007FF74BA11000-memory.dmp
behavioral2/memory/116-123-0x00007FF710140000-0x00007FF710491000-memory.dmp
behavioral2/memory/3456-138-0x00007FF7A2DC0000-0x00007FF7A3111000-memory.dmp
behavioral2/memory/3040-135-0x00007FF6411E0000-0x00007FF641531000-memory.dmp
behavioral2/memory/2496-143-0x00007FF625320000-0x00007FF625671000-memory.dmp
behavioral2/memory/1172-145-0x00007FF6DEC20000-0x00007FF6DEF71000-memory.dmp
behavioral2/memory/5048-144-0x00007FF640720000-0x00007FF640A71000-memory.dmp
behavioral2/memory/380-142-0x00007FF6BA6D0000-0x00007FF6BAA21000-memory.dmp
behavioral2/memory/2680-149-0x00007FF7F81C0000-0x00007FF7F8511000-memory.dmp
behavioral2/memory/2620-148-0x00007FF744ED0000-0x00007FF745221000-memory.dmp
behavioral2/memory/3648-151-0x00007FF6116D0000-0x00007FF611A21000-memory.dmp
behavioral2/memory/3588-152-0x00007FF7A5DF0000-0x00007FF7A6141000-memory.dmp
behavioral2/memory/2008-153-0x00007FF74B6C0000-0x00007FF74BA11000-memory.dmp
behavioral2/memory/2284-158-0x00007FF7219D0000-0x00007FF721D21000-memory.dmp
behavioral2/memory/1416-159-0x00007FF78C320000-0x00007FF78C671000-memory.dmp
behavioral2/memory/2008-175-0x00007FF74B6C0000-0x00007FF74BA11000-memory.dmp
behavioral2/memory/2752-203-0x00007FF70BDD0000-0x00007FF70C121000-memory.dmp
behavioral2/memory/3576-205-0x00007FF6E5940000-0x00007FF6E5C91000-memory.dmp
behavioral2/memory/1404-207-0x00007FF630520000-0x00007FF630871000-memory.dmp
behavioral2/memory/116-209-0x00007FF710140000-0x00007FF710491000-memory.dmp
behavioral2/memory/5072-211-0x00007FF6F4D00000-0x00007FF6F5051000-memory.dmp
behavioral2/memory/1960-224-0x00007FF7C7BC0000-0x00007FF7C7F11000-memory.dmp
behavioral2/memory/3040-226-0x00007FF6411E0000-0x00007FF641531000-memory.dmp
behavioral2/memory/2496-236-0x00007FF625320000-0x00007FF625671000-memory.dmp
behavioral2/memory/5048-235-0x00007FF640720000-0x00007FF640A71000-memory.dmp
behavioral2/memory/380-233-0x00007FF6BA6D0000-0x00007FF6BAA21000-memory.dmp
behavioral2/memory/1172-231-0x00007FF6DEC20000-0x00007FF6DEF71000-memory.dmp
behavioral2/memory/1848-229-0x00007FF73DCC0000-0x00007FF73E011000-memory.dmp
behavioral2/memory/4364-242-0x00007FF7FA860000-0x00007FF7FABB1000-memory.dmp
behavioral2/memory/2620-244-0x00007FF744ED0000-0x00007FF745221000-memory.dmp
behavioral2/memory/1232-246-0x00007FF7E84F0000-0x00007FF7E8841000-memory.dmp
behavioral2/memory/2680-249-0x00007FF7F81C0000-0x00007FF7F8511000-memory.dmp
behavioral2/memory/3648-250-0x00007FF6116D0000-0x00007FF611A21000-memory.dmp
behavioral2/memory/3588-252-0x00007FF7A5DF0000-0x00007FF7A6141000-memory.dmp
behavioral2/memory/3456-260-0x00007FF7A2DC0000-0x00007FF7A3111000-memory.dmp
behavioral2/memory/2284-259-0x00007FF7219D0000-0x00007FF721D21000-memory.dmp
behavioral2/memory/1416-262-0x00007FF78C320000-0x00007FF78C671000-memory.dmp
-
Executes dropped EXE 21 IoCs
pid  Process
2752  ZFbFNrl.exe
3576  jXFIDzq.exe
1404  DkZEdNl.exe
116  GtXpmaL.exe
5072  ImQywtv.exe
3040  VisaCuv.exe
1960  DPrTxtD.exe
2496  QhhBMzn.exe
380  Zxelqwc.exe
5048  fFuMtzc.exe
1172  UMwZQxG.exe
1848  hequdPE.exe
4364  XMngTdt.exe
2620  iWLkdOJ.exe
1232  MJIBtWh.exe
3648  xVDUbGI.exe
2680  RwpkHIl.exe
3588  lckuBDC.exe
2284  kxYOpSR.exe
1416  fSbfqpv.exe
3456  gvRdjoO.exe
-
resource (yara_rule: upx on every row)
behavioral2/memory/2008-0-0x00007FF74B6C0000-0x00007FF74BA11000-memory.dmp
behavioral2/files/0x000a00000002343d-4.dat
behavioral2/memory/2752-7-0x00007FF70BDD0000-0x00007FF70C121000-memory.dmp
behavioral2/files/0x0007000000023483-11.dat
behavioral2/memory/3576-19-0x00007FF6E5940000-0x00007FF6E5C91000-memory.dmp
behavioral2/memory/1404-20-0x00007FF630520000-0x00007FF630871000-memory.dmp
behavioral2/files/0x0008000000023482-12.dat
behavioral2/files/0x0007000000023484-23.dat
behavioral2/files/0x0007000000023485-26.dat
behavioral2/files/0x0008000000023480-40.dat
behavioral2/files/0x0007000000023487-52.dat
behavioral2/files/0x000700000002348a-57.dat
behavioral2/files/0x0007000000023488-60.dat
behavioral2/files/0x0007000000023489-68.dat
behavioral2/files/0x000700000002348b-72.dat
behavioral2/memory/1172-66-0x00007FF6DEC20000-0x00007FF6DEF71000-memory.dmp
behavioral2/memory/5048-58-0x00007FF640720000-0x00007FF640A71000-memory.dmp
behavioral2/memory/2496-59-0x00007FF625320000-0x00007FF625671000-memory.dmp
behavioral2/memory/380-56-0x00007FF6BA6D0000-0x00007FF6BAA21000-memory.dmp
behavioral2/memory/1960-50-0x00007FF7C7BC0000-0x00007FF7C7F11000-memory.dmp
behavioral2/memory/3040-46-0x00007FF6411E0000-0x00007FF641531000-memory.dmp
behavioral2/files/0x0007000000023486-44.dat
behavioral2/memory/5072-38-0x00007FF6F4D00000-0x00007FF6F5051000-memory.dmp
behavioral2/memory/116-31-0x00007FF710140000-0x00007FF710491000-memory.dmp
behavioral2/files/0x000700000002348c-77.dat
behavioral2/memory/1848-76-0x00007FF73DCC0000-0x00007FF73E011000-memory.dmp
behavioral2/memory/3576-88-0x00007FF6E5940000-0x00007FF6E5C91000-memory.dmp
behavioral2/files/0x000700000002348f-101.dat
behavioral2/memory/1232-104-0x00007FF7E84F0000-0x00007FF7E8841000-memory.dmp
behavioral2/memory/2680-106-0x00007FF7F81C0000-0x00007FF7F8511000-memory.dmp
behavioral2/files/0x0007000000023490-109.dat
behavioral2/files/0x0007000000023491-113.dat
behavioral2/files/0x000700000002348e-111.dat
behavioral2/memory/3588-108-0x00007FF7A5DF0000-0x00007FF7A6141000-memory.dmp
behavioral2/memory/5072-107-0x00007FF6F4D00000-0x00007FF6F5051000-memory.dmp
behavioral2/memory/3648-105-0x00007FF6116D0000-0x00007FF611A21000-memory.dmp
behavioral2/memory/2620-95-0x00007FF744ED0000-0x00007FF745221000-memory.dmp
behavioral2/memory/2752-87-0x00007FF70BDD0000-0x00007FF70C121000-memory.dmp
behavioral2/memory/4364-86-0x00007FF7FA860000-0x00007FF7FABB1000-memory.dmp
behavioral2/files/0x000700000002348d-81.dat
behavioral2/memory/2008-80-0x00007FF74B6C0000-0x00007FF74BA11000-memory.dmp
behavioral2/files/0x0007000000023492-117.dat
behavioral2/memory/116-123-0x00007FF710140000-0x00007FF710491000-memory.dmp
behavioral2/memory/2284-127-0x00007FF7219D0000-0x00007FF721D21000-memory.dmp
behavioral2/files/0x0008000000023495-130.dat
behavioral2/files/0x000500000001692d-128.dat
behavioral2/memory/1416-136-0x00007FF78C320000-0x00007FF78C671000-memory.dmp
behavioral2/memory/3456-138-0x00007FF7A2DC0000-0x00007FF7A3111000-memory.dmp
behavioral2/memory/3040-135-0x00007FF6411E0000-0x00007FF641531000-memory.dmp
behavioral2/memory/2496-143-0x00007FF625320000-0x00007FF625671000-memory.dmp
behavioral2/memory/1172-145-0x00007FF6DEC20000-0x00007FF6DEF71000-memory.dmp
behavioral2/memory/5048-144-0x00007FF640720000-0x00007FF640A71000-memory.dmp
behavioral2/memory/380-142-0x00007FF6BA6D0000-0x00007FF6BAA21000-memory.dmp
behavioral2/memory/2680-149-0x00007FF7F81C0000-0x00007FF7F8511000-memory.dmp
behavioral2/memory/2620-148-0x00007FF744ED0000-0x00007FF745221000-memory.dmp
behavioral2/memory/3648-151-0x00007FF6116D0000-0x00007FF611A21000-memory.dmp
behavioral2/memory/3588-152-0x00007FF7A5DF0000-0x00007FF7A6141000-memory.dmp
behavioral2/memory/2008-153-0x00007FF74B6C0000-0x00007FF74BA11000-memory.dmp
behavioral2/memory/2284-158-0x00007FF7219D0000-0x00007FF721D21000-memory.dmp
behavioral2/memory/1416-159-0x00007FF78C320000-0x00007FF78C671000-memory.dmp
behavioral2/memory/2008-175-0x00007FF74B6C0000-0x00007FF74BA11000-memory.dmp
behavioral2/memory/2752-203-0x00007FF70BDD0000-0x00007FF70C121000-memory.dmp
behavioral2/memory/3576-205-0x00007FF6E5940000-0x00007FF6E5C91000-memory.dmp
behavioral2/memory/1404-207-0x00007FF630520000-0x00007FF630871000-memory.dmp
-
Drops file in Windows directory 21 IoCs
description  ioc  (Process: 2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe on every row)
File created  C:\Windows\System\GtXpmaL.exe
File created  C:\Windows\System\VisaCuv.exe
File created  C:\Windows\System\QhhBMzn.exe
File created  C:\Windows\System\RwpkHIl.exe
File created  C:\Windows\System\gvRdjoO.exe
File created  C:\Windows\System\jXFIDzq.exe
File created  C:\Windows\System\DkZEdNl.exe
File created  C:\Windows\System\hequdPE.exe
File created  C:\Windows\System\XMngTdt.exe
File created  C:\Windows\System\iWLkdOJ.exe
File created  C:\Windows\System\xVDUbGI.exe
File created  C:\Windows\System\Zxelqwc.exe
File created  C:\Windows\System\fFuMtzc.exe
File created  C:\Windows\System\DPrTxtD.exe
File created  C:\Windows\System\UMwZQxG.exe
File created  C:\Windows\System\MJIBtWh.exe
File created  C:\Windows\System\lckuBDC.exe
File created  C:\Windows\System\kxYOpSR.exe
File created  C:\Windows\System\fSbfqpv.exe
File created  C:\Windows\System\ZFbFNrl.exe
File created  C:\Windows\System\ImQywtv.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description  pid  Process
Token: SeLockMemoryPrivilege  2008  2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege  2008  2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe
-
Suspicious use of WriteProcessMemory 42 IoCs
description  procid_target  (pid: 2008 and Process: 2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe on every row)
PID 2008 wrote to memory of 2752  84
PID 2008 wrote to memory of 2752  84
PID 2008 wrote to memory of 3576  86
PID 2008 wrote to memory of 3576  86
PID 2008 wrote to memory of 1404  87
PID 2008 wrote to memory of 1404  87
PID 2008 wrote to memory of 116  88
PID 2008 wrote to memory of 116  88
PID 2008 wrote to memory of 5072  90
PID 2008 wrote to memory of 5072  90
PID 2008 wrote to memory of 3040  91
PID 2008 wrote to memory of 3040  91
PID 2008 wrote to memory of 1960  92
PID 2008 wrote to memory of 1960  92
PID 2008 wrote to memory of 380  93
PID 2008 wrote to memory of 380  93
PID 2008 wrote to memory of 2496  94
PID 2008 wrote to memory of 2496  94
PID 2008 wrote to memory of 5048  95
PID 2008 wrote to memory of 5048  95
PID 2008 wrote to memory of 1172  96
PID 2008 wrote to memory of 1172  96
PID 2008 wrote to memory of 1848  97
PID 2008 wrote to memory of 1848  97
PID 2008 wrote to memory of 4364  98
PID 2008 wrote to memory of 4364  98
PID 2008 wrote to memory of 2620  100
PID 2008 wrote to memory of 2620  100
PID 2008 wrote to memory of 2680  101
PID 2008 wrote to memory of 2680  101
PID 2008 wrote to memory of 1232  102
PID 2008 wrote to memory of 1232  102
PID 2008 wrote to memory of 3648  103
PID 2008 wrote to memory of 3648  103
PID 2008 wrote to memory of 3588  104
PID 2008 wrote to memory of 3588  104
PID 2008 wrote to memory of 2284  105
PID 2008 wrote to memory of 2284  105
PID 2008 wrote to memory of 1416  106
PID 2008 wrote to memory of 1416  106
PID 2008 wrote to memory of 3456  107
PID 2008 wrote to memory of 3456  107
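The signature tables above attribute three behaviours to PID 2008: it writes 21 executables with random seven-letter names into C:\Windows\System (the legacy directory next to System32, which legitimate software rarely writes to), it enables SeLockMemoryPrivilege (XMRig requests this right to back RandomX with large pages), and it writes into the memory of every child it starts. The following is an added hunting example, not part of the sandbox report, that encodes those three checks and runs them over constructed, simplified event records modelled on the report's rows (the record format, the sqlservr.exe allowlist entry and the benign noise events are assumptions for illustration, not real Sysmon or EVTX output). SQL Server's "lock pages in memory" setting is the usual legitimate user of SeLockMemoryPrivilege, so it is allowlisted by image name; tune that list per estate.

```python
from collections import defaultdict

# Constructed, simplified event records modelled on the signature rows above
# (not real Sysmon/EVTX output). Every event names the acting pid and image.
PARENT = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe")
# The first five children from the "Executes dropped EXE" table above.
CHILDREN = [(2752, "ZFbFNrl.exe"), (3576, "jXFIDzq.exe"), (1404, "DkZEdNl.exe"),
            (116, "GtXpmaL.exe"), (5072, "ImQywtv.exe")]
LEGACY_SYSTEM_DIR = r"c:\windows\system"    # the legacy directory, not System32
LOCK_PAGES_ALLOWLIST = {"sqlservr.exe"}     # "lock pages in memory" is normal for SQL Server


def build_sample_events():
    events = [{"kind": "priv_enable", "pid": 2008, "image": PARENT, "priv": "SeLockMemoryPrivilege"}]
    for cpid, name in CHILDREN:
        path = r"C:\Windows\System" + "\\" + name
        events += [{"kind": "file_create", "pid": 2008, "image": PARENT, "path": path},
                   {"kind": "proc_start", "pid": 2008, "image": PARENT, "child": cpid, "child_image": path},
                   {"kind": "proc_write", "pid": 2008, "image": PARENT, "target": cpid}]
    # Constructed benign noise: SQL Server locking pages, an installer writing under System32.
    events += [{"kind": "priv_enable", "pid": 1500, "priv": "SeLockMemoryPrivilege",
                "image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"},
               {"kind": "file_create", "pid": 900, "image": r"C:\Windows\System32\msiexec.exe",
                "path": r"C:\Windows\System32\drivers\example.sys"}]
    return events


def exe_dropped_in_legacy_system_dir(ev):
    """An .exe written directly into the legacy System directory (not System32)."""
    if ev["kind"] != "file_create":
        return False
    p = ev["path"].lower()
    return p.endswith(".exe") and p.rsplit("\\", 1)[0] == LEGACY_SYSTEM_DIR


def unexpected_lock_memory_privilege(ev):
    """SeLockMemoryPrivilege enabled by any image outside the allowlist."""
    return (ev["kind"] == "priv_enable" and ev["priv"] == "SeLockMemoryPrivilege"
            and ev["image"].rsplit("\\", 1)[-1].lower() not in LOCK_PAGES_ALLOWLIST)


def spawn_and_inject_clusters(events, min_children=5):
    """Parents with >= min_children children whose images they wrote to disk
    and whose memory they then wrote into: the drop/spawn/inject pattern."""
    created, started, written = defaultdict(set), defaultdict(dict), defaultdict(set)
    for ev in events:
        if ev["kind"] == "file_create":
            created[ev["pid"]].add(ev["path"].lower())
        elif ev["kind"] == "proc_start":
            started[ev["pid"]][ev["child"]] = ev["child_image"].lower()
        elif ev["kind"] == "proc_write":
            written[ev["pid"]].add(ev["target"])
    hits = {}
    for parent, kids in started.items():
        full = sorted(c for c, img in kids.items() if img in created[parent] and c in written[parent])
        if len(full) >= min_children:
            hits[parent] = full
    return hits


def hunt(events):
    """Run the three checks; returns (rule, pid, detail) tuples."""
    findings = []
    for ev in events:
        if exe_dropped_in_legacy_system_dir(ev):
            findings.append(("exe_in_legacy_system_dir", ev["pid"], ev["path"]))
        if unexpected_lock_memory_privilege(ev):
            findings.append(("lock_memory_privilege", ev["pid"], ev["image"]))
    for parent, kids in spawn_and_inject_clusters(events).items():
        findings.append(("drop_spawn_inject_cluster", parent, "%d children" % len(kids)))
    return findings


if __name__ == "__main__":
    for finding in hunt(build_sample_events()):
        print(*finding)
```

The directory check compares the parent directory exactly rather than using a prefix, because a prefix of "C:\Windows\System" would also match everything under System32. The cluster rule is the one that survives renaming: the 21 dropped files here have distinct hashes and random names, but the drop-then-start-then-write sequence from one parent is stable.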
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe  (PID 2008)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  children of PID 2008 (each started with its own image path as the command line; each flagged "Executes dropped EXE"):
    C:\Windows\System\ZFbFNrl.exe  (PID 2752)
    C:\Windows\System\jXFIDzq.exe  (PID 3576)
    C:\Windows\System\DkZEdNl.exe  (PID 1404)
    C:\Windows\System\GtXpmaL.exe  (PID 116)
    C:\Windows\System\ImQywtv.exe  (PID 5072)
    C:\Windows\System\VisaCuv.exe  (PID 3040)
    C:\Windows\System\DPrTxtD.exe  (PID 1960)
    C:\Windows\System\Zxelqwc.exe  (PID 380)
    C:\Windows\System\QhhBMzn.exe  (PID 2496)
    C:\Windows\System\fFuMtzc.exe  (PID 5048)
    C:\Windows\System\UMwZQxG.exe  (PID 1172)
    C:\Windows\System\hequdPE.exe  (PID 1848)
    C:\Windows\System\XMngTdt.exe  (PID 4364)
    C:\Windows\System\iWLkdOJ.exe  (PID 2620)
    C:\Windows\System\RwpkHIl.exe  (PID 2680)
    C:\Windows\System\MJIBtWh.exe  (PID 1232)
    C:\Windows\System\xVDUbGI.exe  (PID 3648)
    C:\Windows\System\lckuBDC.exe  (PID 3588)
    C:\Windows\System\kxYOpSR.exe  (PID 2284)
    C:\Windows\System\fSbfqpv.exe  (PID 1416)
    C:\Windows\System\gvRdjoO.exe  (PID 3456)
Downloads
-
Filesize 5.2MB
MD5 6d0941990005e8c64a31ad8620deda23
SHA1 7b981ede1daff462084e0214fcda617177d31964
SHA256 18ce9427726240370e338b4c45ebb33a10ce665d7e26ecd6c6c5b1a15343d9c5
SHA512 d02ddaa1d343ef825060cc9affbcf4f5ef662977a70176f543a08047e1f6868524e813bf8742465c8ea3e7b91065e520e3518679caa561cd7e6504ed54cc3925
-
Filesize 5.2MB
MD5 73f0047721e0be9a36849fae85e039d9
SHA1 3fe0e0c9511b8288c1ff5f77aacd3402c3977e43
SHA256 7846d056ed6e1e8d7c671afb3a45ec23dbf0d629f5f031914e5a92d8c32bc5ba
SHA512 d6c5e98b35c832d59c460f735371dc9b220d2d6ac196c64d166171a591dd3522cfc5914e4054f40a7c9f7d3b6d092e239206fa9ebb2970be3a143598d4620791
-
Filesize 5.2MB
MD5 1639eb65276d348242ef8fee0e2a3b95
SHA1 c4368aeda51da192dd1ea0915f94baed85437d30
SHA256 ee33b86605addf9dedf913418af20de9a42581ac73127952db72512b070d632b
SHA512 c257c8661ca91f332d0faf0849496df03750921a751fb3d2c3af2b90cc17fe0cd8c30c47a328ca19d6b45a32dacf01e7ce7be6876b6e82568222ed610657818f
-
Filesize 5.2MB
MD5 8749afb3ea2cb91bc797d60f0cb77aa9
SHA1 495ac99c37986c3939ae0fa7aa11e00ce8dc6d4d
SHA256 3c03b05cef5e2e467bbbb34b879c75f0bb5c22aec09a7d63111de09cc6379213
SHA512 1f339befc66bad599656f572d639a8220f9265cb11b9f1b34735e12e447342c02315ac4ad3cff3908c64048cd26bdef7da3cf91f59ad31f2cf831df46bb5b976
-
Filesize 5.2MB
MD5 19c4cc5735b1810bd9519d28f3d03dd9
SHA1 cb1193971ef414f7bad9985e8d4a252f91be3db0
SHA256 8c340ffd6487640f3fd6bb4cdcd2b8b2e70d4a21faeb2ecbd4caceddccdefc25
SHA512 fcd56c2f0ffbe39e5e7872325a0ff1be7d50308678e8967b226605115e06438fa12f38a24e78836af47363cdfbe44a82ee4c2e5058010070fe88ac1f5630561d
-
Filesize 5.2MB
MD5 69a4d4d426608f627b37b076dceff9f9
SHA1 65ffb49f6fb8422d9c7f1abf9190b5c8c126c83c
SHA256 ea82641be57f1810a0fe5f90f74749bbf864998162a3c82e2def63f3ed0cdfae
SHA512 cac9d79f64995409283af54177ae387da887ad0c777551195df8a8ad58b703b3715e0cb7b070712b56f0bdff5abcf52c63b576fe1d4ea47bf5d8924cc726b921
-
Filesize 5.2MB
MD5 b5803e9c79e1e77cd95193f8abb500fd
SHA1 e0fe3c83f8dc572fb45350a9193d602df6da4a6a
SHA256 0516409a63464f86280c56e43262bdbfa97ccd0e33a21842f8223e9c87e75960
SHA512 33b379ccc431e51f16acd6280ae42f59eac9824bc2bdf9d1c989f0a7f49d376d16f040af38691c672f89e37b987223cf918fade2e821ddc28f9b8c2e8584246f
-
Filesize 5.2MB
MD5 1c5f921255913e606bf38f2cd2f6da58
SHA1 67bbb749c48c66c76301db64a3edc81bd92fd3df
SHA256 73be29e6e0ff28dbfcb54b6cabe99db2bd9af2e2103dd4983c49fc99ba183167
SHA512 babb52c36d603c5fa7a1a2f214419108cdc9ca7051926a363f4f767bb14d40f5baaeb59bf4e4fb272b61776dc4e88cb75e3be319c58fd1c574d8f43692b06008
-
Filesize 5.2MB
MD5 d04f2edd39c43fde6492386eefaa38c8
SHA1 95ac8aa19fddd1c9d81519322f93a409a36a6473
SHA256 7be557e728350f78ac8885eb899bf0c14f498fd19a169c90735541ce4cc58427
SHA512 307f2417209daee873979428c26e8a16e470b84726235732b6c36ef56306ec09df3a50986356281662bf193ac48a35dc10d49e7a9ae0aa766f2207933851a1b7
-
Filesize 5.2MB
MD5 d3eda531576c79d599d7d2700f3dabcc
SHA1 04f90fc2eb785d32df275b94ab58cf4b58f6d708
SHA256 19ba6b6d4599d1cdbf58643a4957eaa50d2acace4a33247913376d54cd5b56d9
SHA512 19cc61e1aea3da15e42b4b4b95fee3a42063e53170db35a8ec64d6815f9546b4e709f2546cc8c892bceae20980e10e2d1afe96f6e32e524669b445ef1286f1ea
-
Filesize 5.2MB
MD5 4d193580b617c1de6ba11b4a0eaa7600
SHA1 5c7bbef2d295557284ac8f66d5f3d89a0ee7652a
SHA256 60a2149ea81d502e5c2a6df2f40ec68d6fb7b42bab75f463bcada2d345d5f344
SHA512 0eebf8491fe4882b42ea2a90fc2eb5d5967a100535ae6f7f9c0b3d1efc7ae05a2e5694373b2c6499d973499ed9f67050a816b1c123cc55ba7f565dada7be282a
-
Filesize 5.2MB
MD5 2921b808845b4ee9938f96927e7dc62a
SHA1 d5de6a867935c5dcfcf82d360efa380eb579f2d9
SHA256 cd304366d95802c52e527b35c4613a941c83c9bd1631d1fe4c1d09148e9af3dc
SHA512 7a6fabd05b1fa4a370781fcd05d4103eda75efc90021da64b3c131781136e7d5ea10cc66da77db5fff310bb2974848da26767498c497b85c728f3062fb9c177b
-
Filesize 5.2MB
MD5 015e1f1c478c927a7ecc93e1a3a6fc8e
SHA1 3358cba6ea64a6d8f2850b42da23fa787530c4d0
SHA256 609c31cd4d0209369066619ca44b29761090f9701718a61a2f05c19007c4d4c5
SHA512 15e1afed3dcb717e7d4282b0daa4e095945c44289276ae216c765b997ef64b2580625e5eb865acee861d6cea6955cc877ca2d4614dd414ae2a974e1e8ad1474e
-
Filesize 5.2MB
MD5 06d761d6f637513a15223d31f02b53d3
SHA1 0b755cff50f4feaaab82641a227a1848fd407931
SHA256 692c3e00cee9b42cea9f52fc846e641d8af7c93020badd521849ea8bab69f7f8
SHA512 5c5f3a0973b31a7e07235941018a1443be48451709907d632d3885114f26dc42899ac8080b396a555f1b53c81d5f895d7050ccdc3ab5098271d5fd4cf8223b89
-
Filesize 5.2MB
MD5 31deb27eff3bf54ed665142c13ead7ff
SHA1 9c9715e162b19db70e8268c33d4be66e7f47047d
SHA256 36da9bad3e9f2dd6fe2e0972bd95bed9540a52b57ff778fb74611035f7fe410d
SHA512 0163887544f8b4d76a9f13aa6187e3e302f511bdd8ac57e265f69137cc019731e5ca036fe7251c78eb45ed8562876222a9e110534cb6891aa4e2746f74c546b1
-
Filesize 5.2MB
MD5 9d0175ebd669b70f6eae311b8d16021d
SHA1 77b0b976a2d8609a2791f8a1aee9c13ef0824dc1
SHA256 61d6d663482b3d86e53976a1d081bad717d16a511742c3c9906d0799329d324a
SHA512 b154f4bc9525e8a525dc3d7aa72cd828f5b0840802fece11a47b8bc397644a1df3d61aeb2da31eb5603ee9d921f66d95c993df7d1f82c8e004b87603acc540e4
-
Filesize 5.2MB
MD5 2b5ba4cec4d8181dec77af1f41496736
SHA1 8aa2b5d9b36a6500dc4f25f43ec2e0cf5a0aeb76
SHA256 69fc56de00a44cd3d8c58e924d5687a7dd8258bf93f2c378585f61a083e526b8
SHA512 95f518a081d5d1e44cd9832852055572915035e2334d4bbd866266f3ac21806b97566e5a49efb9a144eefd80df892957f71981a45112852864b9fd86085df8f3
-
Filesize 5.2MB
MD5 4020b7920e6009f7c29f838ac2b2c246
SHA1 63b2ff9881bff23fb55debb6d022f1634066ace9
SHA256 db1beff56ea84827d84a2419f2c588e208084a1b62857e5eba72104cc6c52048
SHA512 3524aae439ef5e4fe0b13446aec3ec4fbe5f38676ac4f57898f09084fa6217d5d11b5b23e3f9a7faed31954b0ad80ab59e22647bec925693d0d6c499b01671e2
-
Filesize 5.2MB
MD5 c02b04321826a3eeb7e7f48a7fc37582
SHA1 125f12e98a27e0b64a6efa9710dabcc55a86c818
SHA256 43b5d3657ab4fbc90650afcd77ea978ab1c99093ece772a79d37589d4b38682d
SHA512 aa9c1543e4f68643870fa788c6083df5889592c54cc60bb240010a694b92c80c0be855604159c7988ef99924bbf9978c2baeeb0088ac5fb3420ccfd1a9b8be0a
-
Filesize 5.2MB
MD5 e2a1f04c6a0136452da90f738f591a82
SHA1 433811576548d9cf19b702ea7358713f5a2710cf
SHA256 0d7cee4f161bb97714ca5b764fc016e2df63e12a2d39bf581ad7ebc4cd2e0712
SHA512 97ab06f9108f69ccb4384ccb819989a800bf23432c057ac215eee7ef252000cfb6cfe5e541f0e01c7ba0f633817e8d08651cdd9816f7b28e1dda39deb7aca9a5
-
Filesize 5.2MB
MD5 2dbf276a0d06a88b7f88d9ef8fe846b6
SHA1 25b89236f64cfbc307131fec2d674b948daa49ae
SHA256 46c05c5a77619af4689ddef84e4fba1bdd005088d60ec44be463013eb0d89e4e
SHA512 b575d6b6614f06ca65f95ef8dca6caae6e2d81b77ba0921ce63bce050a94a4c828e433367563dcc3f83bfb9d2f46ec168e635fabfb68d02137d93b3f78bd231c