Analysis
max time kernel: 138s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-08-2024 20:42
Behavioral task: behavioral1
Sample: 2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe
Resource: win7-20240704-en
General
Target: 2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe
Size: 5.9MB
MD5: 01c56173cdbdfe59ff4416ecdcd81065
SHA1: 3d38185cec191d4d1bf956a012a7293d5e0759ec
SHA256: 237ac774ed9765035e75e8b788c8240891a0207f40f435d21f7300544c6d2eeb
SHA512: dc93d36d19b7f53aa7c945a868274fa823c003fd8007ba5d57f70d3479dff954b0424c0fff1e84bc8ded7a9a8b55aa83e530709778436b552014f4283b40e93b
SSDEEP: 98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUZ:T+856utgpPF8u/7Z
Malware Config
Extracted
cobaltstrike
0
C2 URLs:
- http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2:
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
Signatures
-
Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
XMRig Miner payload 64 IoCs
Executes dropped EXE 21 IoCs
pid / Process: 2596 AFFJgWG.exe; 4400 NAjEhGp.exe; 1376 FrgxtFn.exe; 2480 THBlTRN.exe; 3276 mvOBSnn.exe; 1616 pAZLPWm.exe; 3736 fNnVRde.exe; 3688 IbYVoDZ.exe; 1160 WNUqMAW.exe; 952 mcnoWTv.exe; 2540 LKTdldf.exe; 4916 koPWKDN.exe; 3356 utChYOc.exe; 1724 QzarDqv.exe; 4664 AzRHMSx.exe; 456 jkZZWgY.exe; 4068 mVBFHwy.exe; 2372 UuEHRiP.exe; 1524 GNhEzGO.exe; 2700 VuSmMnX.exe; 4136 bbYdIsc.exe
yara_rule upx (64 IoCs): the same 64 file and memory resources that matched the XMRig Miner payload rule also match the upx rule.
Drops file in Windows directory 21 IoCs
File created by 2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe (21 files, all under C:\Windows\System\):
- C:\Windows\System\koPWKDN.exe
- C:\Windows\System\QzarDqv.exe
- C:\Windows\System\AzRHMSx.exe
- C:\Windows\System\GNhEzGO.exe
- C:\Windows\System\VuSmMnX.exe
- C:\Windows\System\AFFJgWG.exe
- C:\Windows\System\NAjEhGp.exe
- C:\Windows\System\FrgxtFn.exe
- C:\Windows\System\THBlTRN.exe
- C:\Windows\System\mcnoWTv.exe
- C:\Windows\System\WNUqMAW.exe
- C:\Windows\System\IbYVoDZ.exe
- C:\Windows\System\utChYOc.exe
- C:\Windows\System\mVBFHwy.exe
- C:\Windows\System\UuEHRiP.exe
- C:\Windows\System\mvOBSnn.exe
- C:\Windows\System\pAZLPWm.exe
- C:\Windows\System\fNnVRde.exe
- C:\Windows\System\LKTdldf.exe
- C:\Windows\System\jkZZWgY.exe
- C:\Windows\System\bbYdIsc.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Token: SeLockMemoryPrivilege, PID 4176, 2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe (the same entry is recorded twice)
Suspicious use of WriteProcessMemory 42 IoCs
PID 4176 (2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe) wrote to the memory of each of the 21 target processes below; every target appears twice in the table, giving 42 entries. Target PID (procid_target): 2596 (85), 4400 (86), 1376 (88), 2480 (89), 3276 (90), 1616 (91), 3736 (92), 3688 (93), 952 (94), 1160 (95), 2540 (96), 4916 (97), 3356 (98), 1724 (100), 4664 (101), 456 (102), 4068 (103), 2372 (104), 1524 (105), 2700 (106), 4136 (107)
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe (PID 4176)
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe"
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
Depth 2 (children of PID 4176, each flagged "Executes dropped EXE"):
- C:\Windows\System\AFFJgWG.exe (PID 2596)
- C:\Windows\System\NAjEhGp.exe (PID 4400)
- C:\Windows\System\FrgxtFn.exe (PID 1376)
- C:\Windows\System\THBlTRN.exe (PID 2480)
- C:\Windows\System\mvOBSnn.exe (PID 3276)
- C:\Windows\System\pAZLPWm.exe (PID 1616)
- C:\Windows\System\fNnVRde.exe (PID 3736)
- C:\Windows\System\IbYVoDZ.exe (PID 3688)
- C:\Windows\System\mcnoWTv.exe (PID 952)
- C:\Windows\System\WNUqMAW.exe (PID 1160)
- C:\Windows\System\LKTdldf.exe (PID 2540)
- C:\Windows\System\koPWKDN.exe (PID 4916)
- C:\Windows\System\utChYOc.exe (PID 3356)
- C:\Windows\System\QzarDqv.exe (PID 1724)
- C:\Windows\System\AzRHMSx.exe (PID 4664)
- C:\Windows\System\jkZZWgY.exe (PID 456)
- C:\Windows\System\mVBFHwy.exe (PID 4068)
- C:\Windows\System\UuEHRiP.exe (PID 2372)
- C:\Windows\System\GNhEzGO.exe (PID 1524)
- C:\Windows\System\VuSmMnX.exe (PID 2700)
- C:\Windows\System\bbYdIsc.exe (PID 4136)
Downloads