Analysis
max time kernel: 140s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 07-08-2024 20:43

Behavioral task: behavioral1
Sample: 2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe
Resource: win7-20240705-en
General
Target: 2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe
Size: 5.9MB
MD5: 3b8afb3ebab0e9c3dae938153cfe0de0
SHA1: 4d6a9b112b74d0e87f7c455c0b745fd215de7e8c
SHA256: f6ead074c05299d334deca323435b92987862f1efef747ab2011a9277ccf3545
SHA512: 261154d5c738aadc0f3e5777b5559973660bba90bd95bf5dce027dfa6bfbe7db9c48685b0649175b18373ec22675523a53ecf9ee2c6d10b5c61a3660ba02c26e
SSDEEP: 98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUR:T+856utgpPF8u/7R
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
Signatures

Cobalt Strike reflective loader (21 IoCs)
Detects the reflective loader used by Cobalt Strike.
resource  yara_rule
behavioral2/files/0x0008000000023452-5.dat  cobalt_reflective_dll
behavioral2/files/0x0008000000023458-10.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023459-12.dat  cobalt_reflective_dll
behavioral2/files/0x000700000002345a-24.dat  cobalt_reflective_dll
behavioral2/files/0x000700000002345b-29.dat  cobalt_reflective_dll
behavioral2/files/0x0008000000023456-34.dat  cobalt_reflective_dll
behavioral2/files/0x000700000002345c-40.dat  cobalt_reflective_dll
behavioral2/files/0x000700000002345d-48.dat  cobalt_reflective_dll
behavioral2/files/0x000700000002345e-54.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023460-66.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023461-71.dat  cobalt_reflective_dll
behavioral2/files/0x000700000002345f-59.dat  cobalt_reflective_dll
behavioral2/files/0x000400000001da3a-80.dat  cobalt_reflective_dll
behavioral2/files/0x0008000000023464-87.dat  cobalt_reflective_dll
behavioral2/files/0x0009000000023465-91.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023467-103.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023468-112.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023466-102.dat  cobalt_reflective_dll
behavioral2/files/0x000700000002346a-123.dat  cobalt_reflective_dll
behavioral2/files/0x000700000002346b-128.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023469-119.dat  cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.

XMRig Miner payload (64 IoCs)
resource  yara_rule
behavioral2/memory/3252-0-0x00007FF682390000-0x00007FF6826E4000-memory.dmp  xmrig
behavioral2/files/0x0008000000023452-5.dat  xmrig
behavioral2/files/0x0008000000023458-10.dat  xmrig
behavioral2/files/0x0007000000023459-12.dat  xmrig
behavioral2/memory/2476-14-0x00007FF7237A0000-0x00007FF723AF4000-memory.dmp  xmrig
behavioral2/files/0x000700000002345a-24.dat  xmrig
behavioral2/memory/1800-26-0x00007FF66AE20000-0x00007FF66B174000-memory.dmp  xmrig
behavioral2/memory/2196-22-0x00007FF79B370000-0x00007FF79B6C4000-memory.dmp  xmrig
behavioral2/memory/4716-7-0x00007FF6A10D0000-0x00007FF6A1424000-memory.dmp  xmrig
behavioral2/files/0x000700000002345b-29.dat  xmrig
behavioral2/memory/2492-32-0x00007FF6D9570000-0x00007FF6D98C4000-memory.dmp  xmrig
behavioral2/files/0x0008000000023456-34.dat  xmrig
behavioral2/memory/3092-36-0x00007FF660F30000-0x00007FF661284000-memory.dmp  xmrig
behavioral2/files/0x000700000002345c-40.dat  xmrig
behavioral2/memory/220-43-0x00007FF757FA0000-0x00007FF7582F4000-memory.dmp  xmrig
behavioral2/files/0x000700000002345d-48.dat  xmrig
behavioral2/files/0x000700000002345e-54.dat  xmrig
behavioral2/memory/388-50-0x00007FF708010000-0x00007FF708364000-memory.dmp  xmrig
behavioral2/memory/3252-61-0x00007FF682390000-0x00007FF6826E4000-memory.dmp  xmrig
behavioral2/memory/2184-62-0x00007FF692620000-0x00007FF692974000-memory.dmp  xmrig
behavioral2/files/0x0007000000023460-66.dat  xmrig
behavioral2/files/0x0007000000023461-71.dat  xmrig
behavioral2/memory/4980-73-0x00007FF713A10000-0x00007FF713D64000-memory.dmp  xmrig
behavioral2/memory/3724-74-0x00007FF685C80000-0x00007FF685FD4000-memory.dmp  xmrig
behavioral2/memory/4716-72-0x00007FF6A10D0000-0x00007FF6A1424000-memory.dmp  xmrig
behavioral2/files/0x000700000002345f-59.dat  xmrig
behavioral2/memory/3744-57-0x00007FF770A20000-0x00007FF770D74000-memory.dmp  xmrig
behavioral2/files/0x000400000001da3a-80.dat  xmrig
behavioral2/files/0x0008000000023464-87.dat  xmrig
behavioral2/files/0x0009000000023465-91.dat  xmrig
behavioral2/memory/4504-94-0x00007FF6F6C60000-0x00007FF6F6FB4000-memory.dmp  xmrig
behavioral2/memory/1172-98-0x00007FF74AF50000-0x00007FF74B2A4000-memory.dmp  xmrig
behavioral2/files/0x0007000000023467-103.dat  xmrig
behavioral2/files/0x0007000000023468-112.dat  xmrig
behavioral2/memory/1112-107-0x00007FF7663E0000-0x00007FF766734000-memory.dmp  xmrig
behavioral2/memory/3092-105-0x00007FF660F30000-0x00007FF661284000-memory.dmp  xmrig
behavioral2/files/0x0007000000023466-102.dat  xmrig
behavioral2/memory/684-93-0x00007FF7A6F90000-0x00007FF7A72E4000-memory.dmp  xmrig
behavioral2/memory/4460-85-0x00007FF71F8A0000-0x00007FF71FBF4000-memory.dmp  xmrig
behavioral2/memory/2476-82-0x00007FF7237A0000-0x00007FF723AF4000-memory.dmp  xmrig
behavioral2/memory/4008-116-0x00007FF628490000-0x00007FF6287E4000-memory.dmp  xmrig
behavioral2/files/0x000700000002346a-123.dat  xmrig
behavioral2/files/0x000700000002346b-128.dat  xmrig
behavioral2/memory/3060-124-0x00007FF69B830000-0x00007FF69BB84000-memory.dmp  xmrig
behavioral2/files/0x0007000000023469-119.dat  xmrig
behavioral2/memory/220-114-0x00007FF757FA0000-0x00007FF7582F4000-memory.dmp  xmrig
behavioral2/memory/4848-131-0x00007FF7797D0000-0x00007FF779B24000-memory.dmp  xmrig
behavioral2/memory/2184-133-0x00007FF692620000-0x00007FF692974000-memory.dmp  xmrig
behavioral2/memory/4484-132-0x00007FF6CF2E0000-0x00007FF6CF634000-memory.dmp  xmrig
behavioral2/memory/3724-134-0x00007FF685C80000-0x00007FF685FD4000-memory.dmp  xmrig
behavioral2/memory/4504-135-0x00007FF6F6C60000-0x00007FF6F6FB4000-memory.dmp  xmrig
behavioral2/memory/1172-136-0x00007FF74AF50000-0x00007FF74B2A4000-memory.dmp  xmrig
behavioral2/memory/1112-137-0x00007FF7663E0000-0x00007FF766734000-memory.dmp  xmrig
behavioral2/memory/4716-138-0x00007FF6A10D0000-0x00007FF6A1424000-memory.dmp  xmrig
behavioral2/memory/2476-139-0x00007FF7237A0000-0x00007FF723AF4000-memory.dmp  xmrig
behavioral2/memory/2196-140-0x00007FF79B370000-0x00007FF79B6C4000-memory.dmp  xmrig
behavioral2/memory/1800-141-0x00007FF66AE20000-0x00007FF66B174000-memory.dmp  xmrig
behavioral2/memory/2492-142-0x00007FF6D9570000-0x00007FF6D98C4000-memory.dmp  xmrig
behavioral2/memory/3092-143-0x00007FF660F30000-0x00007FF661284000-memory.dmp  xmrig
behavioral2/memory/220-144-0x00007FF757FA0000-0x00007FF7582F4000-memory.dmp  xmrig
behavioral2/memory/388-145-0x00007FF708010000-0x00007FF708364000-memory.dmp  xmrig
behavioral2/memory/3744-146-0x00007FF770A20000-0x00007FF770D74000-memory.dmp  xmrig
behavioral2/memory/2184-147-0x00007FF692620000-0x00007FF692974000-memory.dmp  xmrig
behavioral2/memory/4980-148-0x00007FF713A10000-0x00007FF713D64000-memory.dmp  xmrig

Executes dropped EXE (21 IoCs)
pid  Process
4716  ZzPSRcg.exe
2476  SBvxVzx.exe
2196  CxnqFUB.exe
1800  MavSWKs.exe
2492  GRmvVFW.exe
3092  ZaucKlA.exe
220  qwZzDJI.exe
388  gWRLvBM.exe
3744  cPxjvPy.exe
2184  ZZvxHgC.exe
4980  POfRPmH.exe
3724  qZaMLRC.exe
4460  NfRRmLS.exe
684  zOHapuq.exe
4504  zdlaUun.exe
1172  WliOoEU.exe
1112  iqPzFti.exe
4008  MWuEwkR.exe
3060  jBtWjPs.exe
4848  CXjTJmS.exe
4484  okGEKLi.exe

upx yara_rule matches (64 IoCs)
resource  yara_rule
behavioral2/memory/3252-0-0x00007FF682390000-0x00007FF6826E4000-memory.dmp  upx
behavioral2/files/0x0008000000023452-5.dat  upx
behavioral2/files/0x0008000000023458-10.dat  upx
behavioral2/files/0x0007000000023459-12.dat  upx
behavioral2/memory/2476-14-0x00007FF7237A0000-0x00007FF723AF4000-memory.dmp  upx
behavioral2/files/0x000700000002345a-24.dat  upx
behavioral2/memory/1800-26-0x00007FF66AE20000-0x00007FF66B174000-memory.dmp  upx
behavioral2/memory/2196-22-0x00007FF79B370000-0x00007FF79B6C4000-memory.dmp  upx
behavioral2/memory/4716-7-0x00007FF6A10D0000-0x00007FF6A1424000-memory.dmp  upx
behavioral2/files/0x000700000002345b-29.dat  upx
behavioral2/memory/2492-32-0x00007FF6D9570000-0x00007FF6D98C4000-memory.dmp  upx
behavioral2/files/0x0008000000023456-34.dat  upx
behavioral2/memory/3092-36-0x00007FF660F30000-0x00007FF661284000-memory.dmp  upx
behavioral2/files/0x000700000002345c-40.dat  upx
behavioral2/memory/220-43-0x00007FF757FA0000-0x00007FF7582F4000-memory.dmp  upx
behavioral2/files/0x000700000002345d-48.dat  upx
behavioral2/files/0x000700000002345e-54.dat  upx
behavioral2/memory/388-50-0x00007FF708010000-0x00007FF708364000-memory.dmp  upx
behavioral2/memory/3252-61-0x00007FF682390000-0x00007FF6826E4000-memory.dmp  upx
behavioral2/memory/2184-62-0x00007FF692620000-0x00007FF692974000-memory.dmp  upx
behavioral2/files/0x0007000000023460-66.dat  upx
behavioral2/files/0x0007000000023461-71.dat  upx
behavioral2/memory/4980-73-0x00007FF713A10000-0x00007FF713D64000-memory.dmp  upx
behavioral2/memory/3724-74-0x00007FF685C80000-0x00007FF685FD4000-memory.dmp  upx
behavioral2/memory/4716-72-0x00007FF6A10D0000-0x00007FF6A1424000-memory.dmp  upx
behavioral2/files/0x000700000002345f-59.dat  upx
behavioral2/memory/3744-57-0x00007FF770A20000-0x00007FF770D74000-memory.dmp  upx
behavioral2/files/0x000400000001da3a-80.dat  upx
behavioral2/files/0x0008000000023464-87.dat  upx
behavioral2/files/0x0009000000023465-91.dat  upx
behavioral2/memory/4504-94-0x00007FF6F6C60000-0x00007FF6F6FB4000-memory.dmp  upx
behavioral2/memory/1172-98-0x00007FF74AF50000-0x00007FF74B2A4000-memory.dmp  upx
behavioral2/files/0x0007000000023467-103.dat  upx
behavioral2/files/0x0007000000023468-112.dat  upx
behavioral2/memory/1112-107-0x00007FF7663E0000-0x00007FF766734000-memory.dmp  upx
behavioral2/memory/3092-105-0x00007FF660F30000-0x00007FF661284000-memory.dmp  upx
behavioral2/files/0x0007000000023466-102.dat  upx
behavioral2/memory/684-93-0x00007FF7A6F90000-0x00007FF7A72E4000-memory.dmp  upx
behavioral2/memory/4460-85-0x00007FF71F8A0000-0x00007FF71FBF4000-memory.dmp  upx
behavioral2/memory/2476-82-0x00007FF7237A0000-0x00007FF723AF4000-memory.dmp  upx
behavioral2/memory/4008-116-0x00007FF628490000-0x00007FF6287E4000-memory.dmp  upx
behavioral2/files/0x000700000002346a-123.dat  upx
behavioral2/files/0x000700000002346b-128.dat  upx
behavioral2/memory/3060-124-0x00007FF69B830000-0x00007FF69BB84000-memory.dmp  upx
behavioral2/files/0x0007000000023469-119.dat  upx
behavioral2/memory/220-114-0x00007FF757FA0000-0x00007FF7582F4000-memory.dmp  upx
behavioral2/memory/4848-131-0x00007FF7797D0000-0x00007FF779B24000-memory.dmp  upx
behavioral2/memory/2184-133-0x00007FF692620000-0x00007FF692974000-memory.dmp  upx
behavioral2/memory/4484-132-0x00007FF6CF2E0000-0x00007FF6CF634000-memory.dmp  upx
behavioral2/memory/3724-134-0x00007FF685C80000-0x00007FF685FD4000-memory.dmp  upx
behavioral2/memory/4504-135-0x00007FF6F6C60000-0x00007FF6F6FB4000-memory.dmp  upx
behavioral2/memory/1172-136-0x00007FF74AF50000-0x00007FF74B2A4000-memory.dmp  upx
behavioral2/memory/1112-137-0x00007FF7663E0000-0x00007FF766734000-memory.dmp  upx
behavioral2/memory/4716-138-0x00007FF6A10D0000-0x00007FF6A1424000-memory.dmp  upx
behavioral2/memory/2476-139-0x00007FF7237A0000-0x00007FF723AF4000-memory.dmp  upx
behavioral2/memory/2196-140-0x00007FF79B370000-0x00007FF79B6C4000-memory.dmp  upx
behavioral2/memory/1800-141-0x00007FF66AE20000-0x00007FF66B174000-memory.dmp  upx
behavioral2/memory/2492-142-0x00007FF6D9570000-0x00007FF6D98C4000-memory.dmp  upx
behavioral2/memory/3092-143-0x00007FF660F30000-0x00007FF661284000-memory.dmp  upx
behavioral2/memory/220-144-0x00007FF757FA0000-0x00007FF7582F4000-memory.dmp  upx
behavioral2/memory/388-145-0x00007FF708010000-0x00007FF708364000-memory.dmp  upx
behavioral2/memory/3744-146-0x00007FF770A20000-0x00007FF770D74000-memory.dmp  upx
behavioral2/memory/2184-147-0x00007FF692620000-0x00007FF692974000-memory.dmp  upx
behavioral2/memory/4980-148-0x00007FF713A10000-0x00007FF713D64000-memory.dmp  upx

Drops file in Windows directory (21 IoCs)
Process for every row: 2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe
description  ioc
File created  C:\Windows\System\okGEKLi.exe
File created  C:\Windows\System\ZzPSRcg.exe
File created  C:\Windows\System\ZaucKlA.exe
File created  C:\Windows\System\cPxjvPy.exe
File created  C:\Windows\System\ZZvxHgC.exe
File created  C:\Windows\System\jBtWjPs.exe
File created  C:\Windows\System\MavSWKs.exe
File created  C:\Windows\System\GRmvVFW.exe
File created  C:\Windows\System\qwZzDJI.exe
File created  C:\Windows\System\zOHapuq.exe
File created  C:\Windows\System\WliOoEU.exe
File created  C:\Windows\System\iqPzFti.exe
File created  C:\Windows\System\MWuEwkR.exe
File created  C:\Windows\System\CXjTJmS.exe
File created  C:\Windows\System\NfRRmLS.exe
File created  C:\Windows\System\zdlaUun.exe
File created  C:\Windows\System\SBvxVzx.exe
File created  C:\Windows\System\CxnqFUB.exe
File created  C:\Windows\System\gWRLvBM.exe
File created  C:\Windows\System\POfRPmH.exe
File created  C:\Windows\System\qZaMLRC.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description  pid  Process
Token: SeLockMemoryPrivilege  3252  2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege  3252  2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory (42 IoCs)
Process for every row: 2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe
description  pid  procid_target
PID 3252 wrote to memory of 4716  3252  85
PID 3252 wrote to memory of 4716  3252  85
PID 3252 wrote to memory of 2476  3252  86
PID 3252 wrote to memory of 2476  3252  86
PID 3252 wrote to memory of 2196  3252  87
PID 3252 wrote to memory of 2196  3252  87
PID 3252 wrote to memory of 1800  3252  89
PID 3252 wrote to memory of 1800  3252  89
PID 3252 wrote to memory of 2492  3252  90
PID 3252 wrote to memory of 2492  3252  90
PID 3252 wrote to memory of 3092  3252  91
PID 3252 wrote to memory of 3092  3252  91
PID 3252 wrote to memory of 220  3252  92
PID 3252 wrote to memory of 220  3252  92
PID 3252 wrote to memory of 388  3252  93
PID 3252 wrote to memory of 388  3252  93
PID 3252 wrote to memory of 3744  3252  94
PID 3252 wrote to memory of 3744  3252  94
PID 3252 wrote to memory of 2184  3252  95
PID 3252 wrote to memory of 2184  3252  95
PID 3252 wrote to memory of 4980  3252  96
PID 3252 wrote to memory of 4980  3252  96
PID 3252 wrote to memory of 3724  3252  97
PID 3252 wrote to memory of 3724  3252  97
PID 3252 wrote to memory of 4460  3252  98
PID 3252 wrote to memory of 4460  3252  98
PID 3252 wrote to memory of 684  3252  99
PID 3252 wrote to memory of 684  3252  99
PID 3252 wrote to memory of 4504  3252  100
PID 3252 wrote to memory of 4504  3252  100
PID 3252 wrote to memory of 1172  3252  101
PID 3252 wrote to memory of 1172  3252  101
PID 3252 wrote to memory of 1112  3252  102
PID 3252 wrote to memory of 1112  3252  102
PID 3252 wrote to memory of 4008  3252  103
PID 3252 wrote to memory of 4008  3252  103
PID 3252 wrote to memory of 3060  3252  104
PID 3252 wrote to memory of 3060  3252  104
PID 3252 wrote to memory of 4848  3252  105
PID 3252 wrote to memory of 4848  3252  105
PID 3252 wrote to memory of 4484  3252  106
PID 3252 wrote to memory of 4484  3252  106
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe"
  PID:3252
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Level 2 (children of PID 3252):

  C:\Windows\System\ZzPSRcg.exe
    Command line: C:\Windows\System\ZzPSRcg.exe
    PID:4716
    - Executes dropped EXE

  C:\Windows\System\SBvxVzx.exe
    Command line: C:\Windows\System\SBvxVzx.exe
    PID:2476
    - Executes dropped EXE

  C:\Windows\System\CxnqFUB.exe
    Command line: C:\Windows\System\CxnqFUB.exe
    PID:2196
    - Executes dropped EXE

  C:\Windows\System\MavSWKs.exe
    Command line: C:\Windows\System\MavSWKs.exe
    PID:1800
    - Executes dropped EXE

  C:\Windows\System\GRmvVFW.exe
    Command line: C:\Windows\System\GRmvVFW.exe
    PID:2492
    - Executes dropped EXE

  C:\Windows\System\ZaucKlA.exe
    Command line: C:\Windows\System\ZaucKlA.exe
    PID:3092
    - Executes dropped EXE

  C:\Windows\System\qwZzDJI.exe
    Command line: C:\Windows\System\qwZzDJI.exe
    PID:220
    - Executes dropped EXE

  C:\Windows\System\gWRLvBM.exe
    Command line: C:\Windows\System\gWRLvBM.exe
    PID:388
    - Executes dropped EXE

  C:\Windows\System\cPxjvPy.exe
    Command line: C:\Windows\System\cPxjvPy.exe
    PID:3744
    - Executes dropped EXE

  C:\Windows\System\ZZvxHgC.exe
    Command line: C:\Windows\System\ZZvxHgC.exe
    PID:2184
    - Executes dropped EXE

  C:\Windows\System\POfRPmH.exe
    Command line: C:\Windows\System\POfRPmH.exe
    PID:4980
    - Executes dropped EXE

  C:\Windows\System\qZaMLRC.exe
    Command line: C:\Windows\System\qZaMLRC.exe
    PID:3724
    - Executes dropped EXE

  C:\Windows\System\NfRRmLS.exe
    Command line: C:\Windows\System\NfRRmLS.exe
    PID:4460
    - Executes dropped EXE

  C:\Windows\System\zOHapuq.exe
    Command line: C:\Windows\System\zOHapuq.exe
    PID:684
    - Executes dropped EXE

  C:\Windows\System\zdlaUun.exe
    Command line: C:\Windows\System\zdlaUun.exe
    PID:4504
    - Executes dropped EXE

  C:\Windows\System\WliOoEU.exe
    Command line: C:\Windows\System\WliOoEU.exe
    PID:1172
    - Executes dropped EXE

  C:\Windows\System\iqPzFti.exe
    Command line: C:\Windows\System\iqPzFti.exe
    PID:1112
    - Executes dropped EXE

  C:\Windows\System\MWuEwkR.exe
    Command line: C:\Windows\System\MWuEwkR.exe
    PID:4008
    - Executes dropped EXE

  C:\Windows\System\jBtWjPs.exe
    Command line: C:\Windows\System\jBtWjPs.exe
    PID:3060
    - Executes dropped EXE

  C:\Windows\System\CXjTJmS.exe
    Command line: C:\Windows\System\CXjTJmS.exe
    PID:4848
    - Executes dropped EXE

  C:\Windows\System\okGEKLi.exe
    Command line: C:\Windows\System\okGEKLi.exe
    PID:4484
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 5.9MB
MD5: 138e96df12b20b3546137d50afeebd8c
SHA1: 679c73708bf4af7089dcb5e22c722fdb7e86b227
SHA256: 94cad01dc9ab07af258d591fdb1b1543704620fb0cc4fae1aba7ba10d88f1cb8
SHA512: 58d923b4f2fee21c1c51f4bb51b4ff324aad2d8c4b2dfc4771a271df4bb59a3bb1977423745d86ed6984d6710d9732f8bfeff39444a098c46e02b4900623ab54

Filesize: 5.9MB
MD5: 1fe2ea021e732f64efe50f960b79ec7b
SHA1: 92ffff05445ab732658736387bb978d658618337
SHA256: cb186c7ffd677c6946cb9264037f4931f0dc83e49bb3ca9c0d6fbc42d53ef094
SHA512: 02400bc7c170c97c7a1427672e7d4944d798dcc5629a6812b32bbf1bb360d9dfb9646b4d99e4f4ff183eb4b52f24eecb523fa34face7e546abf0a902b9d3bd28

Filesize: 5.9MB
MD5: 17a689f0b16ab658553e969cb0c0ae9c
SHA1: 5b163fd229338ab6960513459e0d20f507b5caa1
SHA256: 425452af2b79391dcdbfdb9b76665ecb68101bb9a69c31836678a0def30a8737
SHA512: 0224e981f207011fbd7881df837a70c81bdd00f39cee404feb0ba4f95a580abc41e8cf48ac60645487fa689b4cba40e82b121ff17dcac935d8780ab51883bf55

Filesize: 5.9MB
MD5: fe74d98a260a45c6c7a9ed9cd528a83d
SHA1: af58b131174ddbe39fc0d4a5226689e5ace88bc1
SHA256: 2851b205962f1fde2da47c0aa7d97da9502fcdde9795d7e6ae1b78ed99da1eeb
SHA512: 730b48206f25c27304fbbf2edf238ba94d90b78a2eb62fadc9a3e41036cd4652ca2b745436e56f504ab142711423584e93343d78c59b68a93f6372330da9d6aa

Filesize: 5.9MB
MD5: 4fdf8aaad2b8e872efbbec9c915eed0d
SHA1: 73eaa5a67f72e84c7e60588245771d86c7063edd
SHA256: f410d2bdb532a3ed333118e92add5fae0e8031dc338526051896e7861cb3795b
SHA512: dd068f14afeafde6aebeae4741814231efd82a316205034f625e6da37686de9e0c152f5e855af1717111e07f5cc54cbe9232a7380f85ee5646063f4de68a3e29

Filesize: 5.9MB
MD5: 99996ea791ee926cb30f47f8f40304fb
SHA1: 2e353f4f5c9c6e91724c5657dcd78ee6be5b3bac
SHA256: 2982d15bdefa85b0190d3ef158b3230965f3c9e9af16a1df598f00ca0e5b4310
SHA512: fd97b1db74df270c270ff30028b331543611eb25ebd790b4aceb3a6b0a1d02bb8ee94d72b8d156d8ba0abd456c1942f7184b3e2e97bf64552c7db14b0ee6ff0d

Filesize: 5.9MB
MD5: 73b6d199861f613913af0ffcc13fd8ba
SHA1: 9ccd41b439901e95a9df7ed207ccfd40b1df899a
SHA256: 4ba541fa40b6745f5d56bd7563639aac8cad32c1628092ffddf68e4db402fca6
SHA512: 19a2a2a5c2bacf261c9ee9f8b722c9a1df580ea2e36345af064ea7ec8c481c2abbace0580611ba2a5db6ac0176f7ecd109a0386ca514cb8fff93e7dd89ec79fa

Filesize: 5.9MB
MD5: d339586cf47263de70ac981286b78bcf
SHA1: 8e78c2841d265606da957168b41e1e537dd539e6
SHA256: b0081e3b05b363bdefce81de371e7319e152f9482756eace8f6629a751394b51
SHA512: c7aa8756d022336abcb1629aa46ab32e9c5d2e5ea8d83fc515165317572d1f4d8ff383851571669136f82a42eda3ead18a10f46699b6357947dbace0dbe762fc

Filesize: 5.9MB
MD5: 4099993801c402206690b85eb6c5bee5
SHA1: 0dfac6aa0f5ff0df497c7f21aea3b8d43ae1b5cf
SHA256: d0e2a955c7cfc8fa5f9536f8fea08338552db0a5beab4eec2169ede8e67924cf
SHA512: 728219553651af4851f8d7d68f8c0dd89ef51880d225f1224a81bcd4b129edddccb04da3890aa5f0c8e24c07a124842d620e6289e557ccaa30b9acf0b4b0413a

Filesize: 5.9MB
MD5: 7164cd980c3fb8707e14150fac8d4f56
SHA1: 04cd4db8d25b075a988b961e94d01bddb5f9db8d
SHA256: 239792bc3f29aac690e750dfd6d6de47c8bc9fa385753e435008a0677d00ac8a
SHA512: 28bb9aeb1737d56e8c0293f30a3fbf5ee03c3626f57a10c95088d6ef1fc3fbbabae1ebb5c2a6d67f9d0225882e3c3a3fb680635901a1446211b92f2e97e64164

Filesize: 5.9MB
MD5: 944f346559d13277befc4dc34efdf29f
SHA1: 98519aea1a7b0c7b17a22f2581c988378e68e1b1
SHA256: 38470fef086830ae5faa5ef483cca3e4ae4cfc8c61cf7fb2c099f5390790565b
SHA512: c1b06a59ee152bc2a2f101626b9b2a2621983485a9e9b9aaa0f680d9fbee49fa7ffe894cd90b1735d1c5d97595bca8844d9c336a8b7eee32d710d4657f0db294

Filesize: 5.9MB
MD5: 565f05945debf33abc80126e0e2cbd42
SHA1: 07146e6d88252aab96b0a50e1b2291ba0a5578f7
SHA256: 9ecad043ca27e533e411e944d0ad7e849227d154e66c9eea7cb8861848c7278f
SHA512: 160bba0f07577d69ab3b1fe6239310fdfd1c2b6ce653b17d94c5495f3273fb58d5972466400b7d6bea5262dc2900b2d897513cf7b85d8b0634a74374b083ee92

Filesize: 5.9MB
MD5: a7fe8b816071c093c840d3e8acf02626
SHA1: 7682860f305d617aa6623b512ccb97bed1ec3ee8
SHA256: fd44920cafd3792ee98a87b1ba908fde26a1e5d2019c31d9015b2919ce0f46a8
SHA512: 820612064eefa9a828e3b248d5e5e1762aa02a285b8ce172929dd1fa974aba88f925cdd21edb6a00500443d15c5c6217af7ade3079eba9c2bb0441f9acb944b3

Filesize: 5.9MB
MD5: 1f31b4338984cb3a3fd99cb979fe8b37
SHA1: f2d24060bfaa87e09195c1fd07ebf9939a36a438
SHA256: ec61a414fac26859afe62a93febcb4215e0f36ba0ba75faee5330b467e008464
SHA512: 5abb2fda26bc39a1a895903eba683d44ed980c54658068a52975427e974c49f443b34c59e78af8a5ba082bbba30b9aed205e7922651863f64e1f5c697e8b4f95

Filesize: 5.9MB
MD5: 0438ae7cf080131d4b8c8e42cf9a102c
SHA1: 27c1fcc2a9a6b3c5a06ebf515fffbd69e9fd741a
SHA256: b854834865a9b4241f60b1ed96f2ab4e919bd01c613d6193814a6d9d78abf5a3
SHA512: 992fa6b34aa405937a62cbb4cdb9a53e6591cf92e5394b8c19c6a74d9e59236ba0024e03bafc31fcb3005237a4b65e6e60b630d8111f21bca65f29b5efdc11e6

Filesize: 5.9MB
MD5: 5a01847bf0175084cd886354fe94e986
SHA1: 277b52dd74eac983de217ba6ff90356f7ee49789
SHA256: e018fbe87b3f439492f23854d03bfcc2896cccc2e8e5a4549af628b682378766
SHA512: d8ba853d97df9d3547e522b91372a294fe5ee9ceecdbfb933a0984715842722aa998c1380e8e704327204b589743d60a1296fd85f600d680fcd9f6f5369f9fc8

Filesize: 5.9MB
MD5: f7c67aa61a1eca01758afce1aa088a7e
SHA1: 89eb9c81df6afbd63858e73bc0755d4f40ac6a64
SHA256: 68e3642f52b74e1b17d7786da4d7aa7d4c528c548b2841b93c2df3057fa3308f
SHA512: fa5b38b1e4b6ef816d7699b9aeb13e8e8d9575e552c4b969d4b288bc3c149ce3f8672796ca393f06a0a433b7b1a69398b5d144bab92679b01e944951d6cc8792

Filesize: 5.9MB
MD5: 192089e3adcaaa6cd4886b20dca09f8a
SHA1: 6709121b981f2b1b4216a8782a43cd7c5ddea1fe
SHA256: 6434fc3129ad56134a7186a74d48787c27748c41b704f6205543b955d9fc411e
SHA512: f1f6d32d7435619c231987d9029c0dac80f994874d6e021cb3cc425b53f9008014d7544652cbfd3ddd72139a43ac60976ca6557ffc905fb5bde099734276986a

Filesize: 5.9MB
MD5: d939a1ea8cb4a1da88f882caf5c2c94f
SHA1: ac047a6b8a36fae31ebc1dd09a4a7b44d6308e59
SHA256: a3e075ee0fbd3ccd9ef88518fe32b5e0f2c4e24e72ebf77254a040d3658e1520
SHA512: d98cfeca180b0c265e8f87e5794834ece642e1f16ac1af115eb6122d140e1d753bf889a7fe7b953406ed367826b760e13b44eef78d1d4fb5b953e4c83448c0bc

Filesize: 5.9MB
MD5: 3a2b52cc1fedef0ff4689b4187f18e40
SHA1: 2d01d5db9ac05803bccac2a60ee75c2b0be27534
SHA256: 8b22c150927a8987862e2eb53ffb1fc5311cc7adf6671f5cfea8be38245efcc8
SHA512: af6ec30d45597b177c69622e411202f72d23f169bb30182a009eef1958408dc7f775e2bdc78f7461d1c9fa308d52de4a2a2806aa2df95745587937aeb012995e

Filesize: 5.9MB
MD5: 0027d873ab2f7d8afd194cbfa0feb5bd
SHA1: ca739d2961a7ef5c8b9e7704d32d5e68f4d17614
SHA256: bbbfce947708db221a0f1b0ec6322117003fafb94614e04fa16962081f7b5a5d
SHA512: ebb2f905bdce382c0e5dbfd88a9988c043e3b6958e9c97dfa97e913e2a02b32334286d4f6987165fa31eba17e47ced018ebef3bc3d61f616310c455822b3dec1