Analysis
max time kernel: 144s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-08-2024 20:44
Behavioral task: behavioral1
Sample: 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe
Resource: win7-20240729-en
General
Target: 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe
Size: 5.2MB
MD5: 3e6b4053e06fd3dafd9ef15112bfb66d
SHA1: 246516c368838a667aaca52e2a5b44c44fed862c
SHA256: 82ddcf208870b5e00846fbd3bf96f43a4447386d9919458a312420aaf72fad6a
SHA512: 3db631a6d374b40125c3bebb426092ba1efcccc7b848abc36918214fb2c0921a9f5dc569a1667600894b01b96365ae2597b57305f381916ca96df8b8bc48cbee
SSDEEP: 49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lM:RWWBibf56utgpPFotBER/mQ32lUQ
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2:
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
Signatures

Cobalt Strike reflective loader (21 IoCs)
Detects the reflective loader used by Cobalt Strike.
resource yara_rule
behavioral2/files/0x00090000000235e6-4.dat cobalt_reflective_dll
behavioral2/files/0x00070000000235ed-7.dat cobalt_reflective_dll
behavioral2/files/0x00070000000235ee-18.dat cobalt_reflective_dll
behavioral2/files/0x00080000000235ec-19.dat cobalt_reflective_dll
behavioral2/files/0x00070000000235f1-43.dat cobalt_reflective_dll
behavioral2/files/0x00070000000235f0-46.dat cobalt_reflective_dll
behavioral2/files/0x00070000000235f3-56.dat cobalt_reflective_dll
behavioral2/files/0x00070000000235f5-64.dat cobalt_reflective_dll
behavioral2/files/0x00070000000235fa-101.dat cobalt_reflective_dll
behavioral2/files/0x00070000000235fe-121.dat cobalt_reflective_dll
behavioral2/files/0x00070000000235fd-119.dat cobalt_reflective_dll
behavioral2/files/0x00070000000235fc-117.dat cobalt_reflective_dll
behavioral2/files/0x00070000000235fb-115.dat cobalt_reflective_dll
behavioral2/files/0x00070000000235f9-110.dat cobalt_reflective_dll
behavioral2/files/0x00080000000235ea-92.dat cobalt_reflective_dll
behavioral2/files/0x00070000000235f8-90.dat cobalt_reflective_dll
behavioral2/files/0x00070000000235f7-83.dat cobalt_reflective_dll
behavioral2/files/0x00070000000235f6-75.dat cobalt_reflective_dll
behavioral2/files/0x00070000000235f4-60.dat cobalt_reflective_dll
behavioral2/files/0x00070000000235f2-51.dat cobalt_reflective_dll
behavioral2/files/0x00070000000235ef-39.dat cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.

XMRig Miner payload (45 IoCs)
resource yara_rule
behavioral2/memory/2768-81-0x00007FF7278F0000-0x00007FF727C41000-memory.dmp xmrig
behavioral2/memory/3320-88-0x00007FF790CC0000-0x00007FF791011000-memory.dmp xmrig
behavioral2/memory/1512-80-0x00007FF668FD0000-0x00007FF669321000-memory.dmp xmrig
behavioral2/memory/2740-69-0x00007FF7B1DF0000-0x00007FF7B2141000-memory.dmp xmrig
behavioral2/memory/3948-124-0x00007FF660F10000-0x00007FF661261000-memory.dmp xmrig
behavioral2/memory/3680-127-0x00007FF7A1280000-0x00007FF7A15D1000-memory.dmp xmrig
behavioral2/memory/952-136-0x00007FF61FD20000-0x00007FF620071000-memory.dmp xmrig
behavioral2/memory/4400-138-0x00007FF7C3E90000-0x00007FF7C41E1000-memory.dmp xmrig
behavioral2/memory/2576-140-0x00007FF6C16A0000-0x00007FF6C19F1000-memory.dmp xmrig
behavioral2/memory/3216-142-0x00007FF6B9280000-0x00007FF6B95D1000-memory.dmp xmrig
behavioral2/memory/4240-144-0x00007FF7DE890000-0x00007FF7DEBE1000-memory.dmp xmrig
behavioral2/memory/4624-143-0x00007FF71C5E0000-0x00007FF71C931000-memory.dmp xmrig
behavioral2/memory/2916-141-0x00007FF659300000-0x00007FF659651000-memory.dmp xmrig
behavioral2/memory/1020-139-0x00007FF6D8CA0000-0x00007FF6D8FF1000-memory.dmp xmrig
behavioral2/memory/1672-137-0x00007FF6C8230000-0x00007FF6C8581000-memory.dmp xmrig
behavioral2/memory/4884-131-0x00007FF61EDC0000-0x00007FF61F111000-memory.dmp xmrig
behavioral2/memory/4480-130-0x00007FF712370000-0x00007FF7126C1000-memory.dmp xmrig
behavioral2/memory/4128-129-0x00007FF723EF0000-0x00007FF724241000-memory.dmp xmrig
behavioral2/memory/2896-126-0x00007FF654A40000-0x00007FF654D91000-memory.dmp xmrig
behavioral2/memory/1856-125-0x00007FF7F4540000-0x00007FF7F4891000-memory.dmp xmrig
behavioral2/memory/1208-135-0x00007FF631CF0000-0x00007FF632041000-memory.dmp xmrig
behavioral2/memory/4832-128-0x00007FF6A9E20000-0x00007FF6AA171000-memory.dmp xmrig
behavioral2/memory/3320-123-0x00007FF790CC0000-0x00007FF791011000-memory.dmp xmrig
behavioral2/memory/3320-151-0x00007FF790CC0000-0x00007FF791011000-memory.dmp xmrig
behavioral2/memory/3948-197-0x00007FF660F10000-0x00007FF661261000-memory.dmp xmrig
behavioral2/memory/1856-199-0x00007FF7F4540000-0x00007FF7F4891000-memory.dmp xmrig
behavioral2/memory/2896-203-0x00007FF654A40000-0x00007FF654D91000-memory.dmp xmrig
behavioral2/memory/4832-206-0x00007FF6A9E20000-0x00007FF6AA171000-memory.dmp xmrig
behavioral2/memory/4480-207-0x00007FF712370000-0x00007FF7126C1000-memory.dmp xmrig
behavioral2/memory/3680-201-0x00007FF7A1280000-0x00007FF7A15D1000-memory.dmp xmrig
behavioral2/memory/1512-210-0x00007FF668FD0000-0x00007FF669321000-memory.dmp xmrig
behavioral2/memory/4128-213-0x00007FF723EF0000-0x00007FF724241000-memory.dmp xmrig
behavioral2/memory/4884-211-0x00007FF61EDC0000-0x00007FF61F111000-memory.dmp xmrig
behavioral2/memory/2768-219-0x00007FF7278F0000-0x00007FF727C41000-memory.dmp xmrig
behavioral2/memory/952-221-0x00007FF61FD20000-0x00007FF620071000-memory.dmp xmrig
behavioral2/memory/2740-218-0x00007FF7B1DF0000-0x00007FF7B2141000-memory.dmp xmrig
behavioral2/memory/1208-216-0x00007FF631CF0000-0x00007FF632041000-memory.dmp xmrig
behavioral2/memory/4240-224-0x00007FF7DE890000-0x00007FF7DEBE1000-memory.dmp xmrig
behavioral2/memory/4400-233-0x00007FF7C3E90000-0x00007FF7C41E1000-memory.dmp xmrig
behavioral2/memory/2576-237-0x00007FF6C16A0000-0x00007FF6C19F1000-memory.dmp xmrig
behavioral2/memory/1020-236-0x00007FF6D8CA0000-0x00007FF6D8FF1000-memory.dmp xmrig
behavioral2/memory/2916-229-0x00007FF659300000-0x00007FF659651000-memory.dmp xmrig
behavioral2/memory/3216-228-0x00007FF6B9280000-0x00007FF6B95D1000-memory.dmp xmrig
behavioral2/memory/4624-225-0x00007FF71C5E0000-0x00007FF71C931000-memory.dmp xmrig
behavioral2/memory/1672-232-0x00007FF6C8230000-0x00007FF6C8581000-memory.dmp xmrig
Executes dropped EXE (21 IoCs)
pid Process
3948 ZHPNJPC.exe
1856 jbGLeSG.exe
2896 qlFmlJt.exe
3680 NkgTGsz.exe
4832 LZewaqy.exe
4128 AuFXGrm.exe
4480 RayVyuD.exe
4884 eiNJBKx.exe
1512 uTbUDxE.exe
2740 zEIlgpV.exe
2768 NtYGPmQ.exe
1208 bEMESrx.exe
952 FdUqPVy.exe
1672 AjIkJVh.exe
2576 PdAWZSZ.exe
4400 kqkYUsQ.exe
1020 WQMNYvn.exe
2916 KtXDbou.exe
3216 iygrAYr.exe
4624 wgCnGuY.exe
4240 cDWbzxb.exe

resource yara_rule
behavioral2/memory/3320-0-0x00007FF790CC0000-0x00007FF791011000-memory.dmp upx
behavioral2/files/0x00090000000235e6-4.dat upx
behavioral2/files/0x00070000000235ed-7.dat upx
behavioral2/memory/3948-8-0x00007FF660F10000-0x00007FF661261000-memory.dmp upx
behavioral2/files/0x00070000000235ee-18.dat upx
behavioral2/files/0x00080000000235ec-19.dat upx
behavioral2/memory/3680-33-0x00007FF7A1280000-0x00007FF7A15D1000-memory.dmp upx
behavioral2/memory/4128-34-0x00007FF723EF0000-0x00007FF724241000-memory.dmp upx
behavioral2/files/0x00070000000235f1-43.dat upx
behavioral2/files/0x00070000000235f0-46.dat upx
behavioral2/files/0x00070000000235f3-56.dat upx
behavioral2/files/0x00070000000235f5-64.dat upx
behavioral2/memory/1208-71-0x00007FF631CF0000-0x00007FF632041000-memory.dmp upx
behavioral2/memory/2768-81-0x00007FF7278F0000-0x00007FF727C41000-memory.dmp upx
behavioral2/memory/2576-87-0x00007FF6C16A0000-0x00007FF6C19F1000-memory.dmp upx
behavioral2/files/0x00070000000235fa-101.dat upx
behavioral2/files/0x00070000000235fe-121.dat upx
behavioral2/files/0x00070000000235fd-119.dat upx
behavioral2/files/0x00070000000235fc-117.dat upx
behavioral2/files/0x00070000000235fb-115.dat upx
behavioral2/files/0x00070000000235f9-110.dat upx
behavioral2/files/0x00080000000235ea-92.dat upx
behavioral2/files/0x00070000000235f8-90.dat upx
behavioral2/memory/1672-89-0x00007FF6C8230000-0x00007FF6C8581000-memory.dmp upx
behavioral2/memory/3320-88-0x00007FF790CC0000-0x00007FF791011000-memory.dmp upx
behavioral2/memory/952-86-0x00007FF61FD20000-0x00007FF620071000-memory.dmp upx
behavioral2/files/0x00070000000235f7-83.dat upx
behavioral2/memory/1512-80-0x00007FF668FD0000-0x00007FF669321000-memory.dmp upx
behavioral2/files/0x00070000000235f6-75.dat upx
behavioral2/memory/2740-69-0x00007FF7B1DF0000-0x00007FF7B2141000-memory.dmp upx
behavioral2/memory/4884-61-0x00007FF61EDC0000-0x00007FF61F111000-memory.dmp upx
behavioral2/files/0x00070000000235f4-60.dat upx
behavioral2/files/0x00070000000235f2-51.dat upx
behavioral2/memory/4480-45-0x00007FF712370000-0x00007FF7126C1000-memory.dmp upx
behavioral2/files/0x00070000000235ef-39.dat upx
behavioral2/memory/4832-38-0x00007FF6A9E20000-0x00007FF6AA171000-memory.dmp upx
behavioral2/memory/2896-25-0x00007FF654A40000-0x00007FF654D91000-memory.dmp upx
behavioral2/memory/1856-15-0x00007FF7F4540000-0x00007FF7F4891000-memory.dmp upx
behavioral2/memory/3948-124-0x00007FF660F10000-0x00007FF661261000-memory.dmp upx
behavioral2/memory/3680-127-0x00007FF7A1280000-0x00007FF7A15D1000-memory.dmp upx
behavioral2/memory/952-136-0x00007FF61FD20000-0x00007FF620071000-memory.dmp upx
behavioral2/memory/4400-138-0x00007FF7C3E90000-0x00007FF7C41E1000-memory.dmp upx
behavioral2/memory/2576-140-0x00007FF6C16A0000-0x00007FF6C19F1000-memory.dmp upx
behavioral2/memory/3216-142-0x00007FF6B9280000-0x00007FF6B95D1000-memory.dmp upx
behavioral2/memory/4240-144-0x00007FF7DE890000-0x00007FF7DEBE1000-memory.dmp upx
behavioral2/memory/4624-143-0x00007FF71C5E0000-0x00007FF71C931000-memory.dmp upx
behavioral2/memory/2916-141-0x00007FF659300000-0x00007FF659651000-memory.dmp upx
behavioral2/memory/1020-139-0x00007FF6D8CA0000-0x00007FF6D8FF1000-memory.dmp upx
behavioral2/memory/1672-137-0x00007FF6C8230000-0x00007FF6C8581000-memory.dmp upx
behavioral2/memory/4884-131-0x00007FF61EDC0000-0x00007FF61F111000-memory.dmp upx
behavioral2/memory/4480-130-0x00007FF712370000-0x00007FF7126C1000-memory.dmp upx
behavioral2/memory/4128-129-0x00007FF723EF0000-0x00007FF724241000-memory.dmp upx
behavioral2/memory/2896-126-0x00007FF654A40000-0x00007FF654D91000-memory.dmp upx
behavioral2/memory/1856-125-0x00007FF7F4540000-0x00007FF7F4891000-memory.dmp upx
behavioral2/memory/1208-135-0x00007FF631CF0000-0x00007FF632041000-memory.dmp upx
behavioral2/memory/4832-128-0x00007FF6A9E20000-0x00007FF6AA171000-memory.dmp upx
behavioral2/memory/3320-123-0x00007FF790CC0000-0x00007FF791011000-memory.dmp upx
behavioral2/memory/3320-151-0x00007FF790CC0000-0x00007FF791011000-memory.dmp upx
behavioral2/memory/3948-197-0x00007FF660F10000-0x00007FF661261000-memory.dmp upx
behavioral2/memory/1856-199-0x00007FF7F4540000-0x00007FF7F4891000-memory.dmp upx
behavioral2/memory/2896-203-0x00007FF654A40000-0x00007FF654D91000-memory.dmp upx
behavioral2/memory/4832-206-0x00007FF6A9E20000-0x00007FF6AA171000-memory.dmp upx
behavioral2/memory/4480-207-0x00007FF712370000-0x00007FF7126C1000-memory.dmp upx
behavioral2/memory/3680-201-0x00007FF7A1280000-0x00007FF7A15D1000-memory.dmp upx
Drops file in Windows directory (21 IoCs)
description ioc Process
File created C:\Windows\System\ZHPNJPC.exe 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\LZewaqy.exe 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\RayVyuD.exe 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\bEMESrx.exe 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\kqkYUsQ.exe 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\wgCnGuY.exe 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\jbGLeSG.exe 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\qlFmlJt.exe 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\AuFXGrm.exe 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\uTbUDxE.exe 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\FdUqPVy.exe 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\AjIkJVh.exe 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\WQMNYvn.exe 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\NkgTGsz.exe 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\eiNJBKx.exe 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\PdAWZSZ.exe 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\KtXDbou.exe 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\iygrAYr.exe 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\cDWbzxb.exe 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\zEIlgpV.exe 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\NtYGPmQ.exe 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description pid Process
Token: SeLockMemoryPrivilege 3320 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege 3320 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe
Suspicious use of WriteProcessMemory (42 IoCs)
description pid Process procid_target
PID 3320 wrote to memory of 3948 3320 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe 91
PID 3320 wrote to memory of 3948 3320 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe 91
PID 3320 wrote to memory of 1856 3320 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe 92
PID 3320 wrote to memory of 1856 3320 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe 92
PID 3320 wrote to memory of 2896 3320 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe 93
PID 3320 wrote to memory of 2896 3320 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe 93
PID 3320 wrote to memory of 3680 3320 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe 94
PID 3320 wrote to memory of 3680 3320 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe 94
PID 3320 wrote to memory of 4832 3320 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe 96
PID 3320 wrote to memory of 4832 3320 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe 96
PID 3320 wrote to memory of 4128 3320 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe 97
PID 3320 wrote to memory of 4128 3320 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe 97
PID 3320 wrote to memory of 4480 3320 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe 98
PID 3320 wrote to memory of 4480 3320 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe 98
PID 3320 wrote to memory of 4884 3320 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe 99
PID 3320 wrote to memory of 4884 3320 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe 99
PID 3320 wrote to memory of 1512 3320 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe 100
PID 3320 wrote to memory of 1512 3320 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe 100
PID 3320 wrote to memory of 2740 3320 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe 101
PID 3320 wrote to memory of 2740 3320 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe 101
PID 3320 wrote to memory of 2768 3320 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe 102
PID 3320 wrote to memory of 2768 3320 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe 102
PID 3320 wrote to memory of 1208 3320 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe 103
PID 3320 wrote to memory of 1208 3320 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe 103
PID 3320 wrote to memory of 952 3320 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe 104
PID 3320 wrote to memory of 952 3320 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe 104
PID 3320 wrote to memory of 1672 3320 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe 105
PID 3320 wrote to memory of 1672 3320 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe 105
PID 3320 wrote to memory of 2576 3320 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe 106
PID 3320 wrote to memory of 2576 3320 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe 106
PID 3320 wrote to memory of 4400 3320 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe 107
PID 3320 wrote to memory of 4400 3320 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe 107
PID 3320 wrote to memory of 1020 3320 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe 108
PID 3320 wrote to memory of 1020 3320 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe 108
PID 3320 wrote to memory of 2916 3320 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe 109
PID 3320 wrote to memory of 2916 3320 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe 109
PID 3320 wrote to memory of 3216 3320 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe 110
PID 3320 wrote to memory of 3216 3320 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe 110
PID 3320 wrote to memory of 4624 3320 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe 111
PID 3320 wrote to memory of 4624 3320 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe 111
PID 3320 wrote to memory of 4240 3320 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe 112
PID 3320 wrote to memory of 4240 3320 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe 112
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe (PID:3320)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
    C:\Windows\System\ZHPNJPC.exe (PID:3948) - Executes dropped EXE
    C:\Windows\System\jbGLeSG.exe (PID:1856) - Executes dropped EXE
    C:\Windows\System\qlFmlJt.exe (PID:2896) - Executes dropped EXE
    C:\Windows\System\NkgTGsz.exe (PID:3680) - Executes dropped EXE
    C:\Windows\System\LZewaqy.exe (PID:4832) - Executes dropped EXE
    C:\Windows\System\AuFXGrm.exe (PID:4128) - Executes dropped EXE
    C:\Windows\System\RayVyuD.exe (PID:4480) - Executes dropped EXE
    C:\Windows\System\eiNJBKx.exe (PID:4884) - Executes dropped EXE
    C:\Windows\System\uTbUDxE.exe (PID:1512) - Executes dropped EXE
    C:\Windows\System\zEIlgpV.exe (PID:2740) - Executes dropped EXE
    C:\Windows\System\NtYGPmQ.exe (PID:2768) - Executes dropped EXE
    C:\Windows\System\bEMESrx.exe (PID:1208) - Executes dropped EXE
    C:\Windows\System\FdUqPVy.exe (PID:952) - Executes dropped EXE
    C:\Windows\System\AjIkJVh.exe (PID:1672) - Executes dropped EXE
    C:\Windows\System\PdAWZSZ.exe (PID:2576) - Executes dropped EXE
    C:\Windows\System\kqkYUsQ.exe (PID:4400) - Executes dropped EXE
    C:\Windows\System\WQMNYvn.exe (PID:1020) - Executes dropped EXE
    C:\Windows\System\KtXDbou.exe (PID:2916) - Executes dropped EXE
    C:\Windows\System\iygrAYr.exe (PID:3216) - Executes dropped EXE
    C:\Windows\System\wgCnGuY.exe (PID:4624) - Executes dropped EXE
    C:\Windows\System\cDWbzxb.exe (PID:4240) - Executes dropped EXE

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:780)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4056,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=3896 /prefetch:8
Downloads

Filesize: 5.2MB
MD5: 42da02e06bd7f8484e0f7dc3b25ce12c
SHA1: 88d29d124e6a3c4ef61f25945dc74fcf4aa463ed
SHA256: a9d4d99ba7f2bb063731fefb67593485b3d2592a79c6e722172902fab072d4cc
SHA512: 1014f97e7b19336051f585203a10a3f99599dffd0e8e434e01e5bcf26282ff48820f3a2b36cecc72057072f207c5b1e96f1fa080b8b2dafbd05ec4738dd64e7c

Filesize: 5.2MB
MD5: 0b98af4559cafd5941e57377fd31182b
SHA1: c3196f2f03f97aafe006ef76c80099c6b49e7e42
SHA256: d4532636dd67df286b9ba773982d21e9215e7e6eed672f4f15380942e9bdfd8b
SHA512: 258139e18937eadf93d83bd598a8721ddffe07e23c44139cf9abafd7f5ffb7dfb1da499d78b0a3b621fca79e2e09b5279443818b82895a471d9967ca7133ba71

Filesize: 5.2MB
MD5: ddfc0ea6efae48bb92b28c25ddd8986b
SHA1: 38acb6921f00f3229a2998f3a4a5bde29161c910
SHA256: 7fbc6c6f057be30c442ad75f97335d7255ba9c38ac8e6f1bfa6e5912203828c1
SHA512: b8f29974585f8a0a4cd02c9bdb3e9cad916db507d3fb9db201fe846f8d2c5487252b97a186051c4b0d71babe6db1097810da4c7f7d484c10cb78f71c4631506a

Filesize: 5.2MB
MD5: e2130a192ee4addccababf4ec1fa4aac
SHA1: 254c056c7ac2d57c3f3c11eb8eb37cd6414ac483
SHA256: 00ab6c187f607b546fc082e66b094ce5fecdfb2ee0ed76f68f31ea8cafe33bd8
SHA512: d86c9c40feae4b8148396882ff0ad9c729ef3175d1cf51ecf4cb78d77c7afb56b418157b9c5624e312e6ecd9744c819abefe971ca020b215491286c0f4118d83

Filesize: 5.2MB
MD5: c97481e16df51133685ba9168bbaa696
SHA1: 81fa6ec75700ae4ef85ea8e321b4261eeff98149
SHA256: 29bd6b579fb444c336ca5369d339a8d97705e51bbecac46e9f32e0e1d6686937
SHA512: edb983e9921f7dd3a54ea22fe976f576865d474be58982bd79fe3e2fef37fdadc0b444723ce3c595945d4059f0d7081775b1b2a4fe6f0687cee5ada1398d9cbc

Filesize: 5.2MB
MD5: 4e1a83cee8e092bab19cb01af02434d2
SHA1: 99b235c1f6554a40fe8b9a48631bd53dacd041f6
SHA256: 7b6d8f58037d964554a5c0bf68ceffc80f425d59621a7b3d594e496e405f4c6e
SHA512: 1168ecdbbd1aa259b0c15324e49c4d28bf207d5ccdd582a4f87222cb28e27a286e0017d7cc3c428e154b6e43bc2108c4492a1cb902cc33a4de95c3b801e714c3

Filesize: 5.2MB
MD5: 61eb30d01c5de07d2d73e20c40c00e38
SHA1: 6aaf9d390311fed175baa9284e7eacc9b66a66b7
SHA256: 9c4bc505c8291753bbcf9e581429ab693441eaae74e81ac28c2b2c28633476eb
SHA512: 4cc2465ad95d8e2550a811f0967c7f0acde9599ca0da0f33d2cdb19fbb8bcad6ade2988431d2b4c05a658a5b641acfe0dc93310415e37938d0f71a1600bd24bf

Filesize: 5.2MB
MD5: 7703a69c3e61f3ccaf2f9096311e264e
SHA1: 48b999e6ff78353fc140dbfd9d6385f61869a1c1
SHA256: 9b3c6868e2893b0b18e02b3f38f469cdf2f0abee191f2ec61c5102894f605022
SHA512: b44ead27ef6ade20a0b1c494d616e4ab5a9cb3854b4288570f56119822a129b2601e5531add15653a80b90cfb252b5000ce7fe5956fce60a469b25356df997bb

Filesize: 5.2MB
MD5: 5d3afc8db59d4d122416aac48a802a25
SHA1: a060888afcc54f5562f77fa192044f112fa35513
SHA256: 683afcb99f53b1f83b1fe107ebcea14eb3eaf19ea1f1b6012b841fd8a39ab0f9
SHA512: 9d6196b8d6b2c44b105f400e793ba742b65f9b051628fb5babce0529af1d7c47f2a4270c6053becc59ce070470d7b11d13d3420474cee1037b7c29e3b45fd534

Filesize: 5.2MB
MD5: d2eb2c97fa6c40987a6e38bf7b1c100c
SHA1: 94bf4762e3e43e977b3d44225ff6545461b395dc
SHA256: b177aa4837857e811354facf9d86cf4ac28448ca268b82454b357573173d178e
SHA512: f9825cbd65f09df478be20a2bcabcc1fd7664e371900ea3ab69e680437fc6758ecd188f0f1e5552c50b5e4c9b1aaf21fe0ba329cef149560e9136c3152a5b407

Filesize: 5.2MB
MD5: ee131c0f690bf0a34c6119eaf77e165a
SHA1: 9d8d0cff4b715ebc9bb2d48bf2c81bad0ede4bbd
SHA256: 771963d26310700fea53c647b86c90499b2d03abfe18e5513957c53f9c3fa6cb
SHA512: 23e0de3a766a8456be1b291eeeba4ffd69aa85f10253b0d38d38f37ea537c69e18ead4070f108c6cff230f8f1d3f48cecc21b8c625b07f297094c54943e3303c

Filesize: 5.2MB
MD5: 2a915343a3b94ce5e9e08df617e80f73
SHA1: f48ab84f681f53b9ac757590abf7acffce4f1088
SHA256: 6c7f3b82a2f269b8df0df3672348725602498140812c2f4e9e404ab925da79ad
SHA512: 5adf48b8a2ca447217df58b6b7019fd0bebd94eb3c0a28a6d55778397540d29fb249689947ce7eeac50ce6c61cc8223c0b7a71777ffb33e7e4b686ad82308985

Filesize: 5.2MB
MD5: 188b211175e19dda47f03a8508f14773
SHA1: 53c1062bc40f14973a35d2e69f33859676d935ad
SHA256: f8d57827465f740fdefb2ca36dfb9fc805ee4bdc23a0980553c147dc4ae690e8
SHA512: a603ecee53d6b85a0569bb08442a49ebf378cf0db5545f83e1e0243919350891591d829cc4515ba997c52c3ede37943ffead1d9ff17d864521ea34ae703c8004

Filesize: 5.2MB
MD5: 60c2528a73238ec0a292fa0cf926b100
SHA1: a120925a6b504b3a4b81ca9a82419ce51636e172
SHA256: efbadc4e4fad1ffeea05ed8ee0aa5f2c2de25347ac22c947e6e79dc61bf61e00
SHA512: 6e30e6fbbca267be481944122ab60a840f0ef76d01606c4eacd789d01d79ecaee74acf7f98842a70a4dd987e94563adeeb27e33b7026e8a44e5a00cdb4244554

Filesize: 5.2MB
MD5: 90c9521aff97adaa6cb3b77ce838dbfa
SHA1: d398bf100e369ea3a34564b40ebeda9f7053b94e
SHA256: 29a10bd85c56d7b03983fbe997aa03ae51665d12d370ffdae5f6350b5738af86
SHA512: 19bcd0a30dc35a85dbd859cb37313c35df7283e0695a51bdae01019204697f02d4257ae94f3f88bffbd11142e5fd9a4a9f288df81b1faa24da5f8d247e51fcf9

Filesize: 5.2MB
MD5: 9180475dc85b14a9d94040ad7378f3a2
SHA1: 6f1615f35f03f78106047709b5d330d210b3d22a
SHA256: 4d381a9468de0d688ecc12b2c9a688b43535f75d90c0d83c58e52cff4151aef8
SHA512: c426fc6babd786fcdb0bb3e0406c11c77fdb569f7bd81e1e134fdc1c7d8e161c8692750e90c76bd1b6bc18958d0f20b2131992d29f8f9261c9ba0f335bbd3033

Filesize: 5.2MB
MD5: 1b2f6c220a0d78067add47cd17da681c
SHA1: cc0dae9ada470ec0bb900addd84bd20a756fffe8
SHA256: 3f32b6b5f74c7fd70bae724a37aae55332f909723ed3fd2383d52d0b608b7b1c
SHA512: efdbf220c0f895c1bbb5cfedfb05b8ed9d7377e632f8ffe246f0d835c08cc91cd120aa97813e69cc7ccb4d34ce8a9adb68c780f5518eb3ae97cf0e17ca75df19

Filesize: 5.2MB
MD5: 08308c8789368cb5ae0f9e3d999bbdde
SHA1: 0582db3f35d89b575f84e533ec7cb5804753b871
SHA256: a4409086020be1a187ca38e3c9a4463bd32b7a2186db56847ae22fe6f7572f39
SHA512: 2c79a18fdca6143decb542aabc5da4215143ccf8f9ab74156e58c688e99e5741b79bff1697ac7c11a0dd622bd0996d980f475b1f13be8a407b51038ad45b0f1a

Filesize: 5.2MB
MD5: a363c661c53db3ff8369c1a2f5414204
SHA1: 666e1c1ee9cd7454c2e79560307554902cfb2d8b
SHA256: a2a4d411455cd75fc030be3d0917e67125406f98736e184b7391af9171694fa9
SHA512: 871c276923aa786ba810fa2a607e7e03266f8ef147a0e702b695e1db813fde7645fb5c3a3b896f8862e2ef48125c8550583896961e54a7a0126f0ebe0b036954

Filesize: 5.2MB
MD5: 4ffd1c8e3a1c3b3c01a5cd4ac884c46a
SHA1: bdf8c52877488208203504a7d1bcd621f0d2f90b
SHA256: eabc61c3a4f4eabcfb63019a9a159460b910276259109b7ec4a06950e44abba5
SHA512: 954f47f4f20b3f69000eaa1b3750d132f8f9c25b14f3dca8028568fb6cc2c45d0716d5e9518dd9abf88552bb2835857e4817ca4286540b9061375109ee23f717

Filesize: 5.2MB
MD5: 0e8276620e8b4ec3f12038862c322fa9
SHA1: a6415b588ad13dbdef58d865ca7bb59f77c91b42
SHA256: 88edaa5ef204fa7225c8e5369ffbe6d19334d66dfe1dd87f2ae30fcefebea320
SHA512: f6c0096830020d6f487cd525ddf571193795f237ff11f7d918c6f1f5b92b2a888462b305cd3c00626485f3bf23040f0af12c7db0ec4608762a271a0aa171d597