Malware Analysis Report

2025-03-15 08:02

Sample ID 240814-z8ep4avhkb
Target 2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat
SHA256 614233b5e50372848f77dbeea5484975f0933abeb96124801397c2918ab477a9
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

614233b5e50372848f77dbeea5484975f0933abeb96124801397c2918ab477a9

Threat Level: Known bad

The file 2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Xmrig family

xmrig

XMRig Miner payload

Cobalt Strike reflective loader

Cobaltstrike

Cobaltstrike family

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-14 21:23

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-14 21:23

Reported

2024-08-14 21:25

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\gZMNeRC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LIRLenV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\giHwwJu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OzrORBx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rXFmJUz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZnWfJaP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dBqIuaf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bDgwqLh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wGoHHIM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EebEoVM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iijXHPa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bzOVeAk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WowAWxd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ukjSniC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QCiVaYK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WGImGiN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DlkOXGs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jzDjCMs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nigEBMX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fgZHZhF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aRELhyd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5104 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OzrORBx.exe
PID 5104 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wGoHHIM.exe
PID 5104 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EebEoVM.exe
PID 5104 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jzDjCMs.exe
PID 5104 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iijXHPa.exe
PID 5104 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ukjSniC.exe
PID 5104 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bzOVeAk.exe
PID 5104 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rXFmJUz.exe
PID 5104 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZnWfJaP.exe
PID 5104 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QCiVaYK.exe
PID 5104 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dBqIuaf.exe
PID 5104 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nigEBMX.exe
PID 5104 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gZMNeRC.exe
PID 5104 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LIRLenV.exe
PID 5104 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bDgwqLh.exe
PID 5104 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WGImGiN.exe
PID 5104 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DlkOXGs.exe
PID 5104 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\giHwwJu.exe
PID 5104 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WowAWxd.exe
PID 5104 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fgZHZhF.exe
PID 5104 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aRELhyd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\OzrORBx.exe

C:\Windows\System\OzrORBx.exe

C:\Windows\System\wGoHHIM.exe

C:\Windows\System\wGoHHIM.exe

C:\Windows\System\EebEoVM.exe

C:\Windows\System\EebEoVM.exe

C:\Windows\System\jzDjCMs.exe

C:\Windows\System\jzDjCMs.exe

C:\Windows\System\iijXHPa.exe

C:\Windows\System\iijXHPa.exe

C:\Windows\System\ukjSniC.exe

C:\Windows\System\ukjSniC.exe

C:\Windows\System\bzOVeAk.exe

C:\Windows\System\bzOVeAk.exe

C:\Windows\System\rXFmJUz.exe

C:\Windows\System\rXFmJUz.exe

C:\Windows\System\ZnWfJaP.exe

C:\Windows\System\ZnWfJaP.exe

C:\Windows\System\QCiVaYK.exe

C:\Windows\System\QCiVaYK.exe

C:\Windows\System\dBqIuaf.exe

C:\Windows\System\dBqIuaf.exe

C:\Windows\System\nigEBMX.exe

C:\Windows\System\nigEBMX.exe

C:\Windows\System\gZMNeRC.exe

C:\Windows\System\gZMNeRC.exe

C:\Windows\System\LIRLenV.exe

C:\Windows\System\LIRLenV.exe

C:\Windows\System\bDgwqLh.exe

C:\Windows\System\bDgwqLh.exe

C:\Windows\System\WGImGiN.exe

C:\Windows\System\WGImGiN.exe

C:\Windows\System\DlkOXGs.exe

C:\Windows\System\DlkOXGs.exe

C:\Windows\System\giHwwJu.exe

C:\Windows\System\giHwwJu.exe

C:\Windows\System\WowAWxd.exe

C:\Windows\System\WowAWxd.exe

C:\Windows\System\fgZHZhF.exe

C:\Windows\System\fgZHZhF.exe

C:\Windows\System\aRELhyd.exe

C:\Windows\System\aRELhyd.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files


Analysis: behavioral1

Detonation Overview

Submitted

2024-08-14 21:23

Reported

2024-08-14 21:25

Platform

win7-20240704-en

Max time kernel

142s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\nVXpkSs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mKMipJu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RjMtjcp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yRgSdoU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bdAejdn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zUWZhVa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wtNGJPP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TQVvpsJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\deewEaI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uRHlWeK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JpiHJrB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KfqiGWU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fmwyVKP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UlqFtbX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\micZyeo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ajQutaJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HNwMVQD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fVKjFfP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KzhtXoe.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lkLFWql.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fAbuhuG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1772 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RjMtjcp.exe
PID 1772 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JpiHJrB.exe
PID 1772 wrote to memory of 112 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fVKjFfP.exe
PID 1772 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KzhtXoe.exe
PID 1772 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yRgSdoU.exe
PID 1772 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wtNGJPP.exe
PID 1772 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lkLFWql.exe
PID 1772 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KfqiGWU.exe
PID 1772 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TQVvpsJ.exe
PID 1772 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bdAejdn.exe
PID 1772 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zUWZhVa.exe
PID 1772 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fAbuhuG.exe
PID 1772 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\micZyeo.exe
PID 1772 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nVXpkSs.exe
PID 1772 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ajQutaJ.exe
PID 1772 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fmwyVKP.exe
PID 1772 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UlqFtbX.exe
PID 1772 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\deewEaI.exe
PID 1772 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HNwMVQD.exe
PID 1772 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uRHlWeK.exe
PID 1772 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mKMipJu.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\RjMtjcp.exe

C:\Windows\System\RjMtjcp.exe

C:\Windows\System\JpiHJrB.exe

C:\Windows\System\JpiHJrB.exe

C:\Windows\System\fVKjFfP.exe

C:\Windows\System\fVKjFfP.exe

C:\Windows\System\KzhtXoe.exe

C:\Windows\System\KzhtXoe.exe

C:\Windows\System\yRgSdoU.exe

C:\Windows\System\yRgSdoU.exe

C:\Windows\System\wtNGJPP.exe

C:\Windows\System\wtNGJPP.exe

C:\Windows\System\lkLFWql.exe

C:\Windows\System\lkLFWql.exe

C:\Windows\System\KfqiGWU.exe

C:\Windows\System\KfqiGWU.exe

C:\Windows\System\TQVvpsJ.exe

C:\Windows\System\TQVvpsJ.exe

C:\Windows\System\bdAejdn.exe

C:\Windows\System\bdAejdn.exe

C:\Windows\System\zUWZhVa.exe

C:\Windows\System\zUWZhVa.exe

C:\Windows\System\fAbuhuG.exe

C:\Windows\System\fAbuhuG.exe

C:\Windows\System\micZyeo.exe

C:\Windows\System\micZyeo.exe

C:\Windows\System\nVXpkSs.exe

C:\Windows\System\nVXpkSs.exe

C:\Windows\System\ajQutaJ.exe

C:\Windows\System\ajQutaJ.exe

C:\Windows\System\fmwyVKP.exe

C:\Windows\System\fmwyVKP.exe

C:\Windows\System\UlqFtbX.exe

C:\Windows\System\UlqFtbX.exe

C:\Windows\System\deewEaI.exe

C:\Windows\System\deewEaI.exe

C:\Windows\System\HNwMVQD.exe

C:\Windows\System\HNwMVQD.exe

C:\Windows\System\uRHlWeK.exe

C:\Windows\System\uRHlWeK.exe

C:\Windows\System\mKMipJu.exe

C:\Windows\System\mKMipJu.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

\Windows\system\RjMtjcp.exe

MD5 8c47f625a0fa1b8050fab3386298df5f
SHA1 003ba1726d61acd4a08291e9543dd760e7373a39
SHA256 df75049ede5c468df3710ae9b993d0d76aaaa28f9f1428bb5c37bc95c30b50bc
SHA512 bf629566e15bd01e1ef4e50e1763c1160fde9384f0cf7ac253fcdf708e929c7b16b67600a1b219bec862a1994cf9cab533a754033e0f545c8a0bc11e314c8a91

\Windows\system\wtNGJPP.exe

MD5 29b51ea701d425b46f29396e74295ee2
SHA1 ae7d3bcb988cd860ddddeb4742352c923a7b9ec8
SHA256 2ec39707c84e41b4042c84b6595ea8fffc2401a644ff0f54b002175a5fbe478b
SHA512 b1f64a45bb587000d2c11daee72730e628bbc3357af815f3d6ba5f4aa689d0050079621456853240df78d71d08722b100c724f76263b2299e4ff16ed134dc6ef

C:\Windows\system\fVKjFfP.exe

MD5 7df8942a65612178b217f1a9a5bee001
SHA1 cb125ff65c332220b6d50e70b0426f83d1882925
SHA256 01a510141d0d4c7c8f17e4fedcae52b2b4acf8fafe7a31b1181373cb070b767b
SHA512 47694f34400ea360796d2618da933bab97e944531108e05f13a61248c34aae64f87af1f716031e782942272d7133da1c9256e5f9203924c5e320cb85629af4f0

C:\Windows\system\fAbuhuG.exe

MD5 26a8874a7357ee20ab1b9d0ee25ff585
SHA1 2b3fea5a66f41f8dbcd8db43543c390610f12db6
SHA256 e8f1826812a9b8d33b9e9763efd83772e42e853d78573089eb8219f79f3c9d48
SHA512 11fed5ce4da4d5cc47131b07d09fab107f532031a568f115cea7a13f1141a6a88aa8b7542c908262e948f37f491ca0a20f7cbd339737cfde47add7904a6a489e

\Windows\system\lkLFWql.exe

MD5 a1e74e2e09848076025a09a647e59378
SHA1 78c067c4d50e79e645c10c629740d4935534ecfd
SHA256 30f1d716fb6d35521b0205be9094a2a7bfb57fc952937ad4203df27254396ce9
SHA512 3b8a55c8063ec32533ca60a262a4752711ad84da159fedbe66b03abb36cd92e91592b0f4375caacf743758c1f809fac76a4ba46a5ee5e4567a0bfe6b9adcd833

C:\Windows\system\KfqiGWU.exe

MD5 c919de64eddaf9ce472b21d66d9de993
SHA1 3ca0accceacf65deed7661b158de4018dfad3094
SHA256 7e51a2bbe5c784978b607bd807bfa8d88595267b796a3e686a58ca57cec2284d
SHA512 7216aad4bb1caa022c4c77a649c9c013960f6c08c3ca27f32e61bf4ab45a6b40c97e3bbb02be740638adb7f5d1eaf400382eccd9b40ba153936533dfaa516f88

C:\Windows\system\HNwMVQD.exe

MD5 010417e27cd0da886703637ccecabac2
SHA1 4837f4ca6e847d741cb774be23f58c556aab9644
SHA256 b0548165558d53e15da928399fbbe5b100077f61a0e032eebc5fc7aa8397c972
SHA512 08a8571dae142fc6463271e42b8f0632920815324de2d72e8adaeecf5c8153ac8c12efcc6f52203daec77e2f3363f4d9ecb45122234a6524657c66fc2e8ef255

\Windows\system\mKMipJu.exe

MD5 255465251e3ee9e9cf65299810ff2381
SHA1 1716ff20c247396b735da00f20004b7c346019e5
SHA256 2801fa7c489457bc4fd3a0874a178f64e0e96bfb441fc6073084f994a5c61b91
SHA512 3a70022a1c0829bf40c3662a6edd939689dd104c0699c211a17c390ec07cbdffb7ee17106f960e82b4a4cd850f0a627ad077c8af262eca5b4dc92047d86b10a5

C:\Windows\system\uRHlWeK.exe

MD5 b0eed62a656e3932b629250c35cf7f56
SHA1 a013f56961f72feadcfb24ee39793ee6f28f156a
SHA256 8d7de00bb78e078fd7a8dffefbb4337de8f1b48ecd388973a70e4d78a5f43414
SHA512 01408e38c3d5218577ce3c1a2030f8db89d33d72b9220525207a11f705df9069a20248678c8ef69fa4d6e698b75ee5d71977e9dbcdc1e75d04e0fcb460bc1046

C:\Windows\system\deewEaI.exe

MD5 a5de219fb2e0bee0938d598f4500f204
SHA1 670f73ab732f33f14a6c1688a20d650ada0e322e
SHA256 ee21bd8cd80938f3f802bd46290217e83de5817c48b6210e19b455d834b91fca
SHA512 35cd7197d66f3a5fa7a5da9e7ef36b776b56a362d2093214d181c70141222181f5d619a895eb85a47260c2be30dd8910f1c05d757a9d763e699629ae0c4bc1e7

C:\Windows\system\UlqFtbX.exe

MD5 bac36c661f98fcc0b2616f354d6eec32
SHA1 1a9bc0d6ac8daf9d55ebdb79720de6822b769fc4
SHA256 bcd8ab5d38257732fe8b3771c87e4a9bf5539696adcdd8ba1eeda44c5373aa80
SHA512 ad40506714ae9175f75a5c9198fa443be8f94a0944fa5338aee75d9fd133adb0fd393a012b2e44021a0c5aeecffd06ef29ae7af83d05c14d25c50c2422a4aa5c

C:\Windows\system\ajQutaJ.exe

MD5 446477d46d80d8e47e8dcb17671804cf
SHA1 2e02fc27ed68e57c84784b7d411b842f14d2b053
SHA256 3a957039b247cd2a2f5ad85e6d24989c0a5c81c238e108527712b7dbe79a0cda
SHA512 a45b9392de0666da8a1b61d46f23170a95290a49c86937d2de0dfd1174db7058427edf67c638271882fca603794cfa3abf8a20cf3bc573b18da16d22dea7ade3

C:\Windows\system\fmwyVKP.exe

MD5 6e6b7a547f2c63615638fe4815571e76
SHA1 8e022fda950ebe8c64c00507262dbc35076b1b2f
SHA256 4ce4ef2aaac5f6f05f2bf076164667d898e04172074b4213283f1e1a5a0f2836
SHA512 1e5b2fe386f4a8859f7b60c6815fa1d014236b6559c98384a73e130244f62ca0ab0aff36360f86fd199e19d3c5c80b4e76c20ed12ef50ec9d72cd0dc9298a1f4

C:\Windows\system\micZyeo.exe

MD5 f5d6ec04cf070cd65490d1a8b3fec268
SHA1 fde779be42e8399dcc0d2c1c4b77ac0051879d03
SHA256 9e06db3fa003494ff11947c807b1a47f539805b2634cb12ca32b344bf84383e9
SHA512 3b8632a94d46a05a504f6e31c7d5728ff14a70d54caeaf86a69bd295681727eb4263b6d486b546bf1f997b7e6a55550c9b13b4679d5d48ca1543e9e04a6f68e3

\Windows\system\zUWZhVa.exe

MD5 53bacfa409645133552d28bb7c8afa31
SHA1 a0a0df41ec182f770c151a2c5637b70da6f32b21
SHA256 784ebe8ab600b045c2bb984da78f2da27e4d4f77d6677e52a2b0af5148dcebed
SHA512 65495e5b97f5dc407d963a61098118a6a89040d5e98c5e1d0ae9ddb2f3a53f6e8a04f634ad421a825b11c13884032f784a7ae2a9dd0c16290813c537560046b5

C:\Windows\system\nVXpkSs.exe

MD5 da26d7c39e6be8c3c53284d8cc35e3e5
SHA1 cc76c599f5c6af1dfe73a241a17216c546510f72
SHA256 16b3250fd6606323485010122e83c84a6db4a9d50c92e5157876b47527c20dbc
SHA512 6cb8e5463c18ff80f088b39f8c87153e34ea85a983f9e838e7436687e8ba61d22ac29b872fa07f480bc8dc632751e079970f09de5617d73c25209403584032b7

\Windows\system\TQVvpsJ.exe

MD5 8ea38b77e17fba3ecfa36c8555f17261
SHA1 0ebedf0065d873620d6e950e7b822fa8b1e76794
SHA256 ae708f114d7dacca4a5a63776735c3016946751784e7fda1a0ee1a0061e7ea6f
SHA512 a286ea6fbb54d47b91f0d6b879a5336947711e716d12cd7bf6008960687759569622ee834f390d56f071ef4b83e4a87ec63774efb5c05a6456ddf431892575d7

\Windows\system\yRgSdoU.exe

MD5 1f453564245d5a5949534e25afa1aee9
SHA1 2f0071ebc0e111b3e21a38f2aa6249add7221c93
SHA256 6456e247c3a5335ce70cbd37c679782199dbf1a73a5d3b6096d0a557abc7361f
SHA512 4636d8968699d7c7830bf73f107448a5d96defe69ebaf0713e9289d00a58cb5961a764ea52f3dac848c32ef4ae9a249bdf1d335870b0a51ba45087d24c3b9096

C:\Windows\system\bdAejdn.exe

MD5 15bdfaa787d7bf752c6cbef2536b0fe6
SHA1 3573334eef0386a3239e94a60f34cff354882a49
SHA256 5832355af484fcebd52d31d50765e7b28a6586d24be171a02fa860ea3eb28d19
SHA512 a95d45b10520511d173ac561fafd33bb3b8f43db302281151e4c2b2e42aa4de86ca8ea12527875353133f8276aad330f1ed312989851b3f1afa8845839405b5b

C:\Windows\system\JpiHJrB.exe

MD5 0166d2dba0a8a7f0dd150077919b9fa2
SHA1 0a3ef169320c91890539020b16d174e162bdf661
SHA256 f24efe07ef38c203dced499acc551aa33df97814780232f2dfe5cc252698b4a1
SHA512 2a5f3dbc38ecb01dc5e81c3948d68d696d3fb1d18523e656ede4299d42bae9047ab5e29d153bb42f22f5ff82d124205b949778e732900b50dc3f37a8d59280ac

C:\Windows\system\KzhtXoe.exe

MD5 b38817ec5006ba0dd5fcd1484c6c4804
SHA1 5c6dce7d279407f385c7d222fb61adccfcc0d9d0
SHA256 733680ac84dae7bfc64a607ed42ca98cba1f41526e0450526e68fc461b296db9
SHA512 b39900dd2c7b254dd89f367dcb752612df87093c00e9b864a1672c2b4d14bbfe9084e5b116efa247ddf1e31f034d221db2ab77634b195d274679a4e63d6a42cc
