Analysis

  • max time kernel
    131s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14/09/2024, 09:48 UTC

General

  • Target

    2024-09-14_d45784228c48eb7d35957031c1ac389d_cobalt-strike_cobaltstrike_poet-rat.exe

  • Size

    5.9MB

  • MD5

    d45784228c48eb7d35957031c1ac389d

  • SHA1

    27050959764bbc924c8db6eabe3558f89a511617

  • SHA256

    74c52888e87ba9d2bbd9268dd0e4499f9f3af67393aba468b34a79d31a556be3

  • SHA512

    fee423ec4fe25cc6e7a53ee035b3971c722200150be8095da7021a36c8d54dbdf4975d8031b4e0bd235830ca2b4a9f90edc1f0fed9561d8d31efd75452b6a650

  • SSDEEP

    98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUG:T+856utgpPF8u/7G

Score
10/10

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner payload 2 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs

    The process adjusts its own token privileges. XMRig does this to enable SeLockMemoryPrivilege for large-page allocations, which is the likely source of this hit.

  Note: the "cobalt-strike" and "poet-rat" tags in the submitted filename are not corroborated by any signature in this report; the only payload identified is XMRig.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-14_d45784228c48eb7d35957031c1ac389d_cobalt-strike_cobaltstrike_poet-rat.exe (PID 3432, depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-09-14_d45784228c48eb7d35957031c1ac389d_cobalt-strike_cobaltstrike_poet-rat.exe"
    Signatures: Suspicious use of AdjustPrivilegeToken

Network

  DNS queries (all sent to 8.8.8.8:53, geolocated US; the report records no response for any of them):

  • PTR 28.118.140.52.in-addr.arpa
  • PTR 240.221.184.93.in-addr.arpa
  • PTR 95.221.229.192.in-addr.arpa
  • PTR 232.168.11.51.in-addr.arpa
  • PTR 86.23.85.13.in-addr.arpa
  • PTR 18.31.95.13.in-addr.arpa

  None of these reverse lookups is attributed to a process in the report (the TCP rows below are), so they cannot be tied to the sample from this page alone.
  Connections (destination; process or query name; protocol; bytes sent; bytes received; packets sent; packets received; "-" = not listed in the report):

  Destination         Process / query                                                                              Proto  Sent   Recv   Pkts sent  Pkts recv
  3.120.209.58:8080   2024-09-14_d45784228c48eb7d35957031c1ac389d_cobalt-strike_cobaltstrike_poet-rat.exe         -      260 B  -      5          -
  3.120.209.58:8080   2024-09-14_d45784228c48eb7d35957031c1ac389d_cobalt-strike_cobaltstrike_poet-rat.exe         -      260 B  -      5          -
  3.120.209.58:8080   2024-09-14_d45784228c48eb7d35957031c1ac389d_cobalt-strike_cobaltstrike_poet-rat.exe         -      260 B  -      5          -
  3.120.209.58:8080   2024-09-14_d45784228c48eb7d35957031c1ac389d_cobalt-strike_cobaltstrike_poet-rat.exe         -      260 B  -      5          -
  3.120.209.58:8080   2024-09-14_d45784228c48eb7d35957031c1ac389d_cobalt-strike_cobaltstrike_poet-rat.exe         -      260 B  -      5          -
  3.120.209.58:8080   2024-09-14_d45784228c48eb7d35957031c1ac389d_cobalt-strike_cobaltstrike_poet-rat.exe         -      260 B  -      5          -
  8.8.8.8:53          28.118.140.52.in-addr.arpa                                                                   dns    72 B   158 B  1          1
  8.8.8.8:53          240.221.184.93.in-addr.arpa                                                                  dns    73 B   144 B  1          1
  8.8.8.8:53          95.221.229.192.in-addr.arpa                                                                  dns    73 B   144 B  1          1
  8.8.8.8:53          232.168.11.51.in-addr.arpa                                                                   dns    72 B   158 B  1          1
  8.8.8.8:53          86.23.85.13.in-addr.arpa                                                                     dns    70 B   144 B  1          1
  8.8.8.8:53          18.31.95.13.in-addr.arpa                                                                     dns    70 B   144 B  1          1

  The six rows to 3.120.209.58:8080 are identical: 260 B in 5 packets sent, nothing received. 260 / 5 = 52 B per packet is the on-wire size of a Windows TCP SYN with its default options, so each row is consistent with a connection attempt (SYN plus retransmissions) that the remote host never answered. The sample did not complete a session with this address during the run, so no pool protocol traffic was captured.
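  Added example (not part of the report or of the sandbox vendor's tooling): the connection rows above transcribed into Python, with the two checks a reviewer would run over them: decoding the PTR names back to the addresses being looked up, and flagging destinations where every row is sent-only with SYN-sized packets. The sent/received column meanings and the "tcp" label on the 3.120.209.58 rows are assumptions; the report itself lists no protocol for them.

```python
import re
from collections import defaultdict

SAMPLE = "2024-09-14_d45784228c48eb7d35957031c1ac389d_cobalt-strike_cobaltstrike_poet-rat.exe"

# Rows transcribed from the report's Network section:
# (destination, process or DNS name, protocol, bytes sent, bytes received,
#  packets sent, packets received). The report shows one byte count and one
# packet count for the TCP rows; these are taken as the "sent" side and the
# received side is recorded as None (assumption). "tcp" is assumed too.
CONNECTIONS = [("3.120.209.58:8080", SAMPLE, "tcp", 260, None, 5, None)] * 6 + [
    ("8.8.8.8:53", "28.118.140.52.in-addr.arpa", "dns", 72, 158, 1, 1),
    ("8.8.8.8:53", "240.221.184.93.in-addr.arpa", "dns", 73, 144, 1, 1),
    ("8.8.8.8:53", "95.221.229.192.in-addr.arpa", "dns", 73, 144, 1, 1),
    ("8.8.8.8:53", "232.168.11.51.in-addr.arpa", "dns", 72, 158, 1, 1),
    ("8.8.8.8:53", "86.23.85.13.in-addr.arpa", "dns", 70, 144, 1, 1),
    ("8.8.8.8:53", "18.31.95.13.in-addr.arpa", "dns", 70, 144, 1, 1),
]

PTR_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$")


def decode_ptr(name):
    """Turn a reverse-lookup name back into the IPv4 address it asks about."""
    m = PTR_RE.match(name)
    if not m:
        return None
    return ".".join(reversed(m.groups()))


def looks_syn_only(tx_bytes, tx_pkts, rx_bytes):
    """True when nothing came back and every packet sent is SYN-sized.

    An IPv4 SYN with the usual Windows options (MSS, window scale, SACK
    permitted) is 52 bytes on the wire; 40..60 covers option-less to
    fully-optioned SYNs. The report's 260 B / 5 packets gives exactly 52.
    """
    if rx_bytes or tx_pkts == 0 or tx_bytes % tx_pkts:
        return False
    return 40 <= tx_bytes // tx_pkts <= 60


def summarize(rows):
    """Aggregate rows per destination: attempt count, byte totals, attribution."""
    out = defaultdict(lambda: {"attempts": 0, "bytes_sent": 0, "bytes_received": 0,
                               "processes": set(), "queries": set(), "all_syn_only": True})
    for dst, name, proto, tx_b, rx_b, tx_p, rx_p in rows:
        s = out[dst]
        s["attempts"] += 1
        s["bytes_sent"] += tx_b
        s["bytes_received"] += rx_b or 0
        if proto == "dns":
            s["queries"].add(name)       # DNS rows carry the query, not a process
        else:
            s["processes"].add(name)     # TCP rows carry the originating process
        s["all_syn_only"] &= looks_syn_only(tx_b, tx_p, rx_b)
    return dict(out)


def findings(rows):
    """Human-readable notes: unanswered connection attempts and unattributed lookups."""
    notes = []
    for dst, s in summarize(rows).items():
        if s["processes"] and s["all_syn_only"]:
            notes.append(f"{dst}: {s['attempts']} unanswered connection attempts "
                         f"({s['bytes_sent']} B sent, 0 B received) by "
                         f"{', '.join(sorted(s['processes']))}")
        if s["queries"] and not s["processes"]:
            ips = sorted(filter(None, map(decode_ptr, s["queries"])))
            notes.append(f"{dst}: {len(s['queries'])} PTR lookups for {', '.join(ips)} "
                         "not attributed to any process in the report")
    return notes


if __name__ == "__main__":
    for note in findings(CONNECTIONS):
        print(note)
```

  The SYN-size heuristic is deliberately a range rather than the single value 52, since a different TCP stack or a sandbox with non-default options shifts the per-packet size by a few bytes; what matters for triage is "sent-only, all packets header-sized", which separates a dead pool address from a session that carried data.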

MITRE ATT&CK Matrix


Downloads

  • memory/3432-0-0x00007FF7CDC80000-0x00007FF7CDFD4000-memory.dmp (Filesize 3.3MB)
  • memory/3432-1-0x00000214FC8B0000-0x00000214FC8C0000-memory.dmp (Filesize 64KB)
  • memory/3432-2-0x00007FF7CDC80000-0x00007FF7CDFD4000-memory.dmp (Filesize 3.3MB)
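  Added example (not part of the report or of the sandbox vendor's tooling): the dump names above encode the PID, a sequence number and the virtual address range of each capture. The code below parses that layout (the layout is an assumption read off the three names), confirms the listed sizes against the ranges, and picks out the range that was captured twice, which for a UPX-packed image is the pair to diff (packed bytes in the earlier capture, in-place unpacked code in the later one).

```python
import re
from collections import defaultdict

# Dump names transcribed from the Downloads section, with the size the report lists.
DUMPS = [
    ("memory/3432-0-0x00007FF7CDC80000-0x00007FF7CDFD4000-memory.dmp", "3.3MB"),
    ("memory/3432-1-0x00000214FC8B0000-0x00000214FC8C0000-memory.dmp", "64KB"),
    ("memory/3432-2-0x00007FF7CDC80000-0x00007FF7CDFD4000-memory.dmp", "3.3MB"),
]

# Assumed layout: memory/<pid>-<sequence>-<start VA>-<end VA>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
PAGE = 0x1000  # x64 Windows user-mode regions are page granular


def parse_dump(name):
    """Split a dump name into pid, sequence, VA range and size; reject malformed names."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start or start % PAGE or end % PAGE:
        raise ValueError(f"bad or unaligned range in {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def human(n):
    """Format a byte count the way the report does (one decimal for MB, whole KB)."""
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    if n >= 1 << 10:
        return f"{n // (1 << 10)}KB"
    return f"{n}B"


def check_sizes(dumps):
    """For each dump, whether the listed size matches the size implied by its VA range."""
    return [(name, human(parse_dump(name)["size"]) == listed) for name, listed in dumps]


def repeated_regions(dumps):
    """Map each VA range captured more than once to the sequence numbers of its captures.

    A region dumped twice is the one worth diffing: the same image range before
    and after the packer stub has run. Signatures and string extraction belong
    on the later capture, not on the on-disk UPX file.
    """
    seen = defaultdict(list)
    for name, _ in dumps:
        d = parse_dump(name)
        seen[(d["start"], d["end"])].append(d["seq"])
    return {rng: seqs for rng, seqs in seen.items() if len(seqs) > 1}


if __name__ == "__main__":
    for name, ok in check_sizes(DUMPS):
        d = parse_dump(name)
        print(f"{name}: {d['size']:#x} bytes = {human(d['size'])} {'ok' if ok else 'MISMATCH'}")
    for (s, e), seqs in repeated_regions(DUMPS).items():
        print(f"region {s:#x}-{e:#x} dumped at sequences {seqs}: diff these")
```

  The 0x7FF7CDC80000-0x7FF7CDFD4000 range is 0x354000 bytes, which rounds to the report's 3.3MB; the 64KB region at 0x214FC8B0000 is a single capture and is not paired with anything.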
