Analysis
- max time kernel: 141s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-09-2024 21:46
Behavioral task: behavioral1
- Sample: 2024-09-20_25155dc75fb17a02571d4013ab4ea2de_cobalt-strike_cobaltstrike_poet-rat.exe
- Resource: win7-20240903-en
General
- Target: 2024-09-20_25155dc75fb17a02571d4013ab4ea2de_cobalt-strike_cobaltstrike_poet-rat.exe
- Size: 5.2MB
- MD5: 25155dc75fb17a02571d4013ab4ea2de
- SHA1: 6f7d53a05f2e6427fc648b711a48a7ef2e107cb8
- SHA256: 0fe3c1bd57822b505f31bf806801fa949d948f15bf2184990b99893594826772
- SHA512: 23f94469cda2e156106804e9a985769f64455c94b111fc31ee03c259d7f992107faa67a078f60d241ec7e1a8eb345fb2a9aad9d81add91ca1874fbde43418664
- SSDEEP: 49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lj:RWWBibf56utgpPFotBER/mQ32lUX
Malware Config
Extracted
- Family: cobaltstrike
- 0
- C2 URLs:
  http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
  http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
  http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- access_type: 512
- beacon_type: 256
- create_remote_thread: 768
- crypto_scheme: 256
- host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http_header1: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_header2: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
- http_method1: GET
- http_method2: POST
- maxdns: 255
- pipe_name: \\%s\pipe\msagent_%x
- polling_time: 5000
- port_number: 443
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 4096
- unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /N4215/adj/amzn.us.sr.aps
- user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
- watermark: 0
Signatures
- Cobalt Strike reflective loader (21 IoCs)
  Detects the reflective loader used by Cobalt Strike.
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- XMRig Miner payload (45 IoCs)
- Executes dropped EXE (21 IoCs)
  pid   Process
  2528  kRoaGTt.exe
  4800  DTfgJuC.exe
  3484  pyDIWjv.exe
  4184  GvqgWLY.exe
  4016  uLnydre.exe
  1084  TcpYAdI.exe
  5024  eqXaSfy.exe
  408   RcSTIJQ.exe
  116   jmZlYJM.exe
  1048  eAGZbGb.exe
  4628  mvuNSIN.exe
  3108  cYSMxwj.exe
  3000  aPfwjSi.exe
  3916  dvzcvXV.exe
  3180  RwdYLbo.exe
  5084  BkXQQpb.exe
  4056  hhrsFCs.exe
  2612  LqwYrCe.exe
  384   LxrQuem.exe
  4580  KOHCrdh.exe
  4072  DQoudnC.exe
- Drops file in Windows directory (21 IoCs)
  description: File created (every entry); Process: 2024-09-20_25155dc75fb17a02571d4013ab4ea2de_cobalt-strike_cobaltstrike_poet-rat.exe (every entry)
  ioc:
  C:\Windows\System\DTfgJuC.exe
  C:\Windows\System\eqXaSfy.exe
  C:\Windows\System\cYSMxwj.exe
  C:\Windows\System\aPfwjSi.exe
  C:\Windows\System\dvzcvXV.exe
  C:\Windows\System\DQoudnC.exe
  C:\Windows\System\GvqgWLY.exe
  C:\Windows\System\uLnydre.exe
  C:\Windows\System\RcSTIJQ.exe
  C:\Windows\System\RwdYLbo.exe
  C:\Windows\System\BkXQQpb.exe
  C:\Windows\System\hhrsFCs.exe
  C:\Windows\System\kRoaGTt.exe
  C:\Windows\System\jmZlYJM.exe
  C:\Windows\System\KOHCrdh.exe
  C:\Windows\System\pyDIWjv.exe
  C:\Windows\System\TcpYAdI.exe
  C:\Windows\System\eAGZbGb.exe
  C:\Windows\System\mvuNSIN.exe
  C:\Windows\System\LxrQuem.exe
  C:\Windows\System\LqwYrCe.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                   pid   Process
  Token: SeLockMemoryPrivilege  5004  2024-09-20_25155dc75fb17a02571d4013ab4ea2de_cobalt-strike_cobaltstrike_poet-rat.exe
  Token: SeLockMemoryPrivilege  5004  2024-09-20_25155dc75fb17a02571d4013ab4ea2de_cobalt-strike_cobaltstrike_poet-rat.exe
- Suspicious use of WriteProcessMemory (42 IoCs)
  pid 5004, Process 2024-09-20_25155dc75fb17a02571d4013ab4ea2de_cobalt-strike_cobaltstrike_poet-rat.exe in every entry; each of the 21 entries below is recorded twice in the report.
  description                          procid_target
  PID 5004 wrote to memory of 2528     83
  PID 5004 wrote to memory of 4800     84
  PID 5004 wrote to memory of 3484     85
  PID 5004 wrote to memory of 4184     86
  PID 5004 wrote to memory of 4016     87
  PID 5004 wrote to memory of 1084     88
  PID 5004 wrote to memory of 5024     89
  PID 5004 wrote to memory of 408      90
  PID 5004 wrote to memory of 116      91
  PID 5004 wrote to memory of 1048     92
  PID 5004 wrote to memory of 4628     93
  PID 5004 wrote to memory of 3108     94
  PID 5004 wrote to memory of 3000     95
  PID 5004 wrote to memory of 3916     96
  PID 5004 wrote to memory of 3180     97
  PID 5004 wrote to memory of 5084     98
  PID 5004 wrote to memory of 4056     99
  PID 5004 wrote to memory of 384      100
  PID 5004 wrote to memory of 2612     101
  PID 5004 wrote to memory of 4580     102
  PID 5004 wrote to memory of 4072     105
Processes
Each child below was started with its own path as the command line; indentation shows the process depth.

C:\Users\Admin\AppData\Local\Temp\2024-09-20_25155dc75fb17a02571d4013ab4ea2de_cobalt-strike_cobaltstrike_poet-rat.exe (PID 5004, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-09-20_25155dc75fb17a02571d4013ab4ea2de_cobalt-strike_cobaltstrike_poet-rat.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\System\kRoaGTt.exe (PID 2528, depth 2)
    - Executes dropped EXE
  C:\Windows\System\DTfgJuC.exe (PID 4800, depth 2)
    - Executes dropped EXE
  C:\Windows\System\pyDIWjv.exe (PID 3484, depth 2)
    - Executes dropped EXE
  C:\Windows\System\GvqgWLY.exe (PID 4184, depth 2)
    - Executes dropped EXE
  C:\Windows\System\uLnydre.exe (PID 4016, depth 2)
    - Executes dropped EXE
  C:\Windows\System\TcpYAdI.exe (PID 1084, depth 2)
    - Executes dropped EXE
  C:\Windows\System\eqXaSfy.exe (PID 5024, depth 2)
    - Executes dropped EXE
  C:\Windows\System\RcSTIJQ.exe (PID 408, depth 2)
    - Executes dropped EXE
  C:\Windows\System\jmZlYJM.exe (PID 116, depth 2)
    - Executes dropped EXE
  C:\Windows\System\eAGZbGb.exe (PID 1048, depth 2)
    - Executes dropped EXE
  C:\Windows\System\mvuNSIN.exe (PID 4628, depth 2)
    - Executes dropped EXE
  C:\Windows\System\cYSMxwj.exe (PID 3108, depth 2)
    - Executes dropped EXE
  C:\Windows\System\aPfwjSi.exe (PID 3000, depth 2)
    - Executes dropped EXE
  C:\Windows\System\dvzcvXV.exe (PID 3916, depth 2)
    - Executes dropped EXE
  C:\Windows\System\RwdYLbo.exe (PID 3180, depth 2)
    - Executes dropped EXE
  C:\Windows\System\BkXQQpb.exe (PID 5084, depth 2)
    - Executes dropped EXE
  C:\Windows\System\hhrsFCs.exe (PID 4056, depth 2)
    - Executes dropped EXE
  C:\Windows\System\LxrQuem.exe (PID 384, depth 2)
    - Executes dropped EXE
  C:\Windows\System\LqwYrCe.exe (PID 2612, depth 2)
    - Executes dropped EXE
  C:\Windows\System\KOHCrdh.exe (PID 4580, depth 2)
    - Executes dropped EXE
  C:\Windows\System\DQoudnC.exe (PID 4072, depth 2)
    - Executes dropped EXE
Network
DNS queries (remote address 8.8.8.8:53, all IN PTR; the Response column is blank where the report recorded no answer):
  Request                        Response
  232.168.11.51.in-addr.arpa
  20.160.190.20.in-addr.arpa
  95.221.229.192.in-addr.arpa
  154.239.44.20.in-addr.arpa
  196.249.167.52.in-addr.arpa
  26.165.165.52.in-addr.arpa
  15.164.165.52.in-addr.arpa
  79.190.18.2.in-addr.arpa       a2-18-190-79.deploy.static.akamaitechnologies.com
  22.236.111.52.in-addr.arpa

Flows (fields in the order the report lists them):
  3.120.209.58:8080 | 2024-09-20_25155dc75fb17a02571d4013ab4ea2de_cobalt-strike_cobaltstrike_poet-rat.exe | 260 B | 5
  3.120.209.58:8080 | 2024-09-20_25155dc75fb17a02571d4013ab4ea2de_cobalt-strike_cobaltstrike_poet-rat.exe | 260 B | 5
  3.120.209.58:8080 | 2024-09-20_25155dc75fb17a02571d4013ab4ea2de_cobalt-strike_cobaltstrike_poet-rat.exe | 260 B | 5
  3.120.209.58:8080 | 2024-09-20_25155dc75fb17a02571d4013ab4ea2de_cobalt-strike_cobaltstrike_poet-rat.exe | 260 B | 5
  3.120.209.58:8080 | 2024-09-20_25155dc75fb17a02571d4013ab4ea2de_cobalt-strike_cobaltstrike_poet-rat.exe | 260 B | 5
  3.120.209.58:8080 | 2024-09-20_25155dc75fb17a02571d4013ab4ea2de_cobalt-strike_cobaltstrike_poet-rat.exe | 208 B | 4
  72 B | 158 B | 1 | 1 | DNS Request | 232.168.11.51.in-addr.arpa
  72 B | 158 B | 1 | 1 | DNS Request | 20.160.190.20.in-addr.arpa
  73 B | 144 B | 1 | 1 | DNS Request | 95.221.229.192.in-addr.arpa
  72 B | 158 B | 1 | 1 | DNS Request | 154.239.44.20.in-addr.arpa
  73 B | 147 B | 1 | 1 | DNS Request | 196.249.167.52.in-addr.arpa
  72 B | 146 B | 1 | 1 | DNS Request | 26.165.165.52.in-addr.arpa
  72 B | 146 B | 1 | 1 | DNS Request | 15.164.165.52.in-addr.arpa
  70 B | 133 B | 1 | 1 | DNS Request | 79.190.18.2.in-addr.arpa
  72 B | 158 B | 1 | 1 | DNS Request | 22.236.111.52.in-addr.arpa
Downloads