Analysis
-
max time kernel
142s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
25/10/2024, 11:52
Behavioral task
behavioral1
Sample
2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe
Resource
win7-20240903-en
General
-
Target
2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe
-
Size
5.2MB
-
MD5
d33b7b6e1fe0157278f9d593267e2d83
-
SHA1
e93e8c1963cff9ca40fce0ff8ce13585b664656d
-
SHA256
05066aa15d65559b5c818aae121963f180fcaf7c92b2ae8731c5595b2dedab32
-
SHA512
0e6200c63e35ce46dea88083c3effe91b346d6dd951f778ac6c964a1a13bcbb09c1eb143961a87408a745062a14d283b2a423b0c6d9f238f23d6ef55bc5337eb
-
SSDEEP
49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lz:RWWBibd56utgpPFotBER/mQ32lUf
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
-
access_type
512
-
beacon_type
256
-
create_remote_thread
768
-
crypto_scheme
256
-
host
ns7.softline.top  /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
ns8.softline.top  /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
ns9.softline.top  /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
-
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
-
http_method1
GET
-
http_method2
POST
-
maxdns
255
-
pipe_name
\\%s\pipe\msagent_%x
-
polling_time
5000
-
port_number
443
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/N4215/adj/amzn.us.sr.aps
-
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
-
watermark
0
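The http_header1 and http_header2 values are the beacon's Malleable C2 transform programs for the http-get and http-post client blocks, and the value the page labels state_machine decodes as a DER SubjectPublicKeyInfo, that is, the RSA public key the beacon uses to encrypt its session metadata for the team server. The Python script below is an added example, not part of the Triage report or of any tool it names; it assumes the transform encoding documented by open-source beacon-config parsers (4-byte big-endian opcodes, length-prefixed string operands, a 4-byte selector after BUILD, a zero opcode terminating the list) and the opcode table in OPCODES. The base64 strings are copied from the fields above; the helper and function names are the example's own.

```python
"""Decode the Malleable C2 transform blocks and the RSA public key from the
beacon config extracted above.  Added example; not part of the sandbox report."""
import base64
import struct
from typing import Dict, List, Optional, Tuple

# Base64 values copied from the http_header1, http_header2 and state_machine fields.
HTTP_HEADER1 = (
    "AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAAC"
    "AAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFC"
    "QjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    "AAAAAAAAAA=="
)
HTTP_HEADER2 = (
    "AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1"
    "ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApz"
    "ej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0z"
    "NzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAA"
    "AAAAAA=="
)
STATE_MACHINE = (  # labelled state_machine on the page; it is a DER RSA public key
    "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWe"
    "V68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a"
    "73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQAB"
)

# Transform opcodes as documented by public beacon-config parsers (assumption).
OPCODES = {1: "append", 2: "prepend", 3: "base64", 4: "print", 5: "parameter",
           6: "header", 7: "build", 8: "netbios", 9: "const_parameter",
           10: "const_header", 11: "netbiosu", 12: "uri_append", 13: "base64url",
           14: "strrep", 15: "mask", 16: "const_host_header"}
STRING_ARG = {1, 2, 5, 6, 9, 10, 16}      # one length-prefixed string operand follows
GET_BUILD = {0: "metadata"}               # what BUILD assembles in the http-get block
POST_BUILD = {0: "id", 1: "output"}       # and in the http-post block
TERMINATORS = {"header", "parameter", "print", "uri_append"}  # end a build block
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

Step = Tuple[str, Optional[str]]


def _b64(s: str) -> bytes:
    """Decode base64 tolerantly: the config pads these fields with zero bytes."""
    s = s.strip().rstrip("=")
    return base64.b64decode(s + "=" * (-len(s) % 4))


def _u32(data: bytes, pos: int) -> int:
    return struct.unpack_from(">I", data, pos)[0]


def _string(data: bytes, pos: int) -> Tuple[str, int]:
    n = _u32(data, pos)
    return data[pos + 4:pos + 4 + n].decode("latin-1"), pos + 4 + n


def decode_transform(b64: str, build_names: Dict[int, str]) -> List[Step]:
    """Walk the opcode stream until the zero terminator and return (step, operand) pairs."""
    data, steps, pos = _b64(b64), [], 0
    while pos + 4 <= len(data):
        op = _u32(data, pos)
        pos += 4
        if op == 0:
            break
        name = OPCODES.get(op, "unknown_%d" % op)
        if op in STRING_ARG:
            value, pos = _string(data, pos)
        elif op == 14:                        # strrep carries two strings
            old, pos = _string(data, pos)
            new, pos = _string(data, pos)
            value = "%s -> %s" % (old, new)
        elif op == 7:                         # build carries a 4-byte selector
            sel = _u32(data, pos)
            pos += 4
            value = build_names.get(sel, "build_%d" % sel)
        else:
            value = None
        steps.append((name, value))
    return steps


def to_profile(steps: List[Step]) -> List[str]:
    """Render decoded steps in Malleable C2 profile syntax (best effort)."""
    lines, in_block = [], False
    for name, value in steps:
        if name == "build":
            lines.append("%s {" % value)
            in_block = True
        elif name == "const_header":
            key, _, val = value.partition(": ")
            lines.append('header "%s" "%s";' % (key, val))
        elif name == "const_parameter":
            key, _, val = value.partition("=")
            lines.append('parameter "%s" "%s";' % (key, val))
        else:
            stmt = name.replace("_", "-") + ("" if value is None else ' "%s"' % value) + ";"
            lines.append(("    " if in_block else "") + stmt)
            if in_block and name in TERMINATORS:
                lines.append("}")
                in_block = False
    return lines


def _tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Minimal DER reader: (tag, contents, offset just past the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(b64: str) -> Tuple[int, int]:
    """Return (modulus bits, public exponent) from a DER SubjectPublicKeyInfo."""
    tag, spki, _ = _tlv(_b64(b64), 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, alg, pos = _tlv(spki, 0)               # AlgorithmIdentifier
    _, oid, _ = _tlv(alg, 0)
    if oid != RSA_OID:
        raise ValueError("not rsaEncryption")
    _, bits, _ = _tlv(spki, pos)              # BIT STRING; byte 0 = unused-bit count
    _, rsa_pub, _ = _tlv(bits, 1)             # RSAPublicKey SEQUENCE
    _, n, pos = _tlv(rsa_pub, 0)
    _, e, _ = _tlv(rsa_pub, pos)
    return int.from_bytes(n, "big").bit_length(), int.from_bytes(e, "big")


if __name__ == "__main__":
    print("http-get client:")
    print("\n".join(to_profile(decode_transform(HTTP_HEADER1, GET_BUILD))))
    print("http-post client:")
    print("\n".join(to_profile(decode_transform(HTTP_HEADER2, POST_BUILD))))
    print("public key: RSA-%d, e=%d" % parse_rsa_spki(STATE_MACHINE))
```

Run as-is it prints both client blocks in profile syntax and reports a 1024-bit RSA key with e=65537. The decoded http-get block (Host www.amazon.com, metadata base64-encoded into a session-token cookie between skin=noskin; and a csm-hit suffix, carried in the Cookie header) is the client section of the widely shared "amazon" Malleable C2 example profile, which is why every HTTP indicator in this config imitates Amazon while the actual C2 endpoints are the three softline.top names. Detections should key on those hosts, the two URIs and the mismatch between the Host header and the destination rather than on the Amazon-looking strings.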
Signatures
-
Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
resource  yara_rule
behavioral2/files/0x000b000000023ba6-5.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023ba7-11.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023ba8-8.dat  cobalt_reflective_dll
behavioral2/files/0x000b000000023ba4-23.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023ba9-28.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023bac-44.dat  cobalt_reflective_dll
behavioral2/files/0x000b000000023bae-58.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023bad-59.dat  cobalt_reflective_dll
behavioral2/files/0x000b000000023baf-64.dat  cobalt_reflective_dll
behavioral2/files/0x000b000000023bb0-71.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023bab-45.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023baa-43.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023bb8-81.dat  cobalt_reflective_dll
behavioral2/files/0x0009000000023bcd-100.dat  cobalt_reflective_dll
behavioral2/files/0x0009000000023bce-104.dat  cobalt_reflective_dll
behavioral2/files/0x0009000000023bcf-118.dat  cobalt_reflective_dll
behavioral2/files/0x0008000000023bd8-126.dat  cobalt_reflective_dll
behavioral2/files/0x0008000000023bd9-132.dat  cobalt_reflective_dll
behavioral2/files/0x0008000000023bd5-130.dat  cobalt_reflective_dll
behavioral2/files/0x000e000000023bd3-124.dat  cobalt_reflective_dll
behavioral2/files/0x0008000000023bc8-94.dat  cobalt_reflective_dll
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
XMRig Miner payload 46 IoCs
resource  yara_rule
behavioral2/memory/1236-30-0x00007FF7911E0000-0x00007FF791531000-memory.dmp  xmrig
behavioral2/memory/4028-34-0x00007FF71D030000-0x00007FF71D381000-memory.dmp  xmrig
behavioral2/memory/2716-72-0x00007FF779790000-0x00007FF779AE1000-memory.dmp  xmrig
behavioral2/memory/3000-66-0x00007FF782F30000-0x00007FF783281000-memory.dmp  xmrig
behavioral2/memory/4764-63-0x00007FF648E90000-0x00007FF6491E1000-memory.dmp  xmrig
behavioral2/memory/4756-54-0x00007FF7A9690000-0x00007FF7A99E1000-memory.dmp  xmrig
behavioral2/memory/3764-85-0x00007FF6EC0D0000-0x00007FF6EC421000-memory.dmp  xmrig
behavioral2/memory/3804-96-0x00007FF642350000-0x00007FF6426A1000-memory.dmp  xmrig
behavioral2/memory/208-113-0x00007FF75EB20000-0x00007FF75EE71000-memory.dmp  xmrig
behavioral2/memory/3752-134-0x00007FF6BBBA0000-0x00007FF6BBEF1000-memory.dmp  xmrig
behavioral2/memory/1776-128-0x00007FF7EE0B0000-0x00007FF7EE401000-memory.dmp  xmrig
behavioral2/memory/3468-112-0x00007FF75CFF0000-0x00007FF75D341000-memory.dmp  xmrig
behavioral2/memory/2360-102-0x00007FF7215B0000-0x00007FF721901000-memory.dmp  xmrig
behavioral2/memory/4028-82-0x00007FF71D030000-0x00007FF71D381000-memory.dmp  xmrig
behavioral2/memory/1696-144-0x00007FF63ABC0000-0x00007FF63AF11000-memory.dmp  xmrig
behavioral2/memory/4756-140-0x00007FF7A9690000-0x00007FF7A99E1000-memory.dmp  xmrig
behavioral2/memory/3856-154-0x00007FF79FCB0000-0x00007FF7A0001000-memory.dmp  xmrig
behavioral2/memory/2420-155-0x00007FF744B60000-0x00007FF744EB1000-memory.dmp  xmrig
behavioral2/memory/2284-156-0x00007FF635450000-0x00007FF6357A1000-memory.dmp  xmrig
behavioral2/memory/3376-161-0x00007FF639F90000-0x00007FF63A2E1000-memory.dmp  xmrig
behavioral2/memory/3080-165-0x00007FF6A1CC0000-0x00007FF6A2011000-memory.dmp  xmrig
behavioral2/memory/3648-166-0x00007FF797260000-0x00007FF7975B1000-memory.dmp  xmrig
behavioral2/memory/4404-167-0x00007FF6FCD40000-0x00007FF6FD091000-memory.dmp  xmrig
behavioral2/memory/1432-164-0x00007FF667BE0000-0x00007FF667F31000-memory.dmp  xmrig
behavioral2/memory/4756-168-0x00007FF7A9690000-0x00007FF7A99E1000-memory.dmp  xmrig
behavioral2/memory/4764-217-0x00007FF648E90000-0x00007FF6491E1000-memory.dmp  xmrig
behavioral2/memory/3000-220-0x00007FF782F30000-0x00007FF783281000-memory.dmp  xmrig
behavioral2/memory/2716-222-0x00007FF779790000-0x00007FF779AE1000-memory.dmp  xmrig
behavioral2/memory/1236-232-0x00007FF7911E0000-0x00007FF791531000-memory.dmp  xmrig
behavioral2/memory/4028-234-0x00007FF71D030000-0x00007FF71D381000-memory.dmp  xmrig
behavioral2/memory/3804-236-0x00007FF642350000-0x00007FF6426A1000-memory.dmp  xmrig
behavioral2/memory/3764-238-0x00007FF6EC0D0000-0x00007FF6EC421000-memory.dmp  xmrig
behavioral2/memory/2360-240-0x00007FF7215B0000-0x00007FF721901000-memory.dmp  xmrig
behavioral2/memory/3468-242-0x00007FF75CFF0000-0x00007FF75D341000-memory.dmp  xmrig
behavioral2/memory/208-244-0x00007FF75EB20000-0x00007FF75EE71000-memory.dmp  xmrig
behavioral2/memory/1776-248-0x00007FF7EE0B0000-0x00007FF7EE401000-memory.dmp  xmrig
behavioral2/memory/3752-247-0x00007FF6BBBA0000-0x00007FF6BBEF1000-memory.dmp  xmrig
behavioral2/memory/1696-256-0x00007FF63ABC0000-0x00007FF63AF11000-memory.dmp  xmrig
behavioral2/memory/3856-258-0x00007FF79FCB0000-0x00007FF7A0001000-memory.dmp  xmrig
behavioral2/memory/2420-260-0x00007FF744B60000-0x00007FF744EB1000-memory.dmp  xmrig
behavioral2/memory/2284-262-0x00007FF635450000-0x00007FF6357A1000-memory.dmp  xmrig
behavioral2/memory/3376-267-0x00007FF639F90000-0x00007FF63A2E1000-memory.dmp  xmrig
behavioral2/memory/4404-269-0x00007FF6FCD40000-0x00007FF6FD091000-memory.dmp  xmrig
behavioral2/memory/1432-271-0x00007FF667BE0000-0x00007FF667F31000-memory.dmp  xmrig
behavioral2/memory/3080-273-0x00007FF6A1CC0000-0x00007FF6A2011000-memory.dmp  xmrig
behavioral2/memory/3648-275-0x00007FF797260000-0x00007FF7975B1000-memory.dmp  xmrig
-
Executes dropped EXE 21 IoCs
pid  Process
4764  WRCrTZM.exe
3000  IfoXNPv.exe
2716  DAJywEL.exe
1236  UFEadOY.exe
4028  zazUhRg.exe
3764  nUaBubK.exe
3804  BYlYOda.exe
2360  onrdWxS.exe
3468  eMukEVk.exe
208  BvgkdvE.exe
1776  ckrSBeV.exe
3752  vBUmsPf.exe
1696  Aibevck.exe
3856  pwBOzQv.exe
2420  HIzvhJz.exe
2284  EqKWsQU.exe
3376  szvHRHA.exe
4404  rqewCzZ.exe
1432  QvjVCbl.exe
3080  MTJxnJH.exe
3648  SmicNvk.exe
-
resource  yara_rule
behavioral2/memory/4756-0-0x00007FF7A9690000-0x00007FF7A99E1000-memory.dmp  upx
behavioral2/files/0x000b000000023ba6-5.dat  upx
behavioral2/memory/4764-9-0x00007FF648E90000-0x00007FF6491E1000-memory.dmp  upx
behavioral2/files/0x000a000000023ba7-11.dat  upx
behavioral2/files/0x000a000000023ba8-8.dat  upx
behavioral2/memory/3000-14-0x00007FF782F30000-0x00007FF783281000-memory.dmp  upx
behavioral2/memory/2716-18-0x00007FF779790000-0x00007FF779AE1000-memory.dmp  upx
behavioral2/files/0x000b000000023ba4-23.dat  upx
behavioral2/files/0x000a000000023ba9-28.dat  upx
behavioral2/memory/1236-30-0x00007FF7911E0000-0x00007FF791531000-memory.dmp  upx
behavioral2/memory/4028-34-0x00007FF71D030000-0x00007FF71D381000-memory.dmp  upx
behavioral2/memory/3764-39-0x00007FF6EC0D0000-0x00007FF6EC421000-memory.dmp  upx
behavioral2/files/0x000a000000023bac-44.dat  upx
behavioral2/memory/2360-47-0x00007FF7215B0000-0x00007FF721901000-memory.dmp  upx
behavioral2/files/0x000b000000023bae-58.dat  upx
behavioral2/files/0x000a000000023bad-59.dat  upx
behavioral2/files/0x000b000000023baf-64.dat  upx
behavioral2/files/0x000b000000023bb0-71.dat  upx
behavioral2/memory/3752-73-0x00007FF6BBBA0000-0x00007FF6BBEF1000-memory.dmp  upx
behavioral2/memory/2716-72-0x00007FF779790000-0x00007FF779AE1000-memory.dmp  upx
behavioral2/memory/1776-70-0x00007FF7EE0B0000-0x00007FF7EE401000-memory.dmp  upx
behavioral2/memory/3000-66-0x00007FF782F30000-0x00007FF783281000-memory.dmp  upx
behavioral2/memory/208-65-0x00007FF75EB20000-0x00007FF75EE71000-memory.dmp  upx
behavioral2/memory/4764-63-0x00007FF648E90000-0x00007FF6491E1000-memory.dmp  upx
behavioral2/memory/3468-57-0x00007FF75CFF0000-0x00007FF75D341000-memory.dmp  upx
behavioral2/memory/4756-54-0x00007FF7A9690000-0x00007FF7A99E1000-memory.dmp  upx
behavioral2/files/0x000a000000023bab-45.dat  upx
behavioral2/files/0x000a000000023baa-43.dat  upx
behavioral2/memory/3804-40-0x00007FF642350000-0x00007FF6426A1000-memory.dmp  upx
behavioral2/files/0x000a000000023bb8-81.dat  upx
behavioral2/memory/3764-85-0x00007FF6EC0D0000-0x00007FF6EC421000-memory.dmp  upx
behavioral2/memory/3856-92-0x00007FF79FCB0000-0x00007FF7A0001000-memory.dmp  upx
behavioral2/memory/3804-96-0x00007FF642350000-0x00007FF6426A1000-memory.dmp  upx
behavioral2/files/0x0009000000023bcd-100.dat  upx
behavioral2/files/0x0009000000023bce-104.dat  upx
behavioral2/memory/208-113-0x00007FF75EB20000-0x00007FF75EE71000-memory.dmp  upx
behavioral2/files/0x0009000000023bcf-118.dat  upx
behavioral2/files/0x0008000000023bd8-126.dat  upx
behavioral2/files/0x0008000000023bd9-132.dat  upx
behavioral2/memory/3648-135-0x00007FF797260000-0x00007FF7975B1000-memory.dmp  upx
behavioral2/memory/3752-134-0x00007FF6BBBA0000-0x00007FF6BBEF1000-memory.dmp  upx
behavioral2/memory/3080-133-0x00007FF6A1CC0000-0x00007FF6A2011000-memory.dmp  upx
behavioral2/files/0x0008000000023bd5-130.dat  upx
behavioral2/memory/1432-129-0x00007FF667BE0000-0x00007FF667F31000-memory.dmp  upx
behavioral2/memory/1776-128-0x00007FF7EE0B0000-0x00007FF7EE401000-memory.dmp  upx
behavioral2/files/0x000e000000023bd3-124.dat  upx
behavioral2/memory/4404-120-0x00007FF6FCD40000-0x00007FF6FD091000-memory.dmp  upx
behavioral2/memory/3376-114-0x00007FF639F90000-0x00007FF63A2E1000-memory.dmp  upx
behavioral2/memory/3468-112-0x00007FF75CFF0000-0x00007FF75D341000-memory.dmp  upx
behavioral2/memory/2284-103-0x00007FF635450000-0x00007FF6357A1000-memory.dmp  upx
behavioral2/memory/2360-102-0x00007FF7215B0000-0x00007FF721901000-memory.dmp  upx
behavioral2/memory/2420-98-0x00007FF744B60000-0x00007FF744EB1000-memory.dmp  upx
behavioral2/files/0x0008000000023bc8-94.dat  upx
behavioral2/memory/1696-91-0x00007FF63ABC0000-0x00007FF63AF11000-memory.dmp  upx
behavioral2/memory/4028-82-0x00007FF71D030000-0x00007FF71D381000-memory.dmp  upx
behavioral2/memory/1696-144-0x00007FF63ABC0000-0x00007FF63AF11000-memory.dmp  upx
behavioral2/memory/4756-140-0x00007FF7A9690000-0x00007FF7A99E1000-memory.dmp  upx
behavioral2/memory/3856-154-0x00007FF79FCB0000-0x00007FF7A0001000-memory.dmp  upx
behavioral2/memory/2420-155-0x00007FF744B60000-0x00007FF744EB1000-memory.dmp  upx
behavioral2/memory/2284-156-0x00007FF635450000-0x00007FF6357A1000-memory.dmp  upx
behavioral2/memory/3376-161-0x00007FF639F90000-0x00007FF63A2E1000-memory.dmp  upx
behavioral2/memory/3080-165-0x00007FF6A1CC0000-0x00007FF6A2011000-memory.dmp  upx
behavioral2/memory/3648-166-0x00007FF797260000-0x00007FF7975B1000-memory.dmp  upx
behavioral2/memory/4404-167-0x00007FF6FCD40000-0x00007FF6FD091000-memory.dmp  upx
-
Drops file in Windows directory 21 IoCs
description  ioc  Process
File created  C:\Windows\System\BvgkdvE.exe  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\WRCrTZM.exe  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\IfoXNPv.exe  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\DAJywEL.exe  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\onrdWxS.exe  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\eMukEVk.exe  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\rqewCzZ.exe  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\QvjVCbl.exe  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\Aibevck.exe  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\HIzvhJz.exe  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\EqKWsQU.exe  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\MTJxnJH.exe  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\SmicNvk.exe  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\UFEadOY.exe  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\zazUhRg.exe  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\nUaBubK.exe  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\BYlYOda.exe  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\ckrSBeV.exe  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\vBUmsPf.exe  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\pwBOzQv.exe  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\szvHRHA.exe  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description  pid  Process
Token: SeLockMemoryPrivilege  4756  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege  4756  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe
-
Suspicious use of WriteProcessMemory 42 IoCs
description  pid  Process  procid_target
PID 4756 wrote to memory of 4764  4756  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe  85
PID 4756 wrote to memory of 4764  4756  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe  85
PID 4756 wrote to memory of 3000  4756  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe  86
PID 4756 wrote to memory of 3000  4756  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe  86
PID 4756 wrote to memory of 2716  4756  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe  87
PID 4756 wrote to memory of 2716  4756  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe  87
PID 4756 wrote to memory of 1236  4756  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe  88
PID 4756 wrote to memory of 1236  4756  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe  88
PID 4756 wrote to memory of 4028  4756  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe  89
PID 4756 wrote to memory of 4028  4756  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe  89
PID 4756 wrote to memory of 3764  4756  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe  90
PID 4756 wrote to memory of 3764  4756  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe  90
PID 4756 wrote to memory of 3804  4756  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe  91
PID 4756 wrote to memory of 3804  4756  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe  91
PID 4756 wrote to memory of 2360  4756  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe  93
PID 4756 wrote to memory of 2360  4756  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe  93
PID 4756 wrote to memory of 3468  4756  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe  94
PID 4756 wrote to memory of 3468  4756  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe  94
PID 4756 wrote to memory of 208  4756  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe  95
PID 4756 wrote to memory of 208  4756  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe  95
PID 4756 wrote to memory of 1776  4756  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe  96
PID 4756 wrote to memory of 1776  4756  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe  96
PID 4756 wrote to memory of 3752  4756  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe  97
PID 4756 wrote to memory of 3752  4756  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe  97
PID 4756 wrote to memory of 1696  4756  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe  99
PID 4756 wrote to memory of 1696  4756  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe  99
PID 4756 wrote to memory of 3856  4756  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe  100
PID 4756 wrote to memory of 3856  4756  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe  100
PID 4756 wrote to memory of 2420  4756  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe  101
PID 4756 wrote to memory of 2420  4756  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe  101
PID 4756 wrote to memory of 2284  4756  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe  102
PID 4756 wrote to memory of 2284  4756  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe  102
PID 4756 wrote to memory of 3376  4756  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe  103
PID 4756 wrote to memory of 3376  4756  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe  103
PID 4756 wrote to memory of 4404  4756  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe  104
PID 4756 wrote to memory of 4404  4756  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe  104
PID 4756 wrote to memory of 1432  4756  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe  105
PID 4756 wrote to memory of 1432  4756  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe  105
PID 4756 wrote to memory of 3080  4756  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe  106
PID 4756 wrote to memory of 3080  4756  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe  106
PID 4756 wrote to memory of 3648  4756  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe  107
PID 4756 wrote to memory of 3648  4756  2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe  107
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe")
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4756
    C:\Windows\System\WRCrTZM.exe  (command line: C:\Windows\System\WRCrTZM.exe)
      - Executes dropped EXE
      PID:4764
    C:\Windows\System\IfoXNPv.exe  (command line: C:\Windows\System\IfoXNPv.exe)
      - Executes dropped EXE
      PID:3000
    C:\Windows\System\DAJywEL.exe  (command line: C:\Windows\System\DAJywEL.exe)
      - Executes dropped EXE
      PID:2716
    C:\Windows\System\UFEadOY.exe  (command line: C:\Windows\System\UFEadOY.exe)
      - Executes dropped EXE
      PID:1236
    C:\Windows\System\zazUhRg.exe  (command line: C:\Windows\System\zazUhRg.exe)
      - Executes dropped EXE
      PID:4028
    C:\Windows\System\nUaBubK.exe  (command line: C:\Windows\System\nUaBubK.exe)
      - Executes dropped EXE
      PID:3764
    C:\Windows\System\BYlYOda.exe  (command line: C:\Windows\System\BYlYOda.exe)
      - Executes dropped EXE
      PID:3804
    C:\Windows\System\onrdWxS.exe  (command line: C:\Windows\System\onrdWxS.exe)
      - Executes dropped EXE
      PID:2360
    C:\Windows\System\eMukEVk.exe  (command line: C:\Windows\System\eMukEVk.exe)
      - Executes dropped EXE
      PID:3468
    C:\Windows\System\BvgkdvE.exe  (command line: C:\Windows\System\BvgkdvE.exe)
      - Executes dropped EXE
      PID:208
    C:\Windows\System\ckrSBeV.exe  (command line: C:\Windows\System\ckrSBeV.exe)
      - Executes dropped EXE
      PID:1776
    C:\Windows\System\vBUmsPf.exe  (command line: C:\Windows\System\vBUmsPf.exe)
      - Executes dropped EXE
      PID:3752
    C:\Windows\System\Aibevck.exe  (command line: C:\Windows\System\Aibevck.exe)
      - Executes dropped EXE
      PID:1696
    C:\Windows\System\pwBOzQv.exe  (command line: C:\Windows\System\pwBOzQv.exe)
      - Executes dropped EXE
      PID:3856
    C:\Windows\System\HIzvhJz.exe  (command line: C:\Windows\System\HIzvhJz.exe)
      - Executes dropped EXE
      PID:2420
    C:\Windows\System\EqKWsQU.exe  (command line: C:\Windows\System\EqKWsQU.exe)
      - Executes dropped EXE
      PID:2284
    C:\Windows\System\szvHRHA.exe  (command line: C:\Windows\System\szvHRHA.exe)
      - Executes dropped EXE
      PID:3376
    C:\Windows\System\rqewCzZ.exe  (command line: C:\Windows\System\rqewCzZ.exe)
      - Executes dropped EXE
      PID:4404
    C:\Windows\System\QvjVCbl.exe  (command line: C:\Windows\System\QvjVCbl.exe)
      - Executes dropped EXE
      PID:1432
    C:\Windows\System\MTJxnJH.exe  (command line: C:\Windows\System\MTJxnJH.exe)
      - Executes dropped EXE
      PID:3080
    C:\Windows\System\SmicNvk.exe  (command line: C:\Windows\System\SmicNvk.exe)
      - Executes dropped EXE
      PID:3648
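The config and process tree above give three host- and network-side checks that do not depend on file hashes: the SMB beacon pipe name (pipe_name is a printf pattern, so %x has to become a hex run before it can be matched), HTTP requests to the softline.top hosts that carry a Host header of www.amazon.com, and the drop-and-execute pattern in which PID 4756 writes 21 executables into C:\Windows\System\ and launches each one. The Python below is an added example, not part of the Triage report; the event records are constructed for the example in a Sysmon-like shape, the local pipe-name form \msagent_<hex> is assumed to be how pipe-creation events report it, and the function names are the example's own. The SeLockMemoryPrivilege entry in the signatures is the large-page privilege XMRig requests for its RandomX dataset; it is a separate token-level signal this script does not cover.

```python
"""Host and network checks built from the indicators in this report.
Added example; event records are constructed, not taken from the sandbox run."""
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Indicators taken from the extracted config and the process tree above.
PIPE_NAME = r"\\%s\pipe\msagent_%x"
C2_URLS = [
    "http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",
    "http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",
    "http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",
]
POST_URI = "/N4215/adj/amzn.us.sr.aps"
HOST_HEADER = "www.amazon.com"   # Host header carried in the http_header1/http_header2 blocks
USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
DROP_DIR = "c:\\windows\\system\\"   # where the sample wrote its 21 copies

C2_HOSTS = {urlsplit(u).hostname for u in C2_URLS}
C2_URIS = {urlsplit(u).path for u in C2_URLS} | {POST_URI}


def pipe_regex(pattern: str):
    """Turn the beacon's printf-style pipe name into an anchored regex for the
    local pipe name (the part after \\\\host\\pipe\\): %x -> hex run, %d -> digits,
    %s -> anything without a backslash, everything else literal."""
    local = pattern.rsplit("\\pipe\\", 1)[-1]
    parts, i = [], 0
    while i < len(local):
        spec = local[i:i + 2]
        if spec == "%x":
            parts.append("[0-9a-f]+")
            i += 2
        elif spec == "%d":
            parts.append("[0-9]+")
            i += 2
        elif spec == "%s":
            parts.append(r"[^\\]+")
            i += 2
        else:
            parts.append(re.escape(local[i]))
            i += 1
    return re.compile(r"^\\?" + "".join(parts) + "$", re.IGNORECASE)


PIPE_RE = pipe_regex(PIPE_NAME)


def check_pipe(pipe_name: str) -> bool:
    """Accepts both the local form (\\msagent_1a2b) and the full UNC form."""
    return PIPE_RE.match(pipe_name.rsplit("\\pipe\\", 1)[-1]) is not None


def check_http(dest_host: str, host_header: str, uri: str, user_agent: str) -> List[str]:
    """Reasons an HTTP request matches this beacon's profile (empty = no match)."""
    dest, reasons = dest_host.lower(), []
    if dest in C2_HOSTS:
        reasons.append("destination is a configured C2 host")
    if host_header.lower() == HOST_HEADER and not dest.endswith("amazon.com"):
        reasons.append("Host header claims %s but connection is to %s" % (host_header, dest_host))
    if uri in C2_URIS:
        reasons.append("URI matches the beacon profile")
    if user_agent == USER_AGENT and reasons:   # generic IE11 UA: only corroborating
        reasons.append("User-Agent matches the beacon profile")
    return reasons


def check_process(image: str, parent_image: str) -> List[str]:
    """Flag a new .exe directly under C:\\Windows\\System\\ started by a binary in
    a user's Temp directory, the drop-and-execute pattern in the tree above."""
    img, parent, reasons = image.lower(), parent_image.lower(), []
    if img.startswith(DROP_DIR) and img.endswith(".exe") and "\\" not in img[len(DROP_DIR):]:
        reasons.append("executable directly under C:\\Windows\\System\\")
    if "\\appdata\\local\\temp\\" in parent:
        reasons.append("parent runs from a user Temp directory")
    return reasons if len(reasons) == 2 else []


def triage(events: List[dict]) -> Dict[str, List[str]]:
    """Run each event through the check for its type; returns {event id: reasons}."""
    hits = {}
    for ev in events:
        if ev["type"] == "pipe" and check_pipe(ev["pipe"]):
            hits[ev["id"]] = ["named pipe matches %s" % PIPE_NAME]
        elif ev["type"] == "http":
            reasons = check_http(ev["dest"], ev.get("host", ""), ev["uri"], ev.get("ua", ""))
            if reasons:
                hits[ev["id"]] = reasons
        elif ev["type"] == "process":
            reasons = check_process(ev["image"], ev["parent"])
            if reasons:
                hits[ev["id"]] = reasons
    return hits


# Constructed sample events (assumption: Sysmon-like fields); paths mirror the tree above.
SAMPLE_EVENTS = [
    {"id": "e1", "type": "process", "image": r"C:\Windows\System\WRCrTZM.exe",
     "parent": r"C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe"},
    {"id": "e2", "type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"id": "e3", "type": "pipe", "pipe": r"\msagent_3f9a"},
    {"id": "e4", "type": "pipe", "pipe": r"\mojo.7312.1.8"},
    {"id": "e5", "type": "http", "dest": "ns7.softline.top", "host": "www.amazon.com",
     "uri": "/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books", "ua": USER_AGENT},
    {"id": "e6", "type": "http", "dest": "www.amazon.com", "host": "www.amazon.com",
     "uri": "/", "ua": USER_AGENT},
]

if __name__ == "__main__":
    for ev_id, reasons in triage(SAMPLE_EVENTS).items():
        print(ev_id, "->", "; ".join(reasons))
```

Only e1, e3 and e5 fire; the benign notepad launch, the Chromium mojo pipe and a genuine Amazon request do not. The User-Agent is deliberately treated as corroboration only, because it is a stock IE11 string, and the Host-header rule is scoped to the value this profile sends rather than to any mismatch, since CDN and proxy traffic legitimately disagree with the destination name.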
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize
5.2MB
MD5 d103042c8f0210620305b9797c055cfd
SHA1 de9ac4cbcea0fff593c56fdc914b641b23476490
SHA256 adec7bab2d1b37fc5ff8d3b3dc6680aa5e3408e60a9647b1478b4686398cd4a2
SHA512 d029fab067b5c7fcd73046eeef304a435408097d5282acabe420dfd7d8bbe95a7cb4bbc1fa4201f0d6ba75837184fa06e28ec8d84a7c74ebf1fc7974ff172fcf
-
Filesize
5.2MB
MD5 1b15a58e83fc1c148b03de638712b0fa
SHA1 f44812e37fb4b5c9887039f2d855aae3b1fa54f9
SHA256 2d608cbb4d928089d6f8a41121a457d1dd84686b07bae0f2376a6409580cee1f
SHA512 52bfd8b1bf6ad1f77317206713ceca5022ff72f5a648852f9513a7b75243563173e379208727c815d235608cba7e28b89ee9771193c75b63a5473f10d5bf310e
-
Filesize
5.2MB
MD5 c0e53197663531b8a997711b327dcb11
SHA1 83a601b0cc8de324f48777c9221fecb79bb48a91
SHA256 f3369068f4a9d15333c1f389ede8520cdeb94de02d91852437116e1805c9ab0e
SHA512 b6dbf0becfe2c31b6f1e030b9aecd7a805a646b8c54deaece1703418345d29cb77e21145ec77dbc64009d6a31d747234333e2f725c5ef72c7099f5c4d13295a4
-
Filesize
5.2MB
MD5 496b17b255960d2c0154780c52244585
SHA1 5abc43f03c3a5cc73b92eaf78baa1ff484ece05d
SHA256 0ff5a8161357bc1adb1038dd37c00d02fa054c6e899be05728f9d278d1de4646
SHA512 b495b6254f50ae6c0a54fbf5f06ab3d0358b6d7e3a05bc2c0e680dfef649f8aab234fe0f089b7dd0cf31170b6de3fb004b354ddce411cfd827c54701a73304cd
-
Filesize
5.2MB
MD5 6cdb8f380c0a0163e9967b6a8478e04a
SHA1 f7d34ef43a7273680cb31645d634839d815ee54f
SHA256 064fcaf1e8af7da83f70788f3e9ffffdcbe23eda486788908b58f862e3c0e804
SHA512 1b607d21c9b7a3b84d07c7fa3cee8fc2cb8d82148b351f1817ac6436dd0e1a2f87d2ab8cdcaa5bd51f41cfff69c308c30402d39a1544ccb7bc45f9904a1a7cdd
-
Filesize
5.2MB
MD5 e79023d6c905ec09cb9b70941a36ae36
SHA1 96e36e5c848ac48af1e5c30d322c9f5a8afb799e
SHA256 3eae3e8cebc52c0c6cbb82bb68cd13b1e43c9c1c72a1c4e76741416a17e45e11
SHA512 2448d83be3d2c3a47469580f58aea6d7f9fe7d8fc2d9150cee1dd066e251bf43cdf04641529a3208c5315a661b293ccf6e3da8aa2317a028d227f6c399813903
-
Filesize
5.2MB
MD5 d7e7603ecc1017ca6159ccc2e5062079
SHA1 e327647005b9f9f9b8efd7b5da5134cc3b99b9b3
SHA256 c87fa5562d24cc2608a75befaabe0b9fc88ffce9643a1c13f55b0e26c6acafb6
SHA512 4cfcd014b32bc6bbe54c92e4a72d93fbff319aa40182d5a4ac88aa1c3c61c58fb2c12436d3c32e0cde722de31ffd3d70736e67493228bc124d0223bc2fc5c528
-
Filesize
5.2MB
MD5 1830477be1ffd84727037558535ea630
SHA1 4faadb4e222e062ba1ed1e121ae0d8d008977801
SHA256 72bd094ad9cfa69e45b6aee2a3e12d723688b47ab681d4369c659cbaab75f74b
SHA512 8d43193b355d05efdc6a63897c5e965d4093d9a05ebec0bd2b0c4026e59a695ceab658ea1478544792405c8e8c546003b57fa5bcfd92e55ff9ed92501a2180e2
-
Filesize
5.2MB
MD5 13cba1e97417690f79ea0f7ac74a582c
SHA1 41ac0f876647fac78e20ac88501dafc860a734a6
SHA256 410f3ec0e9d04ee699d4cd6336b3097f8721ffdb4a0c34bc2bbc9a15ce7008a3
SHA512 15c5dff7f689f68ed8283d741baed4dc43f87c1fbc3cb1589334652cc23fed3866f1436ec1230354a7cef8543569ab2c66d2d996115542d7ed5d9f35679fb1b9
-
Filesize
5.2MB
MD5 2fc40aed2432a24d5d0cf2e967cb740d
SHA1 9c195c05bf50569fd7f792096b8ae25abb8ce9b7
SHA256 d5a249d4063262f852db3b168c551db9efecadb328e3ee8509d422fb6fc2dbf8
SHA512 0be5f65b8f3dccb0747ed78a92c0cb7d6eceda0a2c1d5d1f4498606df6fec9bb160b44ceb1e981925ce4b8a4d1e535fa3c31d52487ca74a26f2d27837babbc87
-
Filesize
5.2MB
MD5 2293bb4b6a3971b4f4c458899c2b194b
SHA1 878b8888aaa637e2ad2e96fc723892c12395a039
SHA256 b99589a1126c52149f9eb546d8797a280eb9d71a888d6fc4a2393210864ebd01
SHA512 8156c70edc6b6f2ae81875edfc1fd0f3af502e7e0c56068621d987694ddd932c90d0f41c0bb1af6d71c25f9759efc04fd9565c0bb722c6e38739912373a43598
-
Filesize
5.2MB
MD5 2a9d3c25d58f53e71529a30712a7da5c
SHA1 4dba39333b183840a78af07e5f6b39e2815066cf
SHA256 91ba557101cbb8e8944524609658fef9c37a65c6273dc235a713b7721939289f
SHA512 465a4904e58e576e05bbe07d141514b42d748e68089cda10f897e676f9d311a8a151adfbfe4d34eee889749ffd8b8f73678caae37c6c9aee0b434db1b61d9959
-
Filesize
5.2MB
MD5 43cbee0d0fafd641511ca5588fb06080
SHA1 7d5634537373ae9a33f7659bd16f63519466a726
SHA256 5f87a6f28ac3f62092891f391f8ce56bc28a2c4cfd9108a35fb0e0d0dfddd8ca
SHA512 1a3d97181e1b59149de6c135bdd1546ff9b7687c164683ef50fd9bd61395f990c9f8a98cd959f5aa98582662109a1fbf03b2d052a4f3d46e69554eb9f95dc03a
-
Filesize
5.2MB
MD5 434d351eea9a1397dda6157c8b37b2b6
SHA1 bef27e60423fdcf1e3fca5ba8ed6e70377f32663
SHA256 be52405ba8362e2e5f41f5192ba8ee81c68fa5071902e767bfd199b7886f8052
SHA512 5d5c6018efa9b12c356759c8988b25e068cd9307d7a00dc067b46f19fcaee4251902decadb42436913603a196fea9551a78377e486550147aa9821b28d26b943
-
Filesize
5.2MB
MD5 9124d618f93ab8ef7b2556b3644bcc23
SHA1 569da2255fc2ed8aba6d2af8e9c586bdc6755bbb
SHA256 334a292b7c2ed2f325b05f553dd9867ba8711a800f01d16cecceab7652bf3e01
SHA512 1207d6219e698e02a887bcdde1c7f20c90b54a2c0fe58ce0e7699332c099e32b6b5169988559cb1bf84a2bec16182da5f01407476548e37f0497ed83ab9fd681
-
Filesize
5.2MB
MD5 5bf3ecb47da7af8b90bfa63b59ceac67
SHA1 c0a98e367d9c9e17a95c1337e57bdd20574a8a25
SHA256 1c74ba63945e604077fe225976d638c14e34870c07853ce4abb724cac56fbb88
SHA512 c6a67914543f714c7f8d526a5ce3fabe4857a69b6fca96b58988cbd708327fd82ad5609c9510656ba721ac6a6159f6ce10de4d58810b5002b0312c2f127a3615
-
Filesize
5.2MB
MD5 04c371aca299b2c8dc64bee20cc050f9
SHA1 4957578b11fd55eb6ed5472267c9931303206b11
SHA256 c25d26e41792ae0b08b35d60c2e425169e4f409c53d4cc2f5220a6cac92c9a67
SHA512 778c09a309008d1a1845ad0a3a611384557d67c9764ecbcc6494b5d9be4c2f01c44fa4fbfc9faca4a5e68cd466a61e7a64c4c65e93d82ea155059277e3e80a97
-
Filesize
5.2MB
MD5 6c3e621ec6e4228e7f1994e2743a3c85
SHA1 7a97532bbc76cc25844bec695d4415d455728716
SHA256 3e93393d9cbf89f919a576632a8d43512679877f5e7a7dee883e16d9b86d6089
SHA512 3710213e69216af4e3c2903e354d38982d67b45ee69ad0be81535b0acf82b87cd50d730429de50e87cb0676540ab24e6d54090e9b57a3f784d1cad6d33f85281
-
Filesize
5.2MB
MD5 065ff471c444ffe026bcdc2134c88d16
SHA1 aa6ffacb0db804f25dc1537a0a10bd5107bc1e32
SHA256 ae8f62e1fadb0c5c43756ad2c41d6ebdebc0bdb14f4e947b2142583d2ee544fe
SHA512 09bf4fd95c757b8586f351684cafc1a39914e3d8377d38b92e18802ab4422b4da2020aadbca0ec49e5c2aa0aed103142362b7e68dcf421c5f707e3b1e00f348b
-
Filesize
5.2MB
MD5 43642a3f965c7043c0d267783141c507
SHA1 15706fd02738dec99d7232b2b3bed7b431dc3a89
SHA256 2b390360fec2ae653c3b6e54ed82fa0c988333eeceb0707cfc8d977e8e047aca
SHA512 ef9f62c8b8fda9cfe69f662a65d6c4a0784b7b28ea63a95b6c7171b375e8567a19557153429000465cbf7498a8d00fdfd52751866890f8ad6f42626c77aecb82
-
Filesize
5.2MB
MD5 3dc7b841075983cf7b28651dfa946bf8
SHA1 266195a29b025cb34ddbce60d90ece7ea7ea3849
SHA256 9a26e46568676c2126895689940d16bceb38a80c61752e25423c074627922635
SHA512 b682f249f9ff5742bf4a9e98f8aec2bc5b1af784a56195ccc47927e00607b026ce8d8708726bc25b0893d600941489181cb11729ff49652896d8a292211e006e