Analysis
max time kernel: 140s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 25/10/2024, 11:51
Behavioral task: behavioral1
Sample: 2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe
Resource: win7-20240903-en
General
Target: 2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe
Size: 5.2MB
MD5: b346335f26a9c80e41a61c4caa52601e
SHA1: a45c77d5d6463c1bfbe4e92475014245157529be
SHA256: 229bebd92a6b215cae70486bc4303023911e6e6299769923e235bedcbd430ff9
SHA512: bb7cdb60fa922c52a2b349389c6f9ecb97ccfb1dda2ee462c5ed4782e24f088b6a032b54a6a0dfc6c86014f8468dc7c52bf300e98d7ce7b00a4e1d7f9479ded3
SSDEEP: 49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lo:RWWBibd56utgpPFotBER/mQ32lUE
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2:
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
Signatures
Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
XMRig Miner payload 45 IoCs
Executes dropped EXE 21 IoCs
pid   Process
1872  ODUDEtT.exe
2552  OQwaaeZ.exe
2596  HVeobic.exe
5064  HgzDiDF.exe
1556  eUtIDIl.exe
2828  gMYweKB.exe
1348  aJcnBVV.exe
2184  ArhBAlg.exe
3292  yEMkEAa.exe
4848  QSPxuzz.exe
332   whjTHAj.exe
756   ROXzypk.exe
2292  nzbqjHW.exe
1684  xulpMeN.exe
4468  XvOnaaS.exe
4504  ZpSqGVc.exe
4640  DJoAAKS.exe
2836  YOWsSLj.exe
3120  jImBnTz.exe
2380  NeaTZvn.exe
2072  eGkMNLH.exe
UPX (yara_rule upx): matched on all 21 dropped .dat resources and on the memory regions of the submitted sample (PID 2216) and each of the 21 dropped EXEs.
Drops file in Windows directory 21 IoCs
description: File created
Process (all 21 entries): 2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe
ioc:
C:\Windows\System\gMYweKB.exe
C:\Windows\System\yEMkEAa.exe
C:\Windows\System\QSPxuzz.exe
C:\Windows\System\XvOnaaS.exe
C:\Windows\System\ZpSqGVc.exe
C:\Windows\System\OQwaaeZ.exe
C:\Windows\System\HVeobic.exe
C:\Windows\System\HgzDiDF.exe
C:\Windows\System\jImBnTz.exe
C:\Windows\System\eGkMNLH.exe
C:\Windows\System\YOWsSLj.exe
C:\Windows\System\ROXzypk.exe
C:\Windows\System\nzbqjHW.exe
C:\Windows\System\DJoAAKS.exe
C:\Windows\System\aJcnBVV.exe
C:\Windows\System\xulpMeN.exe
C:\Windows\System\NeaTZvn.exe
C:\Windows\System\whjTHAj.exe
C:\Windows\System\ODUDEtT.exe
C:\Windows\System\eUtIDIl.exe
C:\Windows\System\ArhBAlg.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description: Token: SeLockMemoryPrivilege; pid: 2216; Process: 2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe
description: Token: SeLockMemoryPrivilege; pid: 2216; Process: 2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe
Suspicious use of WriteProcessMemory 42 IoCs
pid 2216 (Process: 2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe) wrote to memory of the following target PIDs; each entry appears twice in the report (42 entries in total):
target PID  procid_target
1872        85
2552        86
2596        87
5064        88
1556        89
2828        90
1348        91
2184        92
3292        93
4848        94
332         95
756         96
2292        97
4640        98
1684        99
4468        100
4504        101
2836        102
3120        103
2380        104
2072        105
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe"
  PID: 2216
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  child processes (depth 2):
    C:\Windows\System\ODUDEtT.exe (command line: "C:\Windows\System\ODUDEtT.exe"), PID 1872 - Executes dropped EXE
    C:\Windows\System\OQwaaeZ.exe (command line: "C:\Windows\System\OQwaaeZ.exe"), PID 2552 - Executes dropped EXE
    C:\Windows\System\HVeobic.exe (command line: "C:\Windows\System\HVeobic.exe"), PID 2596 - Executes dropped EXE
    C:\Windows\System\HgzDiDF.exe (command line: "C:\Windows\System\HgzDiDF.exe"), PID 5064 - Executes dropped EXE
    C:\Windows\System\eUtIDIl.exe (command line: "C:\Windows\System\eUtIDIl.exe"), PID 1556 - Executes dropped EXE
    C:\Windows\System\gMYweKB.exe (command line: "C:\Windows\System\gMYweKB.exe"), PID 2828 - Executes dropped EXE
    C:\Windows\System\aJcnBVV.exe (command line: "C:\Windows\System\aJcnBVV.exe"), PID 1348 - Executes dropped EXE
    C:\Windows\System\ArhBAlg.exe (command line: "C:\Windows\System\ArhBAlg.exe"), PID 2184 - Executes dropped EXE
    C:\Windows\System\yEMkEAa.exe (command line: "C:\Windows\System\yEMkEAa.exe"), PID 3292 - Executes dropped EXE
    C:\Windows\System\QSPxuzz.exe (command line: "C:\Windows\System\QSPxuzz.exe"), PID 4848 - Executes dropped EXE
    C:\Windows\System\whjTHAj.exe (command line: "C:\Windows\System\whjTHAj.exe"), PID 332 - Executes dropped EXE
    C:\Windows\System\ROXzypk.exe (command line: "C:\Windows\System\ROXzypk.exe"), PID 756 - Executes dropped EXE
    C:\Windows\System\nzbqjHW.exe (command line: "C:\Windows\System\nzbqjHW.exe"), PID 2292 - Executes dropped EXE
    C:\Windows\System\DJoAAKS.exe (command line: "C:\Windows\System\DJoAAKS.exe"), PID 4640 - Executes dropped EXE
    C:\Windows\System\xulpMeN.exe (command line: "C:\Windows\System\xulpMeN.exe"), PID 1684 - Executes dropped EXE
    C:\Windows\System\XvOnaaS.exe (command line: "C:\Windows\System\XvOnaaS.exe"), PID 4468 - Executes dropped EXE
    C:\Windows\System\ZpSqGVc.exe (command line: "C:\Windows\System\ZpSqGVc.exe"), PID 4504 - Executes dropped EXE
    C:\Windows\System\YOWsSLj.exe (command line: "C:\Windows\System\YOWsSLj.exe"), PID 2836 - Executes dropped EXE
    C:\Windows\System\jImBnTz.exe (command line: "C:\Windows\System\jImBnTz.exe"), PID 3120 - Executes dropped EXE
    C:\Windows\System\NeaTZvn.exe (command line: "C:\Windows\System\NeaTZvn.exe"), PID 2380 - Executes dropped EXE
    C:\Windows\System\eGkMNLH.exe (command line: "C:\Windows\System\eGkMNLH.exe"), PID 2072 - Executes dropped EXE
Downloads