Analysis

max time kernel: 150s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/10/2024, 11:52
Behavioral task: behavioral1
Sample: 2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe
Resource: win7-20240903-en
General

Target: 2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe
Size: 5.2MB
MD5: bf492e8fe609314ea99cc11e57500cbd
SHA1: 26390a70811abcd773d86f6ccd79a35107b26329
SHA256: ffce603765f6bad1f27321a2c7dbe428b7b7aa9d5d4a0ed78b83296fc3f236f1
SHA512: fa819a7f32d42c0d34632fd3ab61da06543d5312020df70699f22669461048490a4d3e2b7692e5647ab813fb9b6be643e5b738742d882871cac01c4b49021aa7
SSDEEP: 49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l3:RWWBibd56utgpPFotBER/mQ32lUT
Malware Config

Extracted: cobaltstrike [0]

C2 URLs:
- http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2:
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
Signatures
-
Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
XMRig Miner payload 45 IoCs
Executes dropped EXE 21 IoCs
Drops file in Windows directory 21 IoCs
Suspicious use of AdjustPrivilegeToken 2 IoCs
Token: SeLockMemoryPrivilege, PID 5104, process 2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe (reported twice)
Suspicious use of WriteProcessMemory 42 IoCs
Processes

1. C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe (PID 5104)
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe"
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   Child processes (depth 2), each flagged "Executes dropped EXE":
   - C:\Windows\System\sgLXlJp.exe (PID 1680)
   - C:\Windows\System\PysYUSO.exe (PID 2060)
   - C:\Windows\System\bPyTItp.exe (PID 2096)
   - C:\Windows\System\SSbLcit.exe (PID 4976)
   - C:\Windows\System\SXWsWjj.exe (PID 5100)
   - C:\Windows\System\judZQpF.exe (PID 2032)
   - C:\Windows\System\jVcgHzc.exe (PID 3976)
   - C:\Windows\System\QpMTLrz.exe (PID 952)
   - C:\Windows\System\KeZKehj.exe (PID 2160)
   - C:\Windows\System\mKbVIXY.exe (PID 956)
   - C:\Windows\System\mINPePc.exe (PID 2516)
   - C:\Windows\System\CiwPRGi.exe (PID 3360)
   - C:\Windows\System\urxkLVh.exe (PID 1724)
   - C:\Windows\System\WdvDejg.exe (PID 4828)
   - C:\Windows\System\cBSSSUg.exe (PID 1956)
   - C:\Windows\System\RSQFjzT.exe (PID 2596)
   - C:\Windows\System\JuCuLOO.exe (PID 1268)
   - C:\Windows\System\hCAUkFI.exe (PID 3064)
   - C:\Windows\System\ZBoluBS.exe (PID 1052)
   - C:\Windows\System\MdReKcT.exe (PID 776)
   - C:\Windows\System\yaNuRZV.exe (PID 4536)
Downloads