Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/10/2024, 11:54

Behavioral task: behavioral1
- Sample: 2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe
- Resource: win7-20240903-en
General
- Target: 2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe
- Size: 5.2MB
- MD5: f356f53568f3fe623d3db7149a57d2f0
- SHA1: fe01d01c441b805681d655ca6b88af5c87a7b66a
- SHA256: ec0342c224d1a630bac0247fcd10a2300d53d93c16cf8e30604a7fda933131b7
- SHA512: ec0c8034273ec13e2e80aec79fcc76d2bd1cbf81e8779774e227539fc4c0ed9c45a4b1a462434acb88446996ea44e56979512aa0b97f73f30dc6c91950a0bc3f
- SSDEEP: 49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lm:RWWBibd56utgpPFotBER/mQ32lUa
Malware Config
Extracted
cobaltstrike
0
- http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- access_type: 512
- beacon_type: 256
- create_remote_thread: 768
- crypto_scheme: 256
- host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http_header1:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_header2:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
- http_method1: GET
- http_method2: POST
- maxdns: 255
- pipe_name: \\%s\pipe\msagent_%x
- polling_time: 5000
- port_number: 443
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 4096
- unknown2:
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /N4215/adj/amzn.us.sr.aps
- user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
- watermark: 0
Signatures

Cobalt Strike reflective loader (21 IoCs)
Detects the reflective loader used by Cobalt Strike.
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.

XMRig Miner payload (45 IoCs)
Executes dropped EXE (21 IoCs)
PID / Process:
- 4712 xYRTiBL.exe
- 2152 OEBkNnE.exe
- 1832 kqUmsBO.exe
- 4836 quvZurg.exe
- 2832 UKgCkED.exe
- 2260 PxElHep.exe
- 3576 cdVLYuS.exe
- 2400 ciZwxCz.exe
- 4048 NNmfyLp.exe
- 2156 eronHPT.exe
- 4744 meiumHc.exe
- 2460 airEmQp.exe
- 4676 sPceonp.exe
- 2976 gnvFqke.exe
- 5084 DjKfyzb.exe
- 2732 EuZmSCO.exe
- 3240 GeerTYM.exe
- 1152 tNGYyhO.exe
- 1820 cEQVkAm.exe
- 928 rbmzQux.exe
- 1632 XYSTzlS.exe
UPX (yara_rule upx): matches in the dropped files and in the memory regions of the sample process (PID 1764) and its child processes.
Drops file in Windows directory (21 IoCs)
All 21 files were created by 2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe under C:\Windows\System:
- C:\Windows\System\cdVLYuS.exe
- C:\Windows\System\airEmQp.exe
- C:\Windows\System\EuZmSCO.exe
- C:\Windows\System\OEBkNnE.exe
- C:\Windows\System\eronHPT.exe
- C:\Windows\System\GeerTYM.exe
- C:\Windows\System\tNGYyhO.exe
- C:\Windows\System\kqUmsBO.exe
- C:\Windows\System\UKgCkED.exe
- C:\Windows\System\PxElHep.exe
- C:\Windows\System\NNmfyLp.exe
- C:\Windows\System\DjKfyzb.exe
- C:\Windows\System\rbmzQux.exe
- C:\Windows\System\cEQVkAm.exe
- C:\Windows\System\XYSTzlS.exe
- C:\Windows\System\xYRTiBL.exe
- C:\Windows\System\quvZurg.exe
- C:\Windows\System\ciZwxCz.exe
- C:\Windows\System\meiumHc.exe
- C:\Windows\System\sPceonp.exe
- C:\Windows\System\gnvFqke.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeLockMemoryPrivilege, PID 1764, Process 2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe
- Token: SeLockMemoryPrivilege, PID 1764, Process 2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe
Suspicious use of WriteProcessMemory (42 IoCs)
Processes

- C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe (PID 1764)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Child processes (each launched by PID 1764 as its own path with no arguments; each flagged "Executes dropped EXE"):
  - C:\Windows\System\xYRTiBL.exe (PID 4712)
  - C:\Windows\System\OEBkNnE.exe (PID 2152)
  - C:\Windows\System\kqUmsBO.exe (PID 1832)
  - C:\Windows\System\quvZurg.exe (PID 4836)
  - C:\Windows\System\UKgCkED.exe (PID 2832)
  - C:\Windows\System\PxElHep.exe (PID 2260)
  - C:\Windows\System\cdVLYuS.exe (PID 3576)
  - C:\Windows\System\ciZwxCz.exe (PID 2400)
  - C:\Windows\System\NNmfyLp.exe (PID 4048)
  - C:\Windows\System\eronHPT.exe (PID 2156)
  - C:\Windows\System\meiumHc.exe (PID 4744)
  - C:\Windows\System\airEmQp.exe (PID 2460)
  - C:\Windows\System\sPceonp.exe (PID 4676)
  - C:\Windows\System\gnvFqke.exe (PID 2976)
  - C:\Windows\System\DjKfyzb.exe (PID 5084)
  - C:\Windows\System\EuZmSCO.exe (PID 2732)
  - C:\Windows\System\GeerTYM.exe (PID 3240)
  - C:\Windows\System\tNGYyhO.exe (PID 1152)
  - C:\Windows\System\cEQVkAm.exe (PID 1820)
  - C:\Windows\System\rbmzQux.exe (PID 928)
  - C:\Windows\System\XYSTzlS.exe (PID 1632)
Downloads