Analysis
max time kernel: 145s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/10/2024, 11:43
Behavioral task: behavioral1
Sample: 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe
Resource: win7-20240903-en
General
Target: 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe
Size: 5.2MB
MD5: 08d9c58acde848aa8bfa633343558c6b
SHA1: 865533778cffc8f94ec2352ad330c002fe481d8e
SHA256: f4e34a310e209cda8c05991ca933c2c54aae34f99a269534dbea1ea0495ea60d
SHA512:
3465f21808683f2e468210944717677360243660ed5ea8457802b080241408b0175ccb2e9db5749eaebce52e8bb2f54165fcd6ea77db511592931e616bccaab9
SSDEEP:
49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lS:RWWBibd56utgpPFotBER/mQ32lU2
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1 (base64):
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2 (base64):
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine (base64):
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2 (base64):
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
Signatures
Cobalt Strike reflective loader (21 IoCs)
Detects the reflective loader used by Cobalt Strike.
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
XMRig Miner payload (45 IoCs)
Executes dropped EXE (21 IoCs)
pid  | Process
2420 | mreQECg.exe
2276 | HkqbZsN.exe
232  | cgETvJO.exe
5064 | oChjBqi.exe
460  | nBHtFnQ.exe
4824 | OHPtLMm.exe
3708 | YVZotDn.exe
3756 | dXpysas.exe
3792 | HkvenMA.exe
2488 | LfUaFmH.exe
4452 | dhcOTdH.exe
4536 | IziXmUK.exe
2480 | aoNgqeg.exe
848  | YWuaHYM.exe
4928 | yjekeIT.exe
4764 | uKlqATs.exe
3096 | IdeOTRQ.exe
4776 | NhZODOb.exe
4920 | LMKxTad.exe
792  | AtDqQdf.exe
4032 | MVMgsyl.exe
Drops file in Windows directory (21 IoCs)
description  | ioc                            | Process
File created | C:\Windows\System\cgETvJO.exe | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\oChjBqi.exe | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\dXpysas.exe | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\IziXmUK.exe | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\IdeOTRQ.exe | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\MVMgsyl.exe | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\HkqbZsN.exe | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\nBHtFnQ.exe | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\dhcOTdH.exe | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\OHPtLMm.exe | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\YVZotDn.exe | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\LfUaFmH.exe | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\uKlqATs.exe | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\LMKxTad.exe | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\AtDqQdf.exe | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\mreQECg.exe | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\HkvenMA.exe | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\aoNgqeg.exe | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\YWuaHYM.exe | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\yjekeIT.exe | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\NhZODOb.exe | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description                  | pid  | Process
Token: SeLockMemoryPrivilege | 3488 | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege | 3488 | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe
Suspicious use of WriteProcessMemory (42 IoCs)
description                      | pid  | Process                                                                              | procid_target
PID 3488 wrote to memory of 2420 | 3488 | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe | 87
PID 3488 wrote to memory of 2420 | 3488 | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe | 87
PID 3488 wrote to memory of 2276 | 3488 | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe | 88
PID 3488 wrote to memory of 2276 | 3488 | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe | 88
PID 3488 wrote to memory of 232  | 3488 | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe | 89
PID 3488 wrote to memory of 232  | 3488 | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe | 89
PID 3488 wrote to memory of 5064 | 3488 | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe | 90
PID 3488 wrote to memory of 5064 | 3488 | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe | 90
PID 3488 wrote to memory of 460  | 3488 | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe | 91
PID 3488 wrote to memory of 460  | 3488 | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe | 91
PID 3488 wrote to memory of 4824 | 3488 | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe | 92
PID 3488 wrote to memory of 4824 | 3488 | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe | 92
PID 3488 wrote to memory of 3708 | 3488 | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe | 94
PID 3488 wrote to memory of 3708 | 3488 | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe | 94
PID 3488 wrote to memory of 3756 | 3488 | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe | 95
PID 3488 wrote to memory of 3756 | 3488 | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe | 95
PID 3488 wrote to memory of 3792 | 3488 | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe | 96
PID 3488 wrote to memory of 3792 | 3488 | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe | 96
PID 3488 wrote to memory of 2488 | 3488 | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe | 97
PID 3488 wrote to memory of 2488 | 3488 | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe | 97
PID 3488 wrote to memory of 4452 | 3488 | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe | 98
PID 3488 wrote to memory of 4452 | 3488 | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe | 98
PID 3488 wrote to memory of 4536 | 3488 | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe | 99
PID 3488 wrote to memory of 4536 | 3488 | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe | 99
PID 3488 wrote to memory of 2480 | 3488 | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe | 100
PID 3488 wrote to memory of 2480 | 3488 | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe | 100
PID 3488 wrote to memory of 848  | 3488 | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe | 101
PID 3488 wrote to memory of 848  | 3488 | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe | 101
PID 3488 wrote to memory of 4928 | 3488 | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe | 102
PID 3488 wrote to memory of 4928 | 3488 | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe | 102
PID 3488 wrote to memory of 4764 | 3488 | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe | 103
PID 3488 wrote to memory of 4764 | 3488 | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe | 103
PID 3488 wrote to memory of 3096 | 3488 | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe | 104
PID 3488 wrote to memory of 3096 | 3488 | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe | 104
PID 3488 wrote to memory of 4776 | 3488 | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe | 105
PID 3488 wrote to memory of 4776 | 3488 | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe | 105
PID 3488 wrote to memory of 4920 | 3488 | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe | 106
PID 3488 wrote to memory of 4920 | 3488 | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe | 106
PID 3488 wrote to memory of 792  | 3488 | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe | 107
PID 3488 wrote to memory of 792  | 3488 | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe | 107
PID 3488 wrote to memory of 4032 | 3488 | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe | 108
PID 3488 wrote to memory of 4032 | 3488 | 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe | 108
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe"
  PID: 3488
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\System\mreQECg.exe
      command line: C:\Windows\System\mreQECg.exe
      PID: 2420
      - Executes dropped EXE
    C:\Windows\System\HkqbZsN.exe
      command line: C:\Windows\System\HkqbZsN.exe
      PID: 2276
      - Executes dropped EXE
    C:\Windows\System\cgETvJO.exe
      command line: C:\Windows\System\cgETvJO.exe
      PID: 232
      - Executes dropped EXE
    C:\Windows\System\oChjBqi.exe
      command line: C:\Windows\System\oChjBqi.exe
      PID: 5064
      - Executes dropped EXE
    C:\Windows\System\nBHtFnQ.exe
      command line: C:\Windows\System\nBHtFnQ.exe
      PID: 460
      - Executes dropped EXE
    C:\Windows\System\OHPtLMm.exe
      command line: C:\Windows\System\OHPtLMm.exe
      PID: 4824
      - Executes dropped EXE
    C:\Windows\System\YVZotDn.exe
      command line: C:\Windows\System\YVZotDn.exe
      PID: 3708
      - Executes dropped EXE
    C:\Windows\System\dXpysas.exe
      command line: C:\Windows\System\dXpysas.exe
      PID: 3756
      - Executes dropped EXE
    C:\Windows\System\HkvenMA.exe
      command line: C:\Windows\System\HkvenMA.exe
      PID: 3792
      - Executes dropped EXE
    C:\Windows\System\LfUaFmH.exe
      command line: C:\Windows\System\LfUaFmH.exe
      PID: 2488
      - Executes dropped EXE
    C:\Windows\System\dhcOTdH.exe
      command line: C:\Windows\System\dhcOTdH.exe
      PID: 4452
      - Executes dropped EXE
    C:\Windows\System\IziXmUK.exe
      command line: C:\Windows\System\IziXmUK.exe
      PID: 4536
      - Executes dropped EXE
    C:\Windows\System\aoNgqeg.exe
      command line: C:\Windows\System\aoNgqeg.exe
      PID: 2480
      - Executes dropped EXE
    C:\Windows\System\YWuaHYM.exe
      command line: C:\Windows\System\YWuaHYM.exe
      PID: 848
      - Executes dropped EXE
    C:\Windows\System\yjekeIT.exe
      command line: C:\Windows\System\yjekeIT.exe
      PID: 4928
      - Executes dropped EXE
    C:\Windows\System\uKlqATs.exe
      command line: C:\Windows\System\uKlqATs.exe
      PID: 4764
      - Executes dropped EXE
    C:\Windows\System\IdeOTRQ.exe
      command line: C:\Windows\System\IdeOTRQ.exe
      PID: 3096
      - Executes dropped EXE
    C:\Windows\System\NhZODOb.exe
      command line: C:\Windows\System\NhZODOb.exe
      PID: 4776
      - Executes dropped EXE
    C:\Windows\System\LMKxTad.exe
      command line: C:\Windows\System\LMKxTad.exe
      PID: 4920
      - Executes dropped EXE
    C:\Windows\System\AtDqQdf.exe
      command line: C:\Windows\System\AtDqQdf.exe
      PID: 792
      - Executes dropped EXE
    C:\Windows\System\MVMgsyl.exe
      command line: C:\Windows\System\MVMgsyl.exe
      PID: 4032
      - Executes dropped EXE
Downloads