Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/10/2024, 11:43
Behavioral task: behavioral1
Sample: 2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe
Resource: win7-20240903-en
General
Target: 2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe
Size: 5.2MB
MD5: 0b1f5a6d0b17fb6b2290043a09e4c754
SHA1: 00780c41b56d11150c7591247340825840443a3a
SHA256: 3db359e40e4eeadef105229bf5a086079238aefa2c4f315e75a41512b8ceeab5
SHA512: 19cc9f910fa24e4e9353e2159b4265209f9834b73d84cecdbb0bdcbc7dc0e6b525346642936b3130e00fc3c100583ebee0780bbe12f381ecd8832570362e50af
SSDEEP: 49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lh:RWWBibd56utgpPFotBER/mQ32lUF
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
Signatures
Cobalt Strike reflective loader (21 IoCs)
Detects the reflective loader used by Cobalt Strike.
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
XMRig Miner payload (46 IoCs)
Executes dropped EXE (21 IoCs)
pid   Process
2472  KHYRIRS.exe
2908  TzyZOWR.exe
3600  qhBWNSy.exe
1996  mqGotzV.exe
1632  nuyniPQ.exe
2468  EGLuNjS.exe
3380  WKnMQBb.exe
812   WxZasJF.exe
1856  CGyYIBi.exe
2544  AHpQJUU.exe
3784  bluUQLK.exe
4084  KaPOtUi.exe
4632  TWDvdiL.exe
3612  uXhTQup.exe
1040  nlqSvUa.exe
1692  XeKzmZn.exe
3936  KgCBYTr.exe
2360  VkBrETh.exe
1264  fzEIlPG.exe
4120  WHfBIJJ.exe
1564  SuSkgyK.exe
Drops file in Windows directory (21 IoCs)
description   ioc                              Process
File created  C:\Windows\System\mqGotzV.exe    2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\AHpQJUU.exe    2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\WxZasJF.exe    2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\uXhTQup.exe    2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\nlqSvUa.exe    2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\fzEIlPG.exe    2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\qhBWNSy.exe    2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\WKnMQBb.exe    2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\CGyYIBi.exe    2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\XeKzmZn.exe    2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\SuSkgyK.exe    2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\KHYRIRS.exe    2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\TzyZOWR.exe    2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\bluUQLK.exe    2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\TWDvdiL.exe    2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\VkBrETh.exe    2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\nuyniPQ.exe    2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\EGLuNjS.exe    2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\KaPOtUi.exe    2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\KgCBYTr.exe    2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\WHfBIJJ.exe    2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description                   pid   Process
Token: SeLockMemoryPrivilege  3620  2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege  3620  2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe
Suspicious use of WriteProcessMemory (42 IoCs)
Processes
Process tree (indentation shows parent/child depth; each entry lists image path, command line, PID and matched signatures)
C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe"
  PID: 3620
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\System\KHYRIRS.exe  (cmdline: C:\Windows\System\KHYRIRS.exe)  PID: 2472
      - Executes dropped EXE
    C:\Windows\System\TzyZOWR.exe  (cmdline: C:\Windows\System\TzyZOWR.exe)  PID: 2908
      - Executes dropped EXE
    C:\Windows\System\mqGotzV.exe  (cmdline: C:\Windows\System\mqGotzV.exe)  PID: 1996
      - Executes dropped EXE
    C:\Windows\System\qhBWNSy.exe  (cmdline: C:\Windows\System\qhBWNSy.exe)  PID: 3600
      - Executes dropped EXE
    C:\Windows\System\nuyniPQ.exe  (cmdline: C:\Windows\System\nuyniPQ.exe)  PID: 1632
      - Executes dropped EXE
    C:\Windows\System\EGLuNjS.exe  (cmdline: C:\Windows\System\EGLuNjS.exe)  PID: 2468
      - Executes dropped EXE
    C:\Windows\System\WKnMQBb.exe  (cmdline: C:\Windows\System\WKnMQBb.exe)  PID: 3380
      - Executes dropped EXE
    C:\Windows\System\AHpQJUU.exe  (cmdline: C:\Windows\System\AHpQJUU.exe)  PID: 2544
      - Executes dropped EXE
    C:\Windows\System\WxZasJF.exe  (cmdline: C:\Windows\System\WxZasJF.exe)  PID: 812
      - Executes dropped EXE
    C:\Windows\System\CGyYIBi.exe  (cmdline: C:\Windows\System\CGyYIBi.exe)  PID: 1856
      - Executes dropped EXE
    C:\Windows\System\bluUQLK.exe  (cmdline: C:\Windows\System\bluUQLK.exe)  PID: 3784
      - Executes dropped EXE
    C:\Windows\System\KaPOtUi.exe  (cmdline: C:\Windows\System\KaPOtUi.exe)  PID: 4084
      - Executes dropped EXE
    C:\Windows\System\TWDvdiL.exe  (cmdline: C:\Windows\System\TWDvdiL.exe)  PID: 4632
      - Executes dropped EXE
    C:\Windows\System\uXhTQup.exe  (cmdline: C:\Windows\System\uXhTQup.exe)  PID: 3612
      - Executes dropped EXE
    C:\Windows\System\nlqSvUa.exe  (cmdline: C:\Windows\System\nlqSvUa.exe)  PID: 1040
      - Executes dropped EXE
    C:\Windows\System\XeKzmZn.exe  (cmdline: C:\Windows\System\XeKzmZn.exe)  PID: 1692
      - Executes dropped EXE
    C:\Windows\System\KgCBYTr.exe  (cmdline: C:\Windows\System\KgCBYTr.exe)  PID: 3936
      - Executes dropped EXE
    C:\Windows\System\VkBrETh.exe  (cmdline: C:\Windows\System\VkBrETh.exe)  PID: 2360
      - Executes dropped EXE
    C:\Windows\System\fzEIlPG.exe  (cmdline: C:\Windows\System\fzEIlPG.exe)  PID: 1264
      - Executes dropped EXE
    C:\Windows\System\WHfBIJJ.exe  (cmdline: C:\Windows\System\WHfBIJJ.exe)  PID: 4120
      - Executes dropped EXE
    C:\Windows\System\SuSkgyK.exe  (cmdline: C:\Windows\System\SuSkgyK.exe)  PID: 1564
      - Executes dropped EXE
Downloads