Analysis
-
max time kernel
140s
-
max time network
150s
-
platform
windows10-2004_x64
-
resource
win10v2004-20241007-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
25/10/2024, 11:44
-
Behavioral task
behavioral1
-
Sample
2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe
-
Resource
win7-20240729-en
General
-
Target
2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe
-
Size
5.2MB
-
MD5
0cd80e2cdb30e9b76d22bb3c1908858e
-
SHA1
ea3204c085028411152f25ca9da52981b4bf9789
-
SHA256
a9f13cd1daa00a11d71ce2d1f3fda74900bb4a5be35ebe6d6701df9b1b9308f5
-
SHA512
f76d174ecc6d6c323d6cb2034cec095d6fd0566dfc576cbfac1e587240e9c5a2a2d1e020e516ce036adb25a13ed49af093948e0e144e0953692062f1848d231b
-
SSDEEP
49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6ln:RWWBibd56utgpPFotBER/mQ32lUj
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
-
access_type
512
-
beacon_type
256
-
create_remote_thread
768
-
crypto_scheme
256
-
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
-
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
-
http_method1
GET
-
http_method2
POST
-
maxdns
255
-
pipe_name
\\%s\pipe\msagent_%x
-
polling_time
5000
-
port_number
443
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/N4215/adj/amzn.us.sr.aps
-
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
-
watermark
0
Signatures
-
Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
XMRig Miner payload 45 IoCs
-
Executes dropped EXE 21 IoCs
pid Process 1048 kHnGXGw.exe 2928 zyJQFjR.exe 5060 fsqoRzg.exe 2316 LUITuWs.exe 1460 MOecgQT.exe 3884 FXeidgD.exe 2876 WlrdmpY.exe 2620 xqjmWYR.exe 4140 guudmYD.exe 4816 FYtfVUd.exe 3216 nArzAfI.exe 1076 bFJetjc.exe 2920 DUsvgvx.exe 1576 kliznop.exe 3636 TUuFGvR.exe 4820 IdQMgPl.exe 1476 clpXIry.exe 1612 hcAUOws.exe 2368 lLGfCfI.exe 4524 aNnvcJH.exe 2412 GNojxul.exe -
-
Drops file in Windows directory 21 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeLockMemoryPrivilege 4944 2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe Token: SeLockMemoryPrivilege 4944 2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe -
Suspicious use of WriteProcessMemory 42 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe"
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4944
  -
  C:\Windows\System\kHnGXGw.exe
  C:\Windows\System\kHnGXGw.exe
  - Executes dropped EXE
  PID:1048
  -
  C:\Windows\System\zyJQFjR.exe
  C:\Windows\System\zyJQFjR.exe
  - Executes dropped EXE
  PID:2928
  -
  C:\Windows\System\fsqoRzg.exe
  C:\Windows\System\fsqoRzg.exe
  - Executes dropped EXE
  PID:5060
  -
  C:\Windows\System\LUITuWs.exe
  C:\Windows\System\LUITuWs.exe
  - Executes dropped EXE
  PID:2316
  -
  C:\Windows\System\MOecgQT.exe
  C:\Windows\System\MOecgQT.exe
  - Executes dropped EXE
  PID:1460
  -
  C:\Windows\System\FXeidgD.exe
  C:\Windows\System\FXeidgD.exe
  - Executes dropped EXE
  PID:3884
  -
  C:\Windows\System\WlrdmpY.exe
  C:\Windows\System\WlrdmpY.exe
  - Executes dropped EXE
  PID:2876
  -
  C:\Windows\System\xqjmWYR.exe
  C:\Windows\System\xqjmWYR.exe
  - Executes dropped EXE
  PID:2620
  -
  C:\Windows\System\guudmYD.exe
  C:\Windows\System\guudmYD.exe
  - Executes dropped EXE
  PID:4140
  -
  C:\Windows\System\FYtfVUd.exe
  C:\Windows\System\FYtfVUd.exe
  - Executes dropped EXE
  PID:4816
  -
  C:\Windows\System\nArzAfI.exe
  C:\Windows\System\nArzAfI.exe
  - Executes dropped EXE
  PID:3216
  -
  C:\Windows\System\DUsvgvx.exe
  C:\Windows\System\DUsvgvx.exe
  - Executes dropped EXE
  PID:2920
  -
  C:\Windows\System\bFJetjc.exe
  C:\Windows\System\bFJetjc.exe
  - Executes dropped EXE
  PID:1076
  -
  C:\Windows\System\kliznop.exe
  C:\Windows\System\kliznop.exe
  - Executes dropped EXE
  PID:1576
  -
  C:\Windows\System\TUuFGvR.exe
  C:\Windows\System\TUuFGvR.exe
  - Executes dropped EXE
  PID:3636
  -
  C:\Windows\System\IdQMgPl.exe
  C:\Windows\System\IdQMgPl.exe
  - Executes dropped EXE
  PID:4820
  -
  C:\Windows\System\clpXIry.exe
  C:\Windows\System\clpXIry.exe
  - Executes dropped EXE
  PID:1476
  -
  C:\Windows\System\hcAUOws.exe
  C:\Windows\System\hcAUOws.exe
  - Executes dropped EXE
  PID:1612
  -
  C:\Windows\System\lLGfCfI.exe
  C:\Windows\System\lLGfCfI.exe
  - Executes dropped EXE
  PID:2368
  -
  C:\Windows\System\GNojxul.exe
  C:\Windows\System\GNojxul.exe
  - Executes dropped EXE
  PID:2412
  -
  C:\Windows\System\aNnvcJH.exe
  C:\Windows\System\aNnvcJH.exe
  - Executes dropped EXE
  PID:4524
Network
MITRE ATT&CK Matrix
Downloads