Analysis
-
max time kernel
150s
-
max time network
141s
-
platform
windows10-2004_x64
-
resource
win10v2004-20241007-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
-
submitted
25/10/2024, 11:44
Behavioral task
behavioral1
Sample
2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe
Resource
win7-20240708-en
General
-
Target
2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe
-
Size
5.2MB
-
MD5
107df4901265f66641bc2b5c9c6fc2fb
-
SHA1
24317f38783dbd506bbfcf20d2b44460eaac47bd
-
SHA256
6de8ba516b58e04a387136fb3ba0f971416ea4d33914c1b4668039c4ada51ed9
-
SHA512
a48eef67979700c328f7bf443b37994a9d0e296aed3186de6a50937573a642412b8b76a6d932d816c379510ed11a489c3a9484b1875a15ba0b6598ddf31a6e52
-
SSDEEP
49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lh:RWWBibd56utgpPFotBER/mQ32lUt
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
-
access_type
512
-
beacon_type
256
-
create_remote_thread
768
-
crypto_scheme
256
-
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
-
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
-
http_method1
GET
-
http_method2
POST
-
maxdns
255
-
pipe_name
\\%s\pipe\msagent_%x
-
polling_time
5000
-
port_number
443
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/N4215/adj/amzn.us.sr.aps
-
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
-
watermark
0
Signatures
-
Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
resource | yara_rule
behavioral2/files/0x0007000000023c76-10.dat | cobalt_reflective_dll
behavioral2/files/0x0009000000023c6d-9.dat | cobalt_reflective_dll
behavioral2/files/0x0007000000023c77-8.dat | cobalt_reflective_dll
behavioral2/files/0x0007000000023c78-21.dat | cobalt_reflective_dll
behavioral2/files/0x000a000000023c73-29.dat | cobalt_reflective_dll
behavioral2/files/0x0007000000023c7b-41.dat | cobalt_reflective_dll
behavioral2/files/0x0007000000023c7c-49.dat | cobalt_reflective_dll
behavioral2/files/0x0007000000023c7d-55.dat | cobalt_reflective_dll
behavioral2/files/0x0007000000023c79-37.dat | cobalt_reflective_dll
behavioral2/files/0x0007000000023c7e-60.dat | cobalt_reflective_dll
behavioral2/files/0x0007000000023c83-86.dat | cobalt_reflective_dll
behavioral2/files/0x0007000000023c80-90.dat | cobalt_reflective_dll
behavioral2/files/0x0007000000023c85-104.dat | cobalt_reflective_dll
behavioral2/files/0x0007000000023c88-118.dat | cobalt_reflective_dll
behavioral2/files/0x0007000000023c8a-136.dat | cobalt_reflective_dll
behavioral2/files/0x0007000000023c89-132.dat | cobalt_reflective_dll
behavioral2/files/0x0007000000023c87-119.dat | cobalt_reflective_dll
behavioral2/files/0x0007000000023c86-105.dat | cobalt_reflective_dll
behavioral2/files/0x0007000000023c84-100.dat | cobalt_reflective_dll
behavioral2/files/0x0007000000023c82-80.dat | cobalt_reflective_dll
behavioral2/files/0x0007000000023c81-76.dat | cobalt_reflective_dll
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
XMRig Miner payload 45 IoCs
resource | yara_rule
behavioral2/memory/736-53-0x00007FF69A420000-0x00007FF69A771000-memory.dmp | xmrig
behavioral2/memory/4968-58-0x00007FF776F40000-0x00007FF777291000-memory.dmp | xmrig
behavioral2/memory/4244-124-0x00007FF61B580000-0x00007FF61B8D1000-memory.dmp | xmrig
behavioral2/memory/4248-129-0x00007FF65BEC0000-0x00007FF65C211000-memory.dmp | xmrig
behavioral2/memory/4360-125-0x00007FF7AC720000-0x00007FF7ACA71000-memory.dmp | xmrig
behavioral2/memory/2996-115-0x00007FF629550000-0x00007FF6298A1000-memory.dmp | xmrig
behavioral2/memory/4556-112-0x00007FF7E4C90000-0x00007FF7E4FE1000-memory.dmp | xmrig
behavioral2/memory/4884-107-0x00007FF71C9B0000-0x00007FF71CD01000-memory.dmp | xmrig
behavioral2/memory/1036-98-0x00007FF758170000-0x00007FF7584C1000-memory.dmp | xmrig
behavioral2/memory/3492-92-0x00007FF701FD0000-0x00007FF702321000-memory.dmp | xmrig
behavioral2/memory/2424-88-0x00007FF639490000-0x00007FF6397E1000-memory.dmp | xmrig
behavioral2/memory/4736-71-0x00007FF7A6EF0000-0x00007FF7A7241000-memory.dmp | xmrig
behavioral2/memory/1380-67-0x00007FF682690000-0x00007FF6829E1000-memory.dmp | xmrig
behavioral2/memory/4340-64-0x00007FF7EDF00000-0x00007FF7EE251000-memory.dmp | xmrig
behavioral2/memory/736-138-0x00007FF69A420000-0x00007FF69A771000-memory.dmp | xmrig
behavioral2/memory/3604-153-0x00007FF768480000-0x00007FF7687D1000-memory.dmp | xmrig
behavioral2/memory/3304-154-0x00007FF7754F0000-0x00007FF775841000-memory.dmp | xmrig
behavioral2/memory/3124-160-0x00007FF6DC880000-0x00007FF6DCBD1000-memory.dmp | xmrig
behavioral2/memory/4656-158-0x00007FF683DC0000-0x00007FF684111000-memory.dmp | xmrig
behavioral2/memory/1100-152-0x00007FF6DD0B0000-0x00007FF6DD401000-memory.dmp | xmrig
behavioral2/memory/3316-159-0x00007FF799DC0000-0x00007FF79A111000-memory.dmp | xmrig
behavioral2/memory/1560-156-0x00007FF6BB460000-0x00007FF6BB7B1000-memory.dmp | xmrig
behavioral2/memory/3044-149-0x00007FF772DB0000-0x00007FF773101000-memory.dmp | xmrig
behavioral2/memory/736-161-0x00007FF69A420000-0x00007FF69A771000-memory.dmp | xmrig
behavioral2/memory/4968-210-0x00007FF776F40000-0x00007FF777291000-memory.dmp | xmrig
behavioral2/memory/4340-212-0x00007FF7EDF00000-0x00007FF7EE251000-memory.dmp | xmrig
behavioral2/memory/4736-220-0x00007FF7A6EF0000-0x00007FF7A7241000-memory.dmp | xmrig
behavioral2/memory/3492-222-0x00007FF701FD0000-0x00007FF702321000-memory.dmp | xmrig
behavioral2/memory/1036-224-0x00007FF758170000-0x00007FF7584C1000-memory.dmp | xmrig
behavioral2/memory/4884-226-0x00007FF71C9B0000-0x00007FF71CD01000-memory.dmp | xmrig
behavioral2/memory/4248-228-0x00007FF65BEC0000-0x00007FF65C211000-memory.dmp | xmrig
behavioral2/memory/2996-232-0x00007FF629550000-0x00007FF6298A1000-memory.dmp | xmrig
behavioral2/memory/4360-231-0x00007FF7AC720000-0x00007FF7ACA71000-memory.dmp | xmrig
behavioral2/memory/1380-242-0x00007FF682690000-0x00007FF6829E1000-memory.dmp | xmrig
behavioral2/memory/3124-245-0x00007FF6DC880000-0x00007FF6DCBD1000-memory.dmp | xmrig
behavioral2/memory/2424-246-0x00007FF639490000-0x00007FF6397E1000-memory.dmp | xmrig
behavioral2/memory/3604-252-0x00007FF768480000-0x00007FF7687D1000-memory.dmp | xmrig
behavioral2/memory/4556-254-0x00007FF7E4C90000-0x00007FF7E4FE1000-memory.dmp | xmrig
behavioral2/memory/4244-257-0x00007FF61B580000-0x00007FF61B8D1000-memory.dmp | xmrig
behavioral2/memory/3304-264-0x00007FF7754F0000-0x00007FF775841000-memory.dmp | xmrig
behavioral2/memory/3044-263-0x00007FF772DB0000-0x00007FF773101000-memory.dmp | xmrig
behavioral2/memory/1100-261-0x00007FF6DD0B0000-0x00007FF6DD401000-memory.dmp | xmrig
behavioral2/memory/1560-259-0x00007FF6BB460000-0x00007FF6BB7B1000-memory.dmp | xmrig
behavioral2/memory/4656-266-0x00007FF683DC0000-0x00007FF684111000-memory.dmp | xmrig
behavioral2/memory/3316-268-0x00007FF799DC0000-0x00007FF79A111000-memory.dmp | xmrig
-
Executes dropped EXE 21 IoCs
pid | Process
4968 | LICuuvi.exe
4340 | gpLPwwK.exe
4736 | YubogAr.exe
3492 | nHHZaam.exe
1036 | cqLKeRO.exe
4884 | GoFXClv.exe
2996 | dMClBdU.exe
4360 | uhdAkTO.exe
4248 | xsQofnK.exe
1380 | AiouZoZ.exe
3124 | xOUcTWM.exe
3044 | yQpekzG.exe
2424 | bwPEBkt.exe
1100 | bzaYDqp.exe
3604 | AvrlSWz.exe
3304 | mVeRaEj.exe
4556 | vpTsrOF.exe
1560 | lUHwYSE.exe
4244 | jXALLmJ.exe
4656 | rTxYdXU.exe
3316 | rfAPYUx.exe
-
resource | yara_rule
behavioral2/memory/736-0-0x00007FF69A420000-0x00007FF69A771000-memory.dmp | upx
behavioral2/files/0x0007000000023c76-10.dat | upx
behavioral2/files/0x0009000000023c6d-9.dat | upx
behavioral2/memory/4340-12-0x00007FF7EDF00000-0x00007FF7EE251000-memory.dmp | upx
behavioral2/files/0x0007000000023c77-8.dat | upx
behavioral2/memory/4968-6-0x00007FF776F40000-0x00007FF777291000-memory.dmp | upx
behavioral2/files/0x0007000000023c78-21.dat | upx
behavioral2/memory/4736-22-0x00007FF7A6EF0000-0x00007FF7A7241000-memory.dmp | upx
behavioral2/files/0x000a000000023c73-29.dat | upx
behavioral2/memory/1036-30-0x00007FF758170000-0x00007FF7584C1000-memory.dmp | upx
behavioral2/memory/3492-26-0x00007FF701FD0000-0x00007FF702321000-memory.dmp | upx
behavioral2/files/0x0007000000023c7b-41.dat | upx
behavioral2/memory/2996-42-0x00007FF629550000-0x00007FF6298A1000-memory.dmp | upx
behavioral2/files/0x0007000000023c7c-49.dat | upx
behavioral2/memory/4248-54-0x00007FF65BEC0000-0x00007FF65C211000-memory.dmp | upx
behavioral2/files/0x0007000000023c7d-55.dat | upx
behavioral2/memory/736-53-0x00007FF69A420000-0x00007FF69A771000-memory.dmp | upx
behavioral2/memory/4360-48-0x00007FF7AC720000-0x00007FF7ACA71000-memory.dmp | upx
behavioral2/files/0x0007000000023c79-37.dat | upx
behavioral2/memory/4884-36-0x00007FF71C9B0000-0x00007FF71CD01000-memory.dmp | upx
behavioral2/memory/4968-58-0x00007FF776F40000-0x00007FF777291000-memory.dmp | upx
behavioral2/files/0x0007000000023c7e-60.dat | upx
behavioral2/files/0x0007000000023c83-86.dat | upx
behavioral2/files/0x0007000000023c80-90.dat | upx
behavioral2/files/0x0007000000023c85-104.dat | upx
behavioral2/files/0x0007000000023c88-118.dat | upx
behavioral2/memory/4244-124-0x00007FF61B580000-0x00007FF61B8D1000-memory.dmp | upx
behavioral2/memory/4248-129-0x00007FF65BEC0000-0x00007FF65C211000-memory.dmp | upx
behavioral2/files/0x0007000000023c8a-136.dat | upx
behavioral2/memory/3316-135-0x00007FF799DC0000-0x00007FF79A111000-memory.dmp | upx
behavioral2/files/0x0007000000023c89-132.dat | upx
behavioral2/memory/4656-130-0x00007FF683DC0000-0x00007FF684111000-memory.dmp | upx
behavioral2/memory/4360-125-0x00007FF7AC720000-0x00007FF7ACA71000-memory.dmp | upx
behavioral2/memory/1560-123-0x00007FF6BB460000-0x00007FF6BB7B1000-memory.dmp | upx
behavioral2/files/0x0007000000023c87-119.dat | upx
behavioral2/memory/2996-115-0x00007FF629550000-0x00007FF6298A1000-memory.dmp | upx
behavioral2/memory/4556-112-0x00007FF7E4C90000-0x00007FF7E4FE1000-memory.dmp | upx
behavioral2/memory/4884-107-0x00007FF71C9B0000-0x00007FF71CD01000-memory.dmp | upx
behavioral2/files/0x0007000000023c86-105.dat | upx
behavioral2/files/0x0007000000023c84-100.dat | upx
behavioral2/memory/3304-99-0x00007FF7754F0000-0x00007FF775841000-memory.dmp | upx
behavioral2/memory/1036-98-0x00007FF758170000-0x00007FF7584C1000-memory.dmp | upx
behavioral2/memory/1100-97-0x00007FF6DD0B0000-0x00007FF6DD401000-memory.dmp | upx
behavioral2/memory/3492-92-0x00007FF701FD0000-0x00007FF702321000-memory.dmp | upx
behavioral2/memory/3604-91-0x00007FF768480000-0x00007FF7687D1000-memory.dmp | upx
behavioral2/memory/2424-88-0x00007FF639490000-0x00007FF6397E1000-memory.dmp | upx
behavioral2/memory/3044-85-0x00007FF772DB0000-0x00007FF773101000-memory.dmp | upx
behavioral2/files/0x0007000000023c82-80.dat | upx
behavioral2/files/0x0007000000023c81-76.dat | upx
behavioral2/memory/3124-72-0x00007FF6DC880000-0x00007FF6DCBD1000-memory.dmp | upx
behavioral2/memory/4736-71-0x00007FF7A6EF0000-0x00007FF7A7241000-memory.dmp | upx
behavioral2/memory/1380-67-0x00007FF682690000-0x00007FF6829E1000-memory.dmp | upx
behavioral2/memory/4340-64-0x00007FF7EDF00000-0x00007FF7EE251000-memory.dmp | upx
behavioral2/memory/736-138-0x00007FF69A420000-0x00007FF69A771000-memory.dmp | upx
behavioral2/memory/3604-153-0x00007FF768480000-0x00007FF7687D1000-memory.dmp | upx
behavioral2/memory/3304-154-0x00007FF7754F0000-0x00007FF775841000-memory.dmp | upx
behavioral2/memory/3124-160-0x00007FF6DC880000-0x00007FF6DCBD1000-memory.dmp | upx
behavioral2/memory/4656-158-0x00007FF683DC0000-0x00007FF684111000-memory.dmp | upx
behavioral2/memory/1100-152-0x00007FF6DD0B0000-0x00007FF6DD401000-memory.dmp | upx
behavioral2/memory/3316-159-0x00007FF799DC0000-0x00007FF79A111000-memory.dmp | upx
behavioral2/memory/1560-156-0x00007FF6BB460000-0x00007FF6BB7B1000-memory.dmp | upx
behavioral2/memory/3044-149-0x00007FF772DB0000-0x00007FF773101000-memory.dmp | upx
behavioral2/memory/736-161-0x00007FF69A420000-0x00007FF69A771000-memory.dmp | upx
behavioral2/memory/4968-210-0x00007FF776F40000-0x00007FF777291000-memory.dmp | upx
-
Drops file in Windows directory 21 IoCs
description | ioc | Process
File created | C:\Windows\System\bzaYDqp.exe | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\vpTsrOF.exe | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\lUHwYSE.exe | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\rfAPYUx.exe | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\GoFXClv.exe | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\xOUcTWM.exe | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\YubogAr.exe | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\nHHZaam.exe | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\uhdAkTO.exe | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\xsQofnK.exe | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\AvrlSWz.exe | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\jXALLmJ.exe | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\LICuuvi.exe | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\gpLPwwK.exe | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\yQpekzG.exe | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\mVeRaEj.exe | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\cqLKeRO.exe | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\AiouZoZ.exe | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\rTxYdXU.exe | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\dMClBdU.exe | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\bwPEBkt.exe | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeLockMemoryPrivilege | 736 | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege | 736 | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe
-
Suspicious use of WriteProcessMemory 42 IoCs
description | pid | Process | procid_target
PID 736 wrote to memory of 4968 | 736 | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe | 85
PID 736 wrote to memory of 4968 | 736 | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe | 85
PID 736 wrote to memory of 4340 | 736 | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe | 86
PID 736 wrote to memory of 4340 | 736 | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe | 86
PID 736 wrote to memory of 4736 | 736 | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe | 87
PID 736 wrote to memory of 4736 | 736 | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe | 87
PID 736 wrote to memory of 3492 | 736 | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe | 88
PID 736 wrote to memory of 3492 | 736 | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe | 88
PID 736 wrote to memory of 1036 | 736 | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe | 89
PID 736 wrote to memory of 1036 | 736 | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe | 89
PID 736 wrote to memory of 4884 | 736 | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe | 90
PID 736 wrote to memory of 4884 | 736 | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe | 90
PID 736 wrote to memory of 2996 | 736 | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe | 91
PID 736 wrote to memory of 2996 | 736 | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe | 91
PID 736 wrote to memory of 4360 | 736 | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe | 92
PID 736 wrote to memory of 4360 | 736 | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe | 92
PID 736 wrote to memory of 4248 | 736 | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe | 93
PID 736 wrote to memory of 4248 | 736 | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe | 93
PID 736 wrote to memory of 1380 | 736 | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe | 97
PID 736 wrote to memory of 1380 | 736 | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe | 97
PID 736 wrote to memory of 3044 | 736 | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe | 100
PID 736 wrote to memory of 3044 | 736 | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe | 100
PID 736 wrote to memory of 3124 | 736 | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe | 101
PID 736 wrote to memory of 3124 | 736 | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe | 101
PID 736 wrote to memory of 2424 | 736 | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe | 102
PID 736 wrote to memory of 2424 | 736 | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe | 102
PID 736 wrote to memory of 1100 | 736 | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe | 103
PID 736 wrote to memory of 1100 | 736 | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe | 103
PID 736 wrote to memory of 3604 | 736 | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe | 104
PID 736 wrote to memory of 3604 | 736 | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe | 104
PID 736 wrote to memory of 3304 | 736 | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe | 105
PID 736 wrote to memory of 3304 | 736 | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe | 105
PID 736 wrote to memory of 4556 | 736 | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe | 106
PID 736 wrote to memory of 4556 | 736 | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe | 106
PID 736 wrote to memory of 1560 | 736 | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe | 107
PID 736 wrote to memory of 1560 | 736 | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe | 107
PID 736 wrote to memory of 4244 | 736 | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe | 108
PID 736 wrote to memory of 4244 | 736 | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe | 108
PID 736 wrote to memory of 4656 | 736 | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe | 109
PID 736 wrote to memory of 4656 | 736 | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe | 109
PID 736 wrote to memory of 3316 | 736 | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe | 110
PID 736 wrote to memory of 3316 | 736 | 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe | 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe"
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:736
    -
    C:\Windows\System\LICuuvi.exe
    - Executes dropped EXE
    PID:4968
    -
    C:\Windows\System\gpLPwwK.exe
    - Executes dropped EXE
    PID:4340
    -
    C:\Windows\System\YubogAr.exe
    - Executes dropped EXE
    PID:4736
    -
    C:\Windows\System\nHHZaam.exe
    - Executes dropped EXE
    PID:3492
    -
    C:\Windows\System\cqLKeRO.exe
    - Executes dropped EXE
    PID:1036
    -
    C:\Windows\System\GoFXClv.exe
    - Executes dropped EXE
    PID:4884
    -
    C:\Windows\System\dMClBdU.exe
    - Executes dropped EXE
    PID:2996
    -
    C:\Windows\System\uhdAkTO.exe
    - Executes dropped EXE
    PID:4360
    -
    C:\Windows\System\xsQofnK.exe
    - Executes dropped EXE
    PID:4248
    -
    C:\Windows\System\AiouZoZ.exe
    - Executes dropped EXE
    PID:1380
    -
    C:\Windows\System\yQpekzG.exe
    - Executes dropped EXE
    PID:3044
    -
    C:\Windows\System\xOUcTWM.exe
    - Executes dropped EXE
    PID:3124
    -
    C:\Windows\System\bwPEBkt.exe
    - Executes dropped EXE
    PID:2424
    -
    C:\Windows\System\bzaYDqp.exe
    - Executes dropped EXE
    PID:1100
    -
    C:\Windows\System\AvrlSWz.exe
    - Executes dropped EXE
    PID:3604
    -
    C:\Windows\System\mVeRaEj.exe
    - Executes dropped EXE
    PID:3304
    -
    C:\Windows\System\vpTsrOF.exe
    - Executes dropped EXE
    PID:4556
    -
    C:\Windows\System\lUHwYSE.exe
    - Executes dropped EXE
    PID:1560
    -
    C:\Windows\System\jXALLmJ.exe
    - Executes dropped EXE
    PID:4244
    -
    C:\Windows\System\rTxYdXU.exe
    - Executes dropped EXE
    PID:4656
    -
    C:\Windows\System\rfAPYUx.exe
    - Executes dropped EXE
    PID:3316
Downloads
-
Filesize
5.2MB
MD5 c24d72cf94bde2182a6e3f9b9b606726
SHA1 2525e787763ac167d2dfef9690af3e4682844174
SHA256 cbc3a918133532ecc55b9bb09f9b93a06cc9a8f17389df1e90b089b778c78a35
SHA512 0ccf991a4a2bf962e3c6613fd45b45219ec6e95c311e926ad884bfc57c9b880c85d7a5c7fd2aa74331602970a29c9f67c766fc0ec507167422ef3be9c7605f95
-
Filesize
5.2MB
MD5 a282da00d456777da2c752ee5def6388
SHA1 89fea047f23a5a8288c4b6c44a1725ac71602b66
SHA256 e2273d8d2e8c1e9284c15a08acc61fbed4aa76d9897409acb3331f71c8c68f51
SHA512 3955657503b55b452b670dcfb10fd83c90c42d00cab8d0a96d9b4c145b8dae4759288fc1da5e4bbbd7bfa3e71fa71b018cba85057e7f5687ec2e1c68988c33b7
-
Filesize
5.2MB
MD5 72b990755e7bed0f23bef657b7973c2b
SHA1 8fe111338fd15833333310b38774ce7c14c52586
SHA256 7e6eb111ee6c794a87363df1183cbcbd5a19d6f2f3790b7384e7933cd41d8e74
SHA512 b9f8609ee7e4261dbe6a2c51e0d60a647f403ce7f49c2d62055ebb9640204fcead2a125824de8d79bac447742c01ae4c18a17d9d929c726324606609a53392bf
-
Filesize
5.2MB
MD5 c44897545e36a760699593e4799fd846
SHA1 cc1e16c8027fd90a8e65b13e214bd490621307a0
SHA256 40f3362d86115dd2eac123d418224988ef73e1f88ce67f1ecc1e0152352014c5
SHA512 c15dfb9c393ba8a8544658e99922f0f8c597ffdd62d9bcd6aaf6ef978f76af3fdc3eb809ed2f7b5532efdb81d24319ab91ae2fbbbd28406dd51a0cd6f4f0202b
-
Filesize
5.2MB
MD5 b3f431064b241702a9535bc8a667f2e1
SHA1 edf2b691f01d8df41b87f9c994a618f380625252
SHA256 f5a51ebb1079d4d25096cba554a2adb93ba042b613b609e109ecebf5ac1bcfc3
SHA512 ef6e11b09505cffee21c7f4d4ee4995d49be0bec4aef9c4054c75e448f37e5a54ed5f78725c39981b40452161c62c968702afe5c386643842bcca29c6f363d2f
-
Filesize
5.2MB
MD5 16bac7458cb47f0d346ed4fed1ca19e0
SHA1 ca790b200827b10cf3ef8a5a177e7f2cf3f4208e
SHA256 2428f1275f9c6a38d849cf27ee2cf8ad47e68b12c880596229928d8eb70e8fdb
SHA512 f697734e4758e57b580f636c2cd791b1a6063468d64816df21bc3364cb916ac3924475b4a41e46ca4faeff26d99fadc7b1d7458cd92454218708dfdbad043e0e
-
Filesize
5.2MB
MD5 2e30e8a29fab014a0439fb909c19acd5
SHA1 a121d8029697058ab1f2796feaa65f7b6f4df48c
SHA256 dc04edcc99ef9f1645be4d9e99630ea69c654bf191f2ecc13045a0492acb8f86
SHA512 c15d5bc571fc25f3187d20e3fc63539656162a5b1979929ca582b461de0c5837c5bf775818d075f4e1db162bd2783bbfb504d21f6aa9aa472604e1a505379302
-
Filesize
5.2MB
MD5 f03a38de50319478b359bd4f82833139
SHA1 112d66194762f6adc2b3c380da042d9d5971e91a
SHA256 c3a816c0c46e7e9ac3a49fbff59d3de7695694d3dbade7728a4d277cac2a5cf5
SHA512 a388d8f23480020cc2ebd52747591022dbc1341f2d0d60b8cd3cea0554b770eea2311ba4b9f928e6a92a31be69af5b8ca25f4fc6d635e6241e8950e103503cad
-
Filesize
5.2MB
MD5 99bb52ec7f5f6172ded83083672078b5
SHA1 17371c6388a5a1cf138e6663edb1f2dedf756e1b
SHA256 c0668dcbbcd759c3e6358d48f43a9c4b6fdf644d92d56c7bea3e34f8c2735955
SHA512 ec09153f58a3fce54ca28370f39e0877e8defc51474f6b6831c4d63c25a400d2ce321e6735071728d51a237cfee04e6734570d7f45062e3f04bfcb7c430ac726
-
Filesize
5.2MB
MD5 9cb055380bb13fcd9c8f34250b24fd20
SHA1 ff5fb465354ce5e7d783b005796cd6f7f61316c8
SHA256 9c50c25b861d7d61fbae9d07afe4851c3dd6288e9cc12d7f0b725736c1a00ca7
SHA512 cfaef5354ab85439e839e394a62776c9d135f5d67d8c95f5e4d58c34733b88abd5a4981c32edc231f05803e889bf0ac4f02438d0e5606c8eccdc4602589d1498
-
Filesize
5.2MB
MD5 102931901869d0b51b7a706452561ee5
SHA1 98368a2cfbdda54acc233ba05fd3125de8240ccd
SHA256 089eb11e5079bc254a2afed217cf4b247be66f8f9acddfcbb479fdf44545602d
SHA512 e95fe0a18c546bf4e0e028c6a2cead3710b1cbf0e2b9cb06404e723ff3f090af67ae789fb18419483b9fe0da04d64fb474e3992b047eaa95f4399e1ba4941b90
-
Filesize
5.2MB
MD5 b5c480e3dc89bc1978c5f30c78ecddf4
SHA1 bf0f1cf153db55865ba744d01146a973ee6e95c5
SHA256 e98f65d2981cff9d21434ae53537f5df4212ff67a89694c05ed7c52baede7ce8
SHA512 2f81a84cefdf806ef1a3d93b314ca0055cf7027f52f996cd1c7ca2b1e6e3d60ec6826b296da6540ee1df8519e7fc39620ef85232c68210078a8310a9a38bb730
-
Filesize
5.2MB
MD5 a1e665f800c5a617395c7d044b991503
SHA1 883ecd035224a3d8baeb7a49d37d4ae6a40051c3
SHA256 ecd5ba35440c413a8e8b0ab03ab480e3254ecee7ed4a833336ca1e1796c4c528
SHA512 8a4a6264b5895a70f0d6d6a38511ac0acb80a4859489f051aab7d90ee4ff6bfc16654acd3bc9f0d5a5f358ebfda99bc8f992e4eb6ce935c1069c1f7b6b4810a1
-
Filesize
5.2MB
MD5 be06bd2193c5b7e9c6a6250c3f5e177f
SHA1 7670ecaedbdcaec8683f0a45aa772761982773d5
SHA256 2c8f546999abf141bed4a66c989d65dc976f50b43638e9965d34164b474d44a2
SHA512 d9860187df8096748cbc9298252e5b6678e26287c127c6143fad29dc5d44319d5d3f0a94f24e91bbba326bcea8161096b0aa4c9ecec645582927fce2917094e4
-
Filesize
5.2MB
MD5 fd71ac00f8d3cbd0f68acf4e76d6634e
SHA1 5f4e161974b61f0b4b510bcda9ba71b617826549
SHA256 34a31f169904c03acb69cd289a2494219cb7a1bafeace72e68d9313a88343359
SHA512 76a672eac3d0d6f87f18f806696ede042d809dbf770caff82f4df12cbbfd9c21b9be73d5ba07ee3409c9632c8b9d2d1489df2efab5d5be8a9bf3d8cd8249e237
-
Filesize
5.2MB
MD5 6afe80759103b9b6e7dfdd62e2f5b0aa
SHA1 ab43ec813fc2af0bb62e3ddb6e82bcf111ce340c
SHA256 d071df460622a419f48f47ec8e2b7a61dd0aed76e3f0720c9caffae1761defe7
SHA512 3928fbb95b67bc5c1e03ea162d4cf6898a6878288427ce542a5f5648dba01dc53558c2fd9bc27f3dfd0af292658add83a89280bfa8a73e8126ea3adce212e630
-
Filesize
5.2MB
MD5 a185f42175d2aa4394d74743b43f1593
SHA1 0d8a390718216c1587d6cb07e3bca43e7326205e
SHA256 a6bd83ef63baa09aac1061d4fb5f27cd5c14df4fc5b39095de8d9f07810461d1
SHA512 02443496fd2ea30f0522e2a776cdbd305022623ee6e004e7e92130d16ac48ae0d62aaad385abdfc4c261252c3c4440ef3de1dfed72e465e93ae4c6b027ef4a58
-
Filesize
5.2MB
MD5 e2fef4a261635fd3c516f8b1da63ae5c
SHA1 c9d81097c667599f93588f53fbcc80c7fd725bd7
SHA256 1a366c21848039d7920e18eb746db046ef9fc707aae3fbe750bca242cccf4a24
SHA512 7f26827e4b8e4971cb26075998bce767eed20403c3422a1ad243af17c12f2278c5ad8f7b40fc3e92a268a93c899805d9b764314c3879ecd4f24d28385e4fe106
-
Filesize
5.2MB
MD5 8b5c1817b61496be90263f45e67aef4b
SHA1 3b4946a2dfe8a189415cab596bcf1e4423175d59
SHA256 60c68c112f740d0a0331ac8fdcc01ca79ece72cccaeb8b6e28531c8296da9a82
SHA512 982bf1879dfc63a3058e39364ac9a897693ae266a63c323f784651466d83b62892d2535bb6cb306240ca4a6ef1a7e5a4d9c86f28a6d39dd7e2a341fc0f2913f5
-
Filesize
5.2MB
MD5 1685535d81b4887ae5d5a2bcac745a3b
SHA1 4fa186ca96d5e424159b87ff49d51b773b098060
SHA256 aaa56911b3fd8fdf30af655b08ed779ab5f7ae30392da12844be5aeb117339f1
SHA512 beb586bfef85b8822ae37290014e3fb1211a9e4ade161a46b3e9319c60aeaf1b82a80f9c8a601dc1740241819b829ff4103cda19071a1ddd79bab9d3d7796442
-
Filesize
5.2MB
MD5 1a3ec7b10f9715299fb125e81bbe5f61
SHA1 0a273f7c45a373d646154a06ba64d8ee5de4fe44
SHA256 95c97c15cb05c3cbfcf4d87e3254a25b4d487d32faa3440d69e8d193c6b2e5e7
SHA512 e4c85555359cfad2010734897c6dc1dee462bad6fc9b5d1bc061e93562788865456feabd05cc2e479591894da3c6802a9bc431ec1c640ddb36dc283292338c58