Analysis
max time kernel: 148s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/10/2024, 11:46
Behavioral task: behavioral1
Sample: 2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe
Resource: win7-20240903-en
General
Target: 2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe
Size: 5.2MB
MD5: 2482ca548318dc88278059bd29f3139c
SHA1: 8dd89553d9ebfd110c558e9dfbb5e6be193f7827
SHA256: 135b5adf75a2385b655369f95dfbc995ef9afe247cc4dbd888580e2316c33be7
SHA512: 354044f285067a56526e39dc3050e325594582a59f55c8ad0651473eddb4977e78f3d3a102b2c570310c90d6af4054d61181cff8295ce9af655e37d246b47efc
SSDEEP: 49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l3:RWWBibd56utgpPFotBER/mQ32lUL
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2:
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
Signatures
- Cobalt Strike reflective loader (21 IoCs): Detects the reflective loader used by Cobalt Strike.
- Cobaltstrike: Detected malicious payload which is part of Cobaltstrike.
- XMRig Miner payload (45 IoCs)
- Executes dropped EXE (21 IoCs)
  pid / Process: 4528 tOzTglr.exe, 1484 ycCoRbI.exe, 1680 QDZKkql.exe, 1532 TSZsKQA.exe, 3316 QIxSCzc.exe, 1876 elWNuBD.exe, 3220 lPiJhfb.exe, 3000 hzutVqL.exe, 5060 ctpHZxL.exe, 4700 OpesDuH.exe, 3828 sLAMOpg.exe, 2284 sQHMBya.exe, 3608 CfnIxGa.exe, 3924 pgSvtGz.exe, 1028 AKeLOff.exe, 4088 rAfaCEq.exe, 4416 semRLeX.exe, 4572 LZtmuod.exe, 624 PZDhaty.exe, 2640 iFVgjGS.exe, 4508 ADnjmkX.exe
- YARA rule upx (signature name missing from the page; file and memory IoC list omitted)
- Drops file in Windows directory (21 IoCs)
  Files created by 2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe: C:\Windows\System\OpesDuH.exe, C:\Windows\System\sLAMOpg.exe, C:\Windows\System\sQHMBya.exe, C:\Windows\System\pgSvtGz.exe, C:\Windows\System\ycCoRbI.exe, C:\Windows\System\QDZKkql.exe, C:\Windows\System\QIxSCzc.exe, C:\Windows\System\rAfaCEq.exe, C:\Windows\System\AKeLOff.exe, C:\Windows\System\semRLeX.exe, C:\Windows\System\tOzTglr.exe, C:\Windows\System\elWNuBD.exe, C:\Windows\System\lPiJhfb.exe, C:\Windows\System\iFVgjGS.exe, C:\Windows\System\ADnjmkX.exe, C:\Windows\System\TSZsKQA.exe, C:\Windows\System\ctpHZxL.exe, C:\Windows\System\LZtmuod.exe, C:\Windows\System\hzutVqL.exe, C:\Windows\System\CfnIxGa.exe, C:\Windows\System\PZDhaty.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token SeLockMemoryPrivilege adjusted by PID 3968 (2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe), recorded twice
- Suspicious use of WriteProcessMemory (42 IoCs)
  PID 3968 (2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe) wrote to the memory of PIDs 4528, 1484, 1680, 1532, 3316, 1876, 3220, 3000, 5060, 4700, 3828, 2284, 3924, 3608, 4088, 1028, 4416, 4572, 624, 2640, 4508 (procid_target 86 through 106); each write is recorded twice
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe (PID 3968)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System\tOzTglr.exe (PID 4528): Executes dropped EXE
  - C:\Windows\System\ycCoRbI.exe (PID 1484): Executes dropped EXE
  - C:\Windows\System\QDZKkql.exe (PID 1680): Executes dropped EXE
  - C:\Windows\System\TSZsKQA.exe (PID 1532): Executes dropped EXE
  - C:\Windows\System\QIxSCzc.exe (PID 3316): Executes dropped EXE
  - C:\Windows\System\elWNuBD.exe (PID 1876): Executes dropped EXE
  - C:\Windows\System\lPiJhfb.exe (PID 3220): Executes dropped EXE
  - C:\Windows\System\hzutVqL.exe (PID 3000): Executes dropped EXE
  - C:\Windows\System\ctpHZxL.exe (PID 5060): Executes dropped EXE
  - C:\Windows\System\OpesDuH.exe (PID 4700): Executes dropped EXE
  - C:\Windows\System\sLAMOpg.exe (PID 3828): Executes dropped EXE
  - C:\Windows\System\sQHMBya.exe (PID 2284): Executes dropped EXE
  - C:\Windows\System\pgSvtGz.exe (PID 3924): Executes dropped EXE
  - C:\Windows\System\CfnIxGa.exe (PID 3608): Executes dropped EXE
  - C:\Windows\System\rAfaCEq.exe (PID 4088): Executes dropped EXE
  - C:\Windows\System\AKeLOff.exe (PID 1028): Executes dropped EXE
  - C:\Windows\System\semRLeX.exe (PID 4416): Executes dropped EXE
  - C:\Windows\System\LZtmuod.exe (PID 4572): Executes dropped EXE
  - C:\Windows\System\PZDhaty.exe (PID 624): Executes dropped EXE
  - C:\Windows\System\iFVgjGS.exe (PID 2640): Executes dropped EXE
  - C:\Windows\System\ADnjmkX.exe (PID 4508): Executes dropped EXE
Downloads