Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/10/2024, 11:46
Behavioral task: behavioral1
Sample: 2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe
Resource: win7-20240903-en
General
Target: 2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe
Size: 5.2MB
MD5: 27044029b7bc7f2761e7d8103b26ddd8
SHA1: a648c5ea9bac0a79043fda1a3cfe630ebe313baf
SHA256: 9bd8e2de1d92fd326b3e8314dd7dd793599cf03f73413998febb72731bf07e2a
SHA512:
c840ab8b493599d5ed48d660ad164fde5247d67e352e692c674037724259741f43b3beea0cd741982df21536a78b77121e3c75049551be7e8bf94db0bb6acf8f
SSDEEP:
49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lk:RWWBibd56utgpPFotBER/mQ32lUo
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host:
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2:
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
Signatures
Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
XMRig Miner payload 45 IoCs
Executes dropped EXE 21 IoCs
pid   Process
4884  QdudlAd.exe
452   KkLfGFM.exe
2960  aNafrgt.exe
4428  OxufWsI.exe
4220  QBgFWac.exe
4448  dsLOwQj.exe
4660  jNwpEeP.exe
2992  MbvTmkn.exe
2236  sGSvfuQ.exe
4140  GQIrzJi.exe
3688  hHJaMWr.exe
4636  mkoLIzy.exe
3220  rGHKhBf.exe
3248  RoaCGdL.exe
1816  YDqQKQx.exe
5000  ceDUBlj.exe
3828  uhSEQgy.exe
4952  SUVPotj.exe
3476  jMxAtqj.exe
1692  DTwjbuw.exe
1764  ycAfikw.exe
Drops file in Windows directory 21 IoCs
description   ioc                            Process
File created  C:\Windows\System\uhSEQgy.exe  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\QBgFWac.exe  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\GQIrzJi.exe  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\hHJaMWr.exe  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\YDqQKQx.exe  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\SUVPotj.exe  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\jMxAtqj.exe  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\KkLfGFM.exe  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\OxufWsI.exe  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\jNwpEeP.exe  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\mkoLIzy.exe  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\ceDUBlj.exe  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\ycAfikw.exe  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\QdudlAd.exe  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\MbvTmkn.exe  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\sGSvfuQ.exe  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\rGHKhBf.exe  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\aNafrgt.exe  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\dsLOwQj.exe  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\RoaCGdL.exe  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\DTwjbuw.exe  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description                   pid   Process
Token: SeLockMemoryPrivilege  4416  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege  4416  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe
Suspicious use of WriteProcessMemory 42 IoCs
description                       pid   Process                                                                                procid_target
PID 4416 wrote to memory of 4884  4416  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe  85
PID 4416 wrote to memory of 4884  4416  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe  85
PID 4416 wrote to memory of 452   4416  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe  86
PID 4416 wrote to memory of 452   4416  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe  86
PID 4416 wrote to memory of 2960  4416  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe  87
PID 4416 wrote to memory of 2960  4416  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe  87
PID 4416 wrote to memory of 4428  4416  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe  88
PID 4416 wrote to memory of 4428  4416  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe  88
PID 4416 wrote to memory of 4220  4416  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe  89
PID 4416 wrote to memory of 4220  4416  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe  89
PID 4416 wrote to memory of 4448  4416  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe  90
PID 4416 wrote to memory of 4448  4416  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe  90
PID 4416 wrote to memory of 4660  4416  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe  91
PID 4416 wrote to memory of 4660  4416  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe  91
PID 4416 wrote to memory of 2992  4416  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe  92
PID 4416 wrote to memory of 2992  4416  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe  92
PID 4416 wrote to memory of 2236  4416  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe  94
PID 4416 wrote to memory of 2236  4416  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe  94
PID 4416 wrote to memory of 4140  4416  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe  96
PID 4416 wrote to memory of 4140  4416  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe  96
PID 4416 wrote to memory of 3688  4416  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe  97
PID 4416 wrote to memory of 3688  4416  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe  97
PID 4416 wrote to memory of 4636  4416  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe  98
PID 4416 wrote to memory of 4636  4416  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe  98
PID 4416 wrote to memory of 3220  4416  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe  99
PID 4416 wrote to memory of 3220  4416  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe  99
PID 4416 wrote to memory of 3248  4416  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe  100
PID 4416 wrote to memory of 3248  4416  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe  100
PID 4416 wrote to memory of 1816  4416  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe  104
PID 4416 wrote to memory of 1816  4416  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe  104
PID 4416 wrote to memory of 5000  4416  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe  105
PID 4416 wrote to memory of 5000  4416  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe  105
PID 4416 wrote to memory of 3828  4416  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe  108
PID 4416 wrote to memory of 3828  4416  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe  108
PID 4416 wrote to memory of 4952  4416  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe  109
PID 4416 wrote to memory of 4952  4416  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe  109
PID 4416 wrote to memory of 3476  4416  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe  110
PID 4416 wrote to memory of 3476  4416  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe  110
PID 4416 wrote to memory of 1692  4416  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe  111
PID 4416 wrote to memory of 1692  4416  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe  111
PID 4416 wrote to memory of 1764  4416  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe  112
PID 4416 wrote to memory of 1764  4416  2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe  112
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4416
  C:\Windows\System\QdudlAd.exe
    Command line: C:\Windows\System\QdudlAd.exe
    - Executes dropped EXE
    PID: 4884
  C:\Windows\System\KkLfGFM.exe
    Command line: C:\Windows\System\KkLfGFM.exe
    - Executes dropped EXE
    PID: 452
  C:\Windows\System\aNafrgt.exe
    Command line: C:\Windows\System\aNafrgt.exe
    - Executes dropped EXE
    PID: 2960
  C:\Windows\System\OxufWsI.exe
    Command line: C:\Windows\System\OxufWsI.exe
    - Executes dropped EXE
    PID: 4428
  C:\Windows\System\QBgFWac.exe
    Command line: C:\Windows\System\QBgFWac.exe
    - Executes dropped EXE
    PID: 4220
  C:\Windows\System\dsLOwQj.exe
    Command line: C:\Windows\System\dsLOwQj.exe
    - Executes dropped EXE
    PID: 4448
  C:\Windows\System\jNwpEeP.exe
    Command line: C:\Windows\System\jNwpEeP.exe
    - Executes dropped EXE
    PID: 4660
  C:\Windows\System\MbvTmkn.exe
    Command line: C:\Windows\System\MbvTmkn.exe
    - Executes dropped EXE
    PID: 2992
  C:\Windows\System\sGSvfuQ.exe
    Command line: C:\Windows\System\sGSvfuQ.exe
    - Executes dropped EXE
    PID: 2236
  C:\Windows\System\GQIrzJi.exe
    Command line: C:\Windows\System\GQIrzJi.exe
    - Executes dropped EXE
    PID: 4140
  C:\Windows\System\hHJaMWr.exe
    Command line: C:\Windows\System\hHJaMWr.exe
    - Executes dropped EXE
    PID: 3688
  C:\Windows\System\mkoLIzy.exe
    Command line: C:\Windows\System\mkoLIzy.exe
    - Executes dropped EXE
    PID: 4636
  C:\Windows\System\rGHKhBf.exe
    Command line: C:\Windows\System\rGHKhBf.exe
    - Executes dropped EXE
    PID: 3220
  C:\Windows\System\RoaCGdL.exe
    Command line: C:\Windows\System\RoaCGdL.exe
    - Executes dropped EXE
    PID: 3248
  C:\Windows\System\YDqQKQx.exe
    Command line: C:\Windows\System\YDqQKQx.exe
    - Executes dropped EXE
    PID: 1816
  C:\Windows\System\ceDUBlj.exe
    Command line: C:\Windows\System\ceDUBlj.exe
    - Executes dropped EXE
    PID: 5000
  C:\Windows\System\uhSEQgy.exe
    Command line: C:\Windows\System\uhSEQgy.exe
    - Executes dropped EXE
    PID: 3828
  C:\Windows\System\SUVPotj.exe
    Command line: C:\Windows\System\SUVPotj.exe
    - Executes dropped EXE
    PID: 4952
  C:\Windows\System\jMxAtqj.exe
    Command line: C:\Windows\System\jMxAtqj.exe
    - Executes dropped EXE
    PID: 3476
  C:\Windows\System\DTwjbuw.exe
    Command line: C:\Windows\System\DTwjbuw.exe
    - Executes dropped EXE
    PID: 1692
  C:\Windows\System\ycAfikw.exe
    Command line: C:\Windows\System\ycAfikw.exe
    - Executes dropped EXE
    PID: 1764
Downloads