Analysis
-
max time kernel
145s
-
max time network
148s
-
platform
windows10-2004_x64
-
resource
win10v2004-20241007-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
-
submitted
25/10/2024, 11:48
Behavioral task
behavioral1
Sample
2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe
Resource
win7-20240903-en
General
-
Target
2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe
-
Size
5.2MB
-
MD5
66512785f2fd362ce92ea065d9043361
-
SHA1
7763bce6b65424196ed217710dda7681b72b153d
-
SHA256
ad054e33da8cc51d62113c63a681aebc22d9f6fb6bad7f5d3ba9e169ccb14547
-
SHA512
21b6e25bdd2518dd120875b5e936612d93c133b6eba43923339be2ea718a75a91b6388dbc1d26cb4f751da2620599fb0da35d97e23d67181d028dec37ba10e8e
-
SSDEEP
49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lE:RWWBibd56utgpPFotBER/mQ32lUQ
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
-
access_type
512
-
beacon_type
256
-
create_remote_thread
768
-
crypto_scheme
256
-
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
-
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
-
http_method1
GET
-
http_method2
POST
-
maxdns
255
-
pipe_name
\\%s\pipe\msagent_%x
-
polling_time
5000
-
port_number
443
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/N4215/adj/amzn.us.sr.aps
-
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
-
watermark
0
Signatures
-
Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
resource                                    yara_rule
behavioral2/files/0x0009000000023c94-4.dat    cobalt_reflective_dll
behavioral2/files/0x0007000000023c9b-9.dat    cobalt_reflective_dll
behavioral2/files/0x0007000000023c9f-52.dat   cobalt_reflective_dll
behavioral2/files/0x0007000000023ca3-62.dat   cobalt_reflective_dll
behavioral2/files/0x0007000000023ca1-69.dat   cobalt_reflective_dll
behavioral2/files/0x0007000000023ca4-90.dat   cobalt_reflective_dll
behavioral2/files/0x0007000000023ca6-98.dat   cobalt_reflective_dll
behavioral2/files/0x0007000000023ca8-103.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023ca7-101.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023ca5-92.dat   cobalt_reflective_dll
behavioral2/files/0x000a000000023c97-89.dat   cobalt_reflective_dll
behavioral2/files/0x0007000000023ca2-80.dat   cobalt_reflective_dll
behavioral2/files/0x0007000000023ca0-47.dat   cobalt_reflective_dll
behavioral2/files/0x0007000000023c9c-36.dat   cobalt_reflective_dll
behavioral2/files/0x0007000000023c9d-35.dat   cobalt_reflective_dll
behavioral2/files/0x0007000000023c9e-33.dat   cobalt_reflective_dll
behavioral2/files/0x0007000000023c9a-20.dat   cobalt_reflective_dll
behavioral2/files/0x0007000000023caa-111.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023cab-117.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023cac-120.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023ca9-110.dat  cobalt_reflective_dll
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
XMRig Miner payload 45 IoCs
-
Executes dropped EXE 21 IoCs
pid   Process
4272  puSzbBf.exe
2184  sxZTdKI.exe
5064  WbEzkXV.exe
1272  NCUUncM.exe
3068  FrkWvFa.exe
4804  VZAsvpt.exe
1260  oDRnLEx.exe
2492  ecsVelB.exe
2020  rOfEgVS.exe
928   CqWqVrq.exe
2316  ayaQpCA.exe
2772  vbbLbLA.exe
848   lPJikHz.exe
4080  UZHIung.exe
1924  iPDRyml.exe
3236  VpEwjWa.exe
3336  puIipWn.exe
4252  pHDwJwM.exe
5000  HWnGlBP.exe
4600  uBiaool.exe
3500  VmnOXyI.exe
-
Drops file in Windows directory 21 IoCs
description   ioc                             Process
File created  C:\Windows\System\VpEwjWa.exe  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\pHDwJwM.exe  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\HWnGlBP.exe  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\sxZTdKI.exe  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\vbbLbLA.exe  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\iPDRyml.exe  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\uBiaool.exe  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\VmnOXyI.exe  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\WbEzkXV.exe  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\FrkWvFa.exe  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\ecsVelB.exe  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\puIipWn.exe  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\NCUUncM.exe  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\rOfEgVS.exe  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\CqWqVrq.exe  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\ayaQpCA.exe  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\lPJikHz.exe  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\UZHIung.exe  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\puSzbBf.exe  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\VZAsvpt.exe  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\oDRnLEx.exe  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description                   pid  Process
Token: SeLockMemoryPrivilege  668  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege  668  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe
-
Suspicious use of WriteProcessMemory 42 IoCs
description                        pid  Process                                                                             procid_target
PID 668 wrote to memory of 4272    668  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe  85
PID 668 wrote to memory of 4272    668  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe  85
PID 668 wrote to memory of 2184    668  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe  86
PID 668 wrote to memory of 2184    668  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe  86
PID 668 wrote to memory of 5064    668  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe  87
PID 668 wrote to memory of 5064    668  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe  87
PID 668 wrote to memory of 1272    668  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe  88
PID 668 wrote to memory of 1272    668  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe  88
PID 668 wrote to memory of 3068    668  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe  89
PID 668 wrote to memory of 3068    668  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe  89
PID 668 wrote to memory of 4804    668  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe  90
PID 668 wrote to memory of 4804    668  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe  90
PID 668 wrote to memory of 1260    668  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe  91
PID 668 wrote to memory of 1260    668  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe  91
PID 668 wrote to memory of 2492    668  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe  92
PID 668 wrote to memory of 2492    668  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe  92
PID 668 wrote to memory of 2020    668  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe  93
PID 668 wrote to memory of 2020    668  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe  93
PID 668 wrote to memory of 2772    668  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe  94
PID 668 wrote to memory of 2772    668  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe  94
PID 668 wrote to memory of 928     668  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe  95
PID 668 wrote to memory of 928     668  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe  95
PID 668 wrote to memory of 2316    668  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe  96
PID 668 wrote to memory of 2316    668  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe  96
PID 668 wrote to memory of 848     668  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe  97
PID 668 wrote to memory of 848     668  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe  97
PID 668 wrote to memory of 4080    668  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe  98
PID 668 wrote to memory of 4080    668  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe  98
PID 668 wrote to memory of 1924    668  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe  99
PID 668 wrote to memory of 1924    668  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe  99
PID 668 wrote to memory of 3236    668  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe  100
PID 668 wrote to memory of 3236    668  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe  100
PID 668 wrote to memory of 3336    668  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe  101
PID 668 wrote to memory of 3336    668  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe  101
PID 668 wrote to memory of 4252    668  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe  102
PID 668 wrote to memory of 4252    668  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe  102
PID 668 wrote to memory of 5000    668  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe  103
PID 668 wrote to memory of 5000    668  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe  103
PID 668 wrote to memory of 4600    668  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe  104
PID 668 wrote to memory of 4600    668  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe  104
PID 668 wrote to memory of 3500    668  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe  105
PID 668 wrote to memory of 3500    668  2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe  105
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe"
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:668
  C:\Windows\System\puSzbBf.exe
  - Executes dropped EXE
  PID:4272
  C:\Windows\System\sxZTdKI.exe
  - Executes dropped EXE
  PID:2184
  C:\Windows\System\WbEzkXV.exe
  - Executes dropped EXE
  PID:5064
  C:\Windows\System\NCUUncM.exe
  - Executes dropped EXE
  PID:1272
  C:\Windows\System\FrkWvFa.exe
  - Executes dropped EXE
  PID:3068
  C:\Windows\System\VZAsvpt.exe
  - Executes dropped EXE
  PID:4804
  C:\Windows\System\oDRnLEx.exe
  - Executes dropped EXE
  PID:1260
  C:\Windows\System\ecsVelB.exe
  - Executes dropped EXE
  PID:2492
  C:\Windows\System\rOfEgVS.exe
  - Executes dropped EXE
  PID:2020
  C:\Windows\System\vbbLbLA.exe
  - Executes dropped EXE
  PID:2772
  C:\Windows\System\CqWqVrq.exe
  - Executes dropped EXE
  PID:928
  C:\Windows\System\ayaQpCA.exe
  - Executes dropped EXE
  PID:2316
  C:\Windows\System\lPJikHz.exe
  - Executes dropped EXE
  PID:848
  C:\Windows\System\UZHIung.exe
  - Executes dropped EXE
  PID:4080
  C:\Windows\System\iPDRyml.exe
  - Executes dropped EXE
  PID:1924
  C:\Windows\System\VpEwjWa.exe
  - Executes dropped EXE
  PID:3236
  C:\Windows\System\puIipWn.exe
  - Executes dropped EXE
  PID:3336
  C:\Windows\System\pHDwJwM.exe
  - Executes dropped EXE
  PID:4252
  C:\Windows\System\HWnGlBP.exe
  - Executes dropped EXE
  PID:5000
  C:\Windows\System\uBiaool.exe
  - Executes dropped EXE
  PID:4600
  C:\Windows\System\VmnOXyI.exe
  - Executes dropped EXE
  PID:3500
-
Downloads