Analysis
max time kernel: 147s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/10/2024, 08:09
Behavioral task
behavioral1
Sample: 2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe
Resource: win7-20240708-en
General
Target: 2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe
Size: 5.9MB
MD5: 79cfa455a7475312ddd7046196206b64
SHA1: 6445efa927d97ca04df74ac8a0ebd63708a32c90
SHA256: b4fa2fb5b500915e79f08d7ae82fe28c8b89bdea6fdb905dcf929765daa037bf
SHA512: 41c254e79265e899217662c51f4bbd6e67d1b269a4e0b3f576878c63399b96ac1cf063925894747f6faf838a631715e598b8cb7bfb1c31a4dfd4843b76acf6af
SSDEEP: 98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUM:Q+856utgpPF8u/7M
Malware Config
Extracted
Family: cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
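The http_header1 and http_header2 values above are the beacon's packed HTTP transform programs: a sequence of 4-byte big-endian opcodes, where an opcode that takes a string is followed by a 4-byte length and the bytes, and a 0 opcode ends the program. The decoder below is an added example written for this page (it is not part of the report and not Cobalt Strike tooling); it decodes both blobs and renders them as Malleable C2 client-block statements. Opcodes 1 through 7, 9 and 10 are exercised by this sample's blobs; the remaining entries in the opcode tables (netbios, base64url, strrep, mask, hostheader and so on) follow public beacon-config parsers and are an assumption here, as are the block names for `build` (metadata for http-get, id and output for http-post). Decoded, the two blobs reproduce the http-get and http-post client blocks of the publicly shared "amazon" Malleable C2 example profile (Host: www.amazon.com, the session-token/skin=noskin Cookie wrapping for metadata, the sz/oe/sn/s/dc_ref parameters), which is why the beacon sends an Amazon Host header while connecting to the softline.top servers listed above.

```python
import base64
import struct

# Opcodes of the packed transform program in the beacon's HttpGet_Metadata /
# HttpPost_Metadata settings (the http_header1 / http_header2 values above).
# Opcodes 1-7, 9 and 10 are exercised by this sample's two blobs; the rest
# follow public beacon-config parsers and are an assumption here.
STRING_OPS = {1: "append", 2: "prepend", 5: "parameter", 6: "header",
              9: "const_parameter", 10: "const_header", 16: "hostheader"}
FLAG_OPS = {3: "base64", 4: "print", 8: "netbios", 11: "netbiosu",
            12: "uri_append", 13: "base64url", 15: "mask"}
# Steps that emit the transformed buffer and so close a metadata/id/output block.
TERMINAL_OPS = {"print", "parameter", "header", "uri_append"}

# Block names for the "build <n>" opcode: http-get carries only metadata,
# http-post carries the session id (0) and the command output (1).
GET_BLOCKS = {0: "metadata"}
POST_BLOCKS = {0: "id", 1: "output"}


def decode_transform(blob_b64):
    """Decode one blob into [(op, arg), ...]; stops at the 0 terminator."""
    data = base64.b64decode(blob_b64)
    pos = 0

    def u32():
        nonlocal pos
        (val,) = struct.unpack_from(">I", data, pos)
        pos += 4
        return val

    def string():
        nonlocal pos
        length = u32()
        val = data[pos:pos + length].decode("latin-1")
        pos += length
        return val

    steps = []
    while pos + 4 <= len(data):
        op = u32()
        if op == 0:                         # terminator; the rest is zero padding
            break
        if op in STRING_OPS:
            steps.append((STRING_OPS[op], string()))
        elif op in FLAG_OPS:
            steps.append((FLAG_OPS[op], None))
        elif op == 7:                       # build <index>: which data comes next
            steps.append(("build", u32()))
        elif op == 14:                      # strrep <from> <to> (assumed layout)
            steps.append(("strrep", (string(), string())))
        else:
            raise ValueError(f"unknown transform opcode {op} at offset {pos - 4}")
    return steps


def render_profile(steps, block_names):
    """Render decoded steps as the statements of a Malleable C2 client block."""
    lines, in_block = [], False
    for op, arg in steps:
        if op == "build":
            lines.append(block_names.get(arg, f"build{arg}") + " {")
            in_block = True
            continue
        indent = "    " if in_block else ""
        if op == "const_header":            # stored as "Name: value"
            name, value = arg.split(": ", 1)
            lines.append(f'{indent}header "{name}" "{value}";')
        elif op == "const_parameter":       # stored as "name=value"
            name, value = arg.split("=", 1)
            lines.append(f'{indent}parameter "{name}" "{value}";')
        elif op == "strrep":
            lines.append(f'{indent}strrep "{arg[0]}" "{arg[1]}";')
        elif arg is None:
            lines.append(f"{indent}{op};")
        else:
            lines.append(f'{indent}{op} "{arg}";')
        if in_block and op in TERMINAL_OPS:
            lines.append("}")
            in_block = False
    if in_block:
        lines.append("}")
    return "\n".join(lines)


# The two blobs exactly as extracted from this sample (http_header1 / http_header2).
HTTP_HEADER1 = "AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="
HTTP_HEADER2 = "AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA=="

if __name__ == "__main__":
    print("http-get client {")
    print(render_profile(decode_transform(HTTP_HEADER1), GET_BLOCKS))
    print("}\nhttp-post client {")
    print(render_profile(decode_transform(HTTP_HEADER2), POST_BLOCKS))
    print("}")
```

Running it prints `header "Host" "www.amazon.com";`, a `metadata { base64; prepend "session-token="; prepend "skin=noskin;"; append "csm-hit=..."; header "Cookie"; }` block for http-get, and for http-post the sz/oe parameters, `id { parameter "sn"; }`, the s/dc_ref parameters and `output { base64; print; }`. Two reading notes on the rest of the config: the three C2 URLs are http:// on port 443, so beacon traffic is cleartext HTTP on a TLS port; and the state_machine value is a base64 DER SubjectPublicKeyInfo (the MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ prefix is a 1024-bit RSA key), the team server public key the beacon uses to encrypt its session metadata.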
Signatures
Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
yara_rule cobalt_reflective_dll matched the following resources:
behavioral2/files/0x0008000000023c9c-5.dat
behavioral2/files/0x0007000000023ca1-8.dat
behavioral2/files/0x0007000000023ca0-9.dat
behavioral2/files/0x0008000000023c9d-21.dat
behavioral2/files/0x0007000000023ca2-26.dat
behavioral2/files/0x0007000000023ca3-35.dat
behavioral2/files/0x0007000000023ca5-40.dat
behavioral2/files/0x0007000000023ca6-45.dat
behavioral2/files/0x0007000000023ca7-56.dat
behavioral2/files/0x0007000000023ca9-65.dat
behavioral2/files/0x0007000000023caa-77.dat
behavioral2/files/0x0007000000023ca8-70.dat
behavioral2/files/0x0007000000023cab-83.dat
behavioral2/files/0x000500000001da19-88.dat
behavioral2/files/0x0002000000022a9d-97.dat
behavioral2/files/0x000400000001e56e-112.dat
behavioral2/files/0x0002000000022a9f-107.dat
behavioral2/files/0x000700000001e5c8-115.dat
behavioral2/files/0x000f000000023b56-126.dat
behavioral2/files/0x0008000000023cac-130.dat
behavioral2/files/0x0008000000023cae-135.dat
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
Cobaltstrike family
Xmrig family
XMRig Miner payload 64 IoCs
yara_rule xmrig matched the following resources:
behavioral2/memory/2884-0-0x00007FF7F2C90000-0x00007FF7F2FE4000-memory.dmp
behavioral2/files/0x0008000000023c9c-5.dat
behavioral2/files/0x0007000000023ca1-8.dat
behavioral2/files/0x0007000000023ca0-9.dat
behavioral2/memory/4476-14-0x00007FF7ABD10000-0x00007FF7AC064000-memory.dmp
behavioral2/memory/2076-6-0x00007FF7830C0000-0x00007FF783414000-memory.dmp
behavioral2/files/0x0008000000023c9d-21.dat
behavioral2/files/0x0007000000023ca2-26.dat
behavioral2/memory/5084-32-0x00007FF6C8840000-0x00007FF6C8B94000-memory.dmp
behavioral2/memory/4192-31-0x00007FF784460000-0x00007FF7847B4000-memory.dmp
behavioral2/memory/2740-20-0x00007FF6AC250000-0x00007FF6AC5A4000-memory.dmp
behavioral2/files/0x0007000000023ca3-35.dat
behavioral2/files/0x0007000000023ca5-40.dat
behavioral2/memory/4724-42-0x00007FF6D4200000-0x00007FF6D4554000-memory.dmp
behavioral2/files/0x0007000000023ca6-45.dat
behavioral2/memory/2884-46-0x00007FF7F2C90000-0x00007FF7F2FE4000-memory.dmp
behavioral2/memory/4912-47-0x00007FF66CA70000-0x00007FF66CDC4000-memory.dmp
behavioral2/memory/564-36-0x00007FF7C0730000-0x00007FF7C0A84000-memory.dmp
behavioral2/memory/2076-52-0x00007FF7830C0000-0x00007FF783414000-memory.dmp
behavioral2/files/0x0007000000023ca7-56.dat
behavioral2/memory/2088-61-0x00007FF7C1280000-0x00007FF7C15D4000-memory.dmp
behavioral2/files/0x0007000000023ca9-65.dat
behavioral2/memory/100-76-0x00007FF6F4B80000-0x00007FF6F4ED4000-memory.dmp
behavioral2/files/0x0007000000023caa-77.dat
behavioral2/memory/1780-75-0x00007FF7A2710000-0x00007FF7A2A64000-memory.dmp
behavioral2/memory/4192-67-0x00007FF784460000-0x00007FF7847B4000-memory.dmp
behavioral2/memory/1444-66-0x00007FF64C320000-0x00007FF64C674000-memory.dmp
behavioral2/files/0x0007000000023ca8-70.dat
behavioral2/memory/2740-62-0x00007FF6AC250000-0x00007FF6AC5A4000-memory.dmp
behavioral2/files/0x0007000000023cab-83.dat
behavioral2/memory/4244-82-0x00007FF79F8F0000-0x00007FF79FC44000-memory.dmp
behavioral2/files/0x000500000001da19-88.dat
behavioral2/memory/2084-92-0x00007FF67B2A0000-0x00007FF67B5F4000-memory.dmp
behavioral2/memory/564-90-0x00007FF7C0730000-0x00007FF7C0A84000-memory.dmp
behavioral2/memory/4724-94-0x00007FF6D4200000-0x00007FF6D4554000-memory.dmp
behavioral2/files/0x0002000000022a9d-97.dat
behavioral2/memory/2676-96-0x00007FF653140000-0x00007FF653494000-memory.dmp
behavioral2/memory/4912-99-0x00007FF66CA70000-0x00007FF66CDC4000-memory.dmp
behavioral2/memory/2088-103-0x00007FF7C1280000-0x00007FF7C15D4000-memory.dmp
behavioral2/memory/924-104-0x00007FF756070000-0x00007FF7563C4000-memory.dmp
behavioral2/files/0x000400000001e56e-112.dat
behavioral2/memory/1620-111-0x00007FF647590000-0x00007FF6478E4000-memory.dmp
behavioral2/memory/1444-110-0x00007FF64C320000-0x00007FF64C674000-memory.dmp
behavioral2/files/0x0002000000022a9f-107.dat
behavioral2/files/0x000700000001e5c8-115.dat
behavioral2/memory/464-117-0x00007FF75BD80000-0x00007FF75C0D4000-memory.dmp
behavioral2/memory/1780-116-0x00007FF7A2710000-0x00007FF7A2A64000-memory.dmp
behavioral2/memory/100-124-0x00007FF6F4B80000-0x00007FF6F4ED4000-memory.dmp
behavioral2/files/0x000f000000023b56-126.dat
behavioral2/files/0x0008000000023cac-130.dat
behavioral2/memory/2268-131-0x00007FF71A140000-0x00007FF71A494000-memory.dmp
behavioral2/files/0x0008000000023cae-135.dat
behavioral2/memory/3832-137-0x00007FF7B0150000-0x00007FF7B04A4000-memory.dmp
behavioral2/memory/4244-136-0x00007FF79F8F0000-0x00007FF79FC44000-memory.dmp
behavioral2/memory/652-125-0x00007FF6767B0000-0x00007FF676B04000-memory.dmp
behavioral2/memory/2676-140-0x00007FF653140000-0x00007FF653494000-memory.dmp
behavioral2/memory/924-141-0x00007FF756070000-0x00007FF7563C4000-memory.dmp
behavioral2/memory/1620-142-0x00007FF647590000-0x00007FF6478E4000-memory.dmp
behavioral2/memory/464-143-0x00007FF75BD80000-0x00007FF75C0D4000-memory.dmp
behavioral2/memory/652-144-0x00007FF6767B0000-0x00007FF676B04000-memory.dmp
behavioral2/memory/2268-145-0x00007FF71A140000-0x00007FF71A494000-memory.dmp
behavioral2/memory/3832-146-0x00007FF7B0150000-0x00007FF7B04A4000-memory.dmp
behavioral2/memory/4476-147-0x00007FF7ABD10000-0x00007FF7AC064000-memory.dmp
behavioral2/memory/2076-148-0x00007FF7830C0000-0x00007FF783414000-memory.dmp
Executes dropped EXE 21 IoCs
pid | Process
2076 | YTbEkPC.exe
4476 | tIaYhHq.exe
2740 | PVxXWGp.exe
4192 | bBZblvc.exe
5084 | nDEcwty.exe
564 | XTVWKmc.exe
4724 | SOkhteF.exe
4912 | EMMVihc.exe
2088 | btrTfKH.exe
1444 | RiiBeas.exe
1780 | PgIFhUg.exe
100 | pIYyiRC.exe
4244 | XEuZzSH.exe
2084 | RQeGoSC.exe
2676 | fIVqvmO.exe
924 | QLXczht.exe
1620 | PqiiUlk.exe
464 | qXOJkBA.exe
652 | fVRVBOM.exe
2268 | CBUMvsu.exe
3832 | dAcnonA.exe
yara_rule upx 64 IoCs
yara_rule upx matched the same 64 resources (21 dropped .dat files and 43 process memory dumps) listed under XMRig Miner payload above, in the same order.
Drops file in Windows directory 21 IoCs
description | ioc | Process. The Process column is 2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe in every row.
File created | C:\Windows\System\SOkhteF.exe
File created | C:\Windows\System\pIYyiRC.exe
File created | C:\Windows\System\RQeGoSC.exe
File created | C:\Windows\System\tIaYhHq.exe
File created | C:\Windows\System\PgIFhUg.exe
File created | C:\Windows\System\fIVqvmO.exe
File created | C:\Windows\System\fVRVBOM.exe
File created | C:\Windows\System\CBUMvsu.exe
File created | C:\Windows\System\dAcnonA.exe
File created | C:\Windows\System\bBZblvc.exe
File created | C:\Windows\System\nDEcwty.exe
File created | C:\Windows\System\XTVWKmc.exe
File created | C:\Windows\System\EMMVihc.exe
File created | C:\Windows\System\btrTfKH.exe
File created | C:\Windows\System\XEuZzSH.exe
File created | C:\Windows\System\YTbEkPC.exe
File created | C:\Windows\System\PVxXWGp.exe
File created | C:\Windows\System\RiiBeas.exe
File created | C:\Windows\System\QLXczht.exe
File created | C:\Windows\System\PqiiUlk.exe
File created | C:\Windows\System\qXOJkBA.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeLockMemoryPrivilege | 2884 | 2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege | 2884 | 2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe
Suspicious use of WriteProcessMemory 42 IoCs
description | pid | Process | procid_target. In all 42 rows pid is 2884 and Process is 2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe; each child below appears in two consecutive rows.
PID 2884 wrote to memory of 2076 | procid_target 85
PID 2884 wrote to memory of 4476 | procid_target 86
PID 2884 wrote to memory of 2740 | procid_target 87
PID 2884 wrote to memory of 4192 | procid_target 88
PID 2884 wrote to memory of 5084 | procid_target 89
PID 2884 wrote to memory of 564 | procid_target 90
PID 2884 wrote to memory of 4724 | procid_target 91
PID 2884 wrote to memory of 4912 | procid_target 92
PID 2884 wrote to memory of 2088 | procid_target 93
PID 2884 wrote to memory of 1444 | procid_target 94
PID 2884 wrote to memory of 1780 | procid_target 95
PID 2884 wrote to memory of 100 | procid_target 97
PID 2884 wrote to memory of 4244 | procid_target 100
PID 2884 wrote to memory of 2084 | procid_target 101
PID 2884 wrote to memory of 2676 | procid_target 102
PID 2884 wrote to memory of 924 | procid_target 103
PID 2884 wrote to memory of 1620 | procid_target 106
PID 2884 wrote to memory of 464 | procid_target 108
PID 2884 wrote to memory of 652 | procid_target 109
PID 2884 wrote to memory of 2268 | procid_target 110
PID 2884 wrote to memory of 3832 | procid_target 111
Processes
1. C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe"
   PID: 2884
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   Children (level 2), each launched with its bare path as the command line and each flagged "Executes dropped EXE":
   - C:\Windows\System\YTbEkPC.exe  PID: 2076
   - C:\Windows\System\tIaYhHq.exe  PID: 4476
   - C:\Windows\System\PVxXWGp.exe  PID: 2740
   - C:\Windows\System\bBZblvc.exe  PID: 4192
   - C:\Windows\System\nDEcwty.exe  PID: 5084
   - C:\Windows\System\XTVWKmc.exe  PID: 564
   - C:\Windows\System\SOkhteF.exe  PID: 4724
   - C:\Windows\System\EMMVihc.exe  PID: 4912
   - C:\Windows\System\btrTfKH.exe  PID: 2088
   - C:\Windows\System\RiiBeas.exe  PID: 1444
   - C:\Windows\System\PgIFhUg.exe  PID: 1780
   - C:\Windows\System\pIYyiRC.exe  PID: 100
   - C:\Windows\System\XEuZzSH.exe  PID: 4244
   - C:\Windows\System\RQeGoSC.exe  PID: 2084
   - C:\Windows\System\fIVqvmO.exe  PID: 2676
   - C:\Windows\System\QLXczht.exe  PID: 924
   - C:\Windows\System\PqiiUlk.exe  PID: 1620
   - C:\Windows\System\qXOJkBA.exe  PID: 464
   - C:\Windows\System\fVRVBOM.exe  PID: 652
   - C:\Windows\System\CBUMvsu.exe  PID: 2268
   - C:\Windows\System\dAcnonA.exe  PID: 3832
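The signatures and process tree give three host-side tells: the parent writes 21 executables into C:\Windows\System (each 5.9MB like the parent but with a different hash, per the Downloads list) and runs every one of them; it enables SeLockMemoryPrivilege, which XMRig requests for large pages; and the extracted config's spawnto is a bare rundll32.exe. The config also gives the network tells: the three softline.top hosts reached over http:// on port 443, the Amazon Host header and URIs, and the \\%s\pipe\msagent_%x pipe name. The rules below are an added example written for this page, not part of the report. The event dictionaries and field names are the example's own (map them onto Sysmon event 11 for file creation, 1 for process creation, 17 for pipe creation, token-privilege auditing and proxy logs); PIDs 2884/2076 and the YTbEkPC.exe path come from the report, while PIDs 4100/800/5000, the pipe suffix 3f9a and the rundll32, pipe and HTTP events are constructed to exercise the config-derived rules, since the report itself records no rundll32 spawn or named pipe during the 147-second run.

```python
import re
from collections import defaultdict

# Indicators taken from the extracted config and signatures in this report.
C2_HOSTS = {"ns7.softline.top", "ns8.softline.top", "ns9.softline.top"}
C2_URIS = {
    "/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",  # http-get uri
    "/N4215/adj/amzn.us.sr.aps",                                      # http-post uri
}
# pipe_name "\\%s\pipe\msagent_%x": %x renders as lowercase hex, and Sysmon
# records pipe names as "\msagent_..." without the "\\.\pipe" prefix.
PIPE_RE = re.compile(r"\\msagent_[0-9a-f]{1,8}$", re.IGNORECASE)
# sc_process32/64 are both rundll32.exe; %windir%\sysnative is the WOW64
# alias of System32, so on-disk telemetry shows System32 or SysWOW64.
SPAWNTO_RE = re.compile(r"^[a-z]:\\windows\\(?:system32|syswow64)\\rundll32\.exe$", re.IGNORECASE)
# All 21 dropped executables live in C:\Windows\System with 7-letter names.
DROP_PATH_RE = re.compile(r"^[a-z]:\\windows\\system\\[a-z]{7}\.exe$", re.IGNORECASE)


def detect(events):
    """Run every rule over an ordered event stream; return (rule, pid, detail) hits."""
    hits = []
    dropped = defaultdict(set)  # creator pid -> lowercase paths it wrote

    for ev in events:
        kind = ev["type"]

        if kind == "file_create":
            dropped[ev["pid"]].add(ev["path"].lower())

        elif kind == "privilege_enabled":
            # XMRig enables SeLockMemoryPrivilege for large pages. Database
            # servers do the same, so this is supporting evidence, not a verdict.
            if ev["privilege"] == "SeLockMemoryPrivilege":
                hits.append(("lock_memory_privilege", ev["pid"], ev["privilege"]))

        elif kind == "process_create":
            image = ev["image"]
            # The child image was written earlier by its own parent.
            if image.lower() in dropped[ev["parent_pid"]] and DROP_PATH_RE.match(image):
                hits.append(("executes_dropped_exe", ev["pid"], image))
            # Beacon's spawnto runs rundll32.exe with an empty argument list.
            cmd = ev.get("cmdline", "").strip().strip('"')
            if SPAWNTO_RE.match(image) and cmd.lower() == image.lower():
                hits.append(("rundll32_no_args", ev["pid"], image))

        elif kind == "pipe_create":
            if PIPE_RE.search(ev["name"]):
                hits.append(("cobalt_pipe", ev["pid"], ev["name"]))

        elif kind == "http_request":
            reasons = []
            if ev["dst_host"].lower() in C2_HOSTS:
                reasons.append("known_c2_host")
            if ev["uri"] in C2_URIS:
                reasons.append("known_c2_uri")
            # The profile sends "Host: www.amazon.com" to a server that is not Amazon.
            if ev["host_header"].lower() != ev["dst_host"].lower():
                reasons.append("host_header_mismatch")
            # The config's C2 URLs are http:// on port 443: cleartext HTTP on a TLS port.
            if ev["dst_port"] == 443 and not ev["tls"]:
                reasons.append("cleartext_http_on_443")
            if reasons:
                hits.append(("c2_http", ev["pid"], tuple(reasons)))
    return hits


# Constructed telemetry. PIDs 2884/2076 and the YTbEkPC.exe path are from the
# report; PIDs 4100/800/5000, the pipe suffix and the rundll32, pipe and HTTP
# events are invented to exercise the config-derived rules.
SAMPLE_EVENTS = [
    {"type": "privilege_enabled", "pid": 2884, "privilege": "SeLockMemoryPrivilege"},
    {"type": "file_create", "pid": 2884, "path": r"C:\Windows\System\YTbEkPC.exe"},
    {"type": "process_create", "pid": 2076, "parent_pid": 2884,
     "image": r"C:\Windows\System\YTbEkPC.exe", "cmdline": r"C:\Windows\System\YTbEkPC.exe"},
    {"type": "process_create", "pid": 4100, "parent_pid": 2884,
     "image": r"C:\Windows\System32\rundll32.exe", "cmdline": r'"C:\Windows\System32\rundll32.exe"'},
    {"type": "pipe_create", "pid": 4100, "name": r"\msagent_3f9a"},
    {"type": "http_request", "pid": 4100, "dst_host": "ns7.softline.top", "dst_port": 443, "tls": False,
     "host_header": "www.amazon.com",
     "uri": "/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"},
    # Benign controls: rundll32 with arguments, and real HTTPS to Amazon.
    {"type": "process_create", "pid": 5000, "parent_pid": 800,
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL"},
    {"type": "http_request", "pid": 5000, "dst_host": "www.amazon.com", "dst_port": 443, "tls": True,
     "host_header": "www.amazon.com", "uri": "/"},
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:<24} pid={pid:<5} {detail}")
```

The executes_dropped_exe rule only fires when the same parent both wrote the file and started it, which is the shape of this sample's 21 drop-and-run pairs and avoids flagging installers that hand off to a service. The HTTP rule reports all matching reasons for one request; host_header_mismatch and cleartext_http_on_443 remain useful after the softline.top hosts are retired, because they come from the profile rather than from the infrastructure.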
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 5.9MB
MD5: 3d81d419eb4d38e06fa9432a063a343b
SHA1: 3f2898ca7d20ee013d39cdae71745e0a072e22e7
SHA256: 9fa1fb5cd7c94a18933532ac3254ec3fc6dec0e8eca84179b1eb1768093eb4e3
SHA512: e2dd8599eca2bbd7054827d34670759f613f6ab25b0908b2d02c095c32cfae8aa050ad1de6dae4ab6c968b0418c5ed3f981c6ccc219ec9197288c0d6139ca185

Filesize: 5.9MB
MD5: 542fee9f4589ff5906d816474c1af4e3
SHA1: c157fcb7c7c9cae74c8ccce5229d84027d682ac4
SHA256: bdb60821794d34de6249d90cd5e42809eee7c1969fc8a82418c25a30968b7c30
SHA512: 08c55a0584b929d3a693b3200aa42838a47df7dd3483662d0e4a80aba1a30f2c409e12603781231bf532efc9ddbfff3c77d8211772477d4225c55297c9c57e6b

Filesize: 5.9MB
MD5: 677599c398b0f0b609a618a0e1fcea3c
SHA1: c0663243544a0dc22e687be0f5142c9df21d8d0f
SHA256: 0eafb559a25ad592648fccf582454220d2761b46f77c5fad89195c9e9c48c2b5
SHA512: 4e33bc13204020e39fa4cd12522af809ea09e901153c727ee30265b6914f365c6d15dc7d0096cebc8ff7564a5e574c4f57a9c258c9b1323a789493d9b3fee281

Filesize: 5.9MB
MD5: 6001b10572dcaf7012234360d3b6140b
SHA1: 59ef2de36af5a65f4c8729ee36a229c47393db9b
SHA256: 730565fbc5acb340611489f2cc798131b02d0fd91250f6ac1a82ee85c0b54da4
SHA512: 79e1c5de0c461de5012cee211175643f557628c66bc86c7dc878342a18cf03ee1cc6a6f395c2ece38114116e8d3066734a249623b4fb2f8f26ecf7202052b3e2

Filesize: 5.9MB
MD5: 3f658c0f6bee5188ebae59dc0cde0bad
SHA1: 133cb7623374adcb879a7aca88817930fe0aee9d
SHA256: 285ec3548ea9d0834c30c60deb8fb39e700b7da858f4b858c2a828c3d7fa4bad
SHA512: 81d059c4ba391a7ae51a5de0f056039bbd916f1ee98bd1719be5fe6fe7f776f93cf143909c1085f386c3a74782fd0c63a323d4fff3a4876463a82a81a3335434

Filesize: 5.9MB
MD5: e6ba6c64202c45ce190b2eda1638c3f4
SHA1: bf32902f374af113ec9172be7a1fd5bae4a0cc40
SHA256: 4e98b665c6e04d5ac618bd89f0c27e58f3c24b75e9ab0d8d179f1586d79064ed
SHA512: 00b6b0b4f975f03f9819f2cd2ae10498c21d3cfed4df0d282dc04b92ecb416dcc28a411edce8a8ed62e0cc13364237a627ef00a473862635741eb5a47bdd95af

Filesize: 5.9MB
MD5: 4d5df144fd633a324a08e89e1b7ee699
SHA1: 69d740b4c0eb8540409179722473be2633ef1a32
SHA256: ebf6d814383afc3ba5e242efde13aecbee03ac590bbf292cc084cb2db1b0f01b
SHA512: 7b4d4a37d95dda5cbf0b132376a74b83243f2f9ffba34c7ccdb91613742c288b48063c6fd1b9efdd4725426b59e5e116778bed242e7371406dd405d3576a298c

Filesize: 5.9MB
MD5: 2fd724adaaee04b4eaea3c70b65018d8
SHA1: 044d38b465cb4843e087d85d4abc9f67372649dd
SHA256: 83a379108aaf46bf2d7be97965d6e4737c2aac64f7bb287ec31bf54c0978b735
SHA512: a66b0d7e8357348dcdce8e7c650b5f000e994a6ace55d01d7d2efdd75ec62156a46a475214c822ade219449470b59633ab69900fcebba4713d1a630375c5ecf6

Filesize: 5.9MB
MD5: 5b4a909a6c9f1b3ea3dd4d19c964a183
SHA1: 140c96e512c141410e2a6c7faa1dff5918bff700
SHA256: 05124766391d6320478be8183b8ebf673aa1183191a94e25ac8a4e632c572d13
SHA512: 400b50bacf5c8104cb75f7b434d844eeaa9a9ef2c63fdcbcae6af54d9faa20e493cb1557026d1038f81ef61dbc890c0f3894e75171d96e7f1666a01cc5dab305

Filesize: 5.9MB
MD5: 57e34f6db90145013d23c873a9c3ef04
SHA1: e3afd3ea016c4fb6c31fc08056b9db2b5b133260
SHA256: beca7bb084927228f6049ec8b4157a3ea60d33debc1520b146481fa57bc0f80f
SHA512: 6b5cd0165b92f6e375ad86401022820f7ea6afae573416efbee1e33fa70ff1080c10654339b1f50a4360e64307394e90086f75d995df4bc58a2a684c79693345

Filesize: 5.9MB
MD5: 879a8abf41bd39bd2f43d9fb6d0f5446
SHA1: 119857551598ed85aa7b8a72b6e0513c50f36347
SHA256: 041839934a5ca715233dc2badca664d7e1b8a57df30245c45ee31eb1435ed147
SHA512: a28d26c3da9f08b25ead51ddbc909f91207c6a0f1f70e900e841d08c899a3ebfa28e7542b40c6a73eb7d052d502fbe2da9ad1a9f2e1d2f81a19399128283efe5

Filesize: 5.9MB
MD5: dd66a2c5322056d989dcc480853af3e3
SHA1: bc4ef536f6d13751670b4d6ec24481acb9c2faed
SHA256: 8d03b108ad39483a18c8df9f34468c833a50093aaf658682c25b32487af5b80e
SHA512: a87bb287b151e2bba1c1f311e7e924a9469c01bffff7951549fd9506629b915808fa27b07927a55d4773521d26cd82d87aceb5e3aca749de99e3a2e5cde4730c

Filesize: 5.9MB
MD5: 1a6ce6156dc8d8ad34633976fa603b72
SHA1: b1866ad4b5b293bb24c15eb64ae69da7e8c093bf
SHA256: 8eba42e4c0b381994730b415027c7bf81a63f85bf3fc23939684e8cdec019946
SHA512: 65027670c0b76d62f050576f600a8863dadbf28804832175befe3e67d7ccb7f15cad980a2265c8049728c578e6ab8c4aa55d3d440de0682da99b99cd1965a362

Filesize: 5.9MB
MD5: 401418ec7479777cfd10b176e53ff207
SHA1: 45eaed19818a695cadcc38e7bba71ec816b6be8e
SHA256: 0be2f8fda6eb74b4b574e87c673e13232922b07260a39ed278a5a1477ec51baf
SHA512: 1f2dccc7f6261e25274a0aebe3dbcfc8ee3bcf782659cf64d216b29b36cdd0efb8a522f4ddd2eea2fbae142ad7e00329f2b3bfe6a64bf8150bcd5e37e249e9e5

Filesize: 5.9MB
MD5: fc5133fa2746a1350451e57490df69d6
SHA1: 03365b7a4decb1346179bed7db62b254332a73ad
SHA256: 2b60bd382d39dd8bdc948efff989cdff809496db0c55c191d344e63609ee66da
SHA512: 0a11422f23db3b1acf214d793d8bdc9e9f7bb71c254be3ccaa949c5db76c3862b0ffb8f75a8aebae104bce69ac4e23cece124f0c9ef8500a7b740a9adf716414

Filesize: 5.9MB
MD5: 94b1ee4c7013549f38343c2d46287ace
SHA1: 3c7f01dbbc98645cfe4e86b2128e4c97dade5f1e
SHA256: 3263c262871ee8a6fb4b0932580dc33cea41c801e2c7b05469059d4cd1748893
SHA512: 1c3914b9d7e3eb19d8884b019a6a43c8c76216765541cd0145814776cc9010dc0e95189133a471ed2ad131d3153883e750e7e743b2afc0553e95cd4ace922bd1

Filesize: 5.9MB
MD5: 57942433141b6f0942e6eb324c73bf3c
SHA1: c9c87b235c3fc0e5d8368bac4f7b662c25d1d0ac
SHA256: 5183db18d45d94faed9f2cf16ff96c923a2381aa8adf3b7404ff2572d2362b18
SHA512: c073749503cfec3776bdce8369254c7abafa4e1259bd87881482248e682ee06061db350d405577e2fe55046b485fb4c2df6d4807f6a7b9088495da538a1d39de

Filesize: 5.9MB
MD5: 4e107e092f20d8dd52812cd848a0055d
SHA1: 680385cfb451bbfcec994617b947426b505346a4
SHA256: d9b34fccc23e967380eddcf665b6f05b8e2f592e51988e86c6f7af70b3ac3e56
SHA512: 88502aa64806d490904ca82c1b659da08cf49a3d83ad49bb0b8b3029c4156c7926af84f8954dd76550931093a6f6fce612f1300eb1148cdc248c78c86299b012

Filesize: 5.9MB
MD5: bc3aee856a70d0f8cc2e1a0baef0e88a
SHA1: d2a5cfe8fbd36f8df82f467b31f3d1ffd0048b69
SHA256: b14d24b060f792ede7d3cc5b2ee09cc26e739a9f6560d87a5222b36956895a05
SHA512: 8765fcd5db25c5fbe761734495efe4ff8107a094bde7867305c7dbbe152223b183ff9820acf1f76ba8168049ab52ba04cff0477424ed2419f4a49054050c81b1

Filesize: 5.9MB
MD5: 63625f67893c95577b3d385396923960
SHA1: 451d7bd856b2354be8dc411edbe355c16c96a414
SHA256: c9f4b9917f8c264113885de6885ba8ce54621536df5b343e16f7a1856f76b0ee
SHA512: ef346660e18789848c9057e17360bdb5efee87f06c8d8d4984eb4f61f44f32e20a9f0f4218727c401041087578404b183c678dffcd96187d558f54316dcbd0d6

Filesize: 5.9MB
MD5: e469b3a46ccd6220eb3c3c4f49695417
SHA1: 3067ff8585b60f00c46ee5912802ff2137e404b7
SHA256: b7137a423c21d2c769ebdea5e06e30f7750515b357d066a9c26cddabe4253303
SHA512: ffaea29f713ed333f0318c7a7817bb7a659c3e13f8e6ffdb7d826274e38f3e93cad139ba98ec53b7769442752c3ba3f8332700e48f99ef40c8602b04cab6247c