Analysis
-
max time kernel
147s
-
max time network
149s
-
platform
windows10-2004_x64
-
resource
win10v2004-20241007-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
27/10/2024, 04:24
Behavioral task
behavioral1
Sample
2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe
Resource
win7-20240903-en
General
-
Target
2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe
-
Size
5.2MB
-
MD5
ba2cfae820b48b90488536770b7d5b73
-
SHA1
65ea5d166e2dce4eb49b24ddc0689c985e709f5d
-
SHA256
953fed62f0a7328e96c4626e0bac4f00e3a427040f4467724b1c8a5ce1c76e8b
-
SHA512
cdbdd3854d7a7ee8f82493df2d65381247c6df6971a69465a83a77b4034139555590c70734f1907614319ded59af030ab1bfb9eaa713626250ea3d72b4531392
-
SSDEEP
49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l+:RWWBibd56utgpPFotBER/mQ32lUK
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
-
access_type
512
-
beacon_type
256
-
create_remote_thread
768
-
crypto_scheme
256
-
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
-
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
-
http_method1
GET
-
http_method2
POST
-
maxdns
255
-
pipe_name
\\%s\pipe\msagent_%x
-
polling_time
5000
-
port_number
443
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/N4215/adj/amzn.us.sr.aps
-
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
-
watermark
0
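The http_header1 and http_header2 values above are the Beacon's http-get and http-post client transform programs, stored as big-endian 32-bit opcodes with length-prefixed strings and zero-padded to the option length. The Python below is an added example, not part of the sandbox output or of any parser the report used; its opcode table follows public Cobalt Strike config parsers (Didier Stevens' 1768.py uses the same numbering), which is an assumption about the encoding rather than something the report states. Decoded, the two blobs reproduce the client blocks of the widely shared amazon.profile (metadata carried in a Cookie header on GET, base64 body on POST), which also matches the uri and host values listed above. A watermark of 0 and the default-style msagent_%x pipe name are commonly associated with unlicensed builds, but the report itself makes no statement about the licence.

```python
"""Decode Cobalt Strike http_header1 / http_header2 transform blobs into
malleable-C2-style client statements (added example, not from the report)."""
import base64
import struct

# Transform opcodes of the Beacon profile language as used by public config
# parsers (assumed encoding). 9, 10 and 16 carry a literal header/parameter;
# 1, 2, 5 and 6 operate on the data block opened by 'build'.
TRANSFORM_OPS = {
    1: "append", 2: "prepend", 3: "base64", 4: "print", 5: "parameter",
    6: "header", 7: "build", 8: "netbios", 9: "_parameter", 10: "_header",
    11: "netbiosu", 12: "uri_append", 13: "base64url", 14: "strrep",
    15: "mask", 16: "_hostheader",
}
STRING_OPS = {1, 2, 5, 6, 9, 10, 16}                       # u32 length + bytes follow
BLOCK_END = {"header", "parameter", "print", "uri_append"}  # terminal statement of a data block

# The two blobs exactly as printed in the extracted config above.
HTTP_HEADER1 = ("AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==")
HTTP_HEADER2 = ("AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==")


def parse_transform(blob_b64: str) -> list:
    """Return the transform program as a list of (opcode_name, *args) tuples."""
    clean = blob_b64.strip().rstrip("=")
    raw = base64.b64decode(clean + "=" * (-len(clean) % 4))
    pos = 0
    steps = []

    def u32() -> int:
        nonlocal pos
        (value,) = struct.unpack_from(">I", raw, pos)
        pos += 4
        return value

    def string() -> str:
        nonlocal pos
        length = u32()
        text = raw[pos:pos + length].decode("latin-1")
        pos += length
        return text

    while pos + 4 <= len(raw):
        op = u32()
        if op == 0:                      # terminator; the rest of the option is zero padding
            break
        name = TRANSFORM_OPS.get(op, f"op{op}")
        if op in STRING_OPS:
            steps.append((name, string()))
        elif op == 7:                    # build N: 0 = metadata (GET) / id (POST), 1 = output (POST)
            steps.append((name, u32()))
        elif op == 14:                   # strrep "old" "new"
            steps.append((name, string(), string()))
        else:
            steps.append((name,))
    return steps


def render_client(steps: list, post: bool = False) -> list:
    """Render parsed steps as the lines of a malleable C2 'client { }' block."""
    lines, block = [], None
    for step in steps:
        op = step[0]
        args = "".join(f' "{a}"' for a in step[1:])
        if op == "_header":              # stored as "Name: value"
            name, _, value = step[1].partition(": ")
            lines.append(f'header "{name}" "{value}";')
        elif op == "_parameter":         # stored as "name=value"
            name, _, value = step[1].partition("=")
            lines.append(f'parameter "{name}" "{value}";')
        elif op == "build":
            kind = {0: "id", 1: "output"}.get(step[1]) if post else "metadata"
            block = [f"{kind or 'build' + str(step[1])} {{"]
        elif block is not None:
            block.append(f"    {op}{args};")
            if op in BLOCK_END:          # terminal statement closes the block
                block.append("}")
                lines.extend(block)
                block = None
        else:
            lines.append(f"{op}{args};")
    return lines


if __name__ == "__main__":
    print("http-get client {")
    print("\n".join("    " + l for l in render_client(parse_transform(HTTP_HEADER1))))
    print("}\nhttp-post client {")
    print("\n".join("    " + l for l in render_client(parse_transform(HTTP_HEADER2), post=True)))
    print("}")
```

The same decoder applies to any Beacon config dumped in this form; only the two embedded blobs are specific to this sample.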
Signatures
-
Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
resource  yara_rule
behavioral2/files/0x000c000000023b23-4.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023b81-9.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023b80-11.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023b83-29.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023b82-21.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023b84-31.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023b85-38.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023b87-49.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023b89-65.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023b88-63.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023b86-52.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023b8a-74.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023b8b-80.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023b8d-92.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023b8c-93.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023b8f-106.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023b91-115.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023b90-112.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023b8e-101.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023b92-141.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023b93-142.dat  cobalt_reflective_dll
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Cobaltstrike family
-
Xmrig family
-
XMRig Miner payload 45 IoCs
resource  yara_rule
behavioral2/memory/4516-60-0x00007FF7219E0000-0x00007FF721D31000-memory.dmp  xmrig
behavioral2/memory/372-66-0x00007FF6F5060000-0x00007FF6F53B1000-memory.dmp  xmrig
behavioral2/memory/4524-70-0x00007FF66A930000-0x00007FF66AC81000-memory.dmp  xmrig
behavioral2/memory/2820-86-0x00007FF6E3DC0000-0x00007FF6E4111000-memory.dmp  xmrig
behavioral2/memory/4316-95-0x00007FF67B6D0000-0x00007FF67BA21000-memory.dmp  xmrig
behavioral2/memory/2964-113-0x00007FF78B600000-0x00007FF78B951000-memory.dmp  xmrig
behavioral2/memory/4820-116-0x00007FF74A220000-0x00007FF74A571000-memory.dmp  xmrig
behavioral2/memory/4992-118-0x00007FF6C6D20000-0x00007FF6C7071000-memory.dmp  xmrig
behavioral2/memory/2184-119-0x00007FF7DD820000-0x00007FF7DDB71000-memory.dmp  xmrig
behavioral2/memory/512-114-0x00007FF62BD10000-0x00007FF62C061000-memory.dmp  xmrig
behavioral2/memory/2204-89-0x00007FF6E7CD0000-0x00007FF6E8021000-memory.dmp  xmrig
behavioral2/memory/2780-88-0x00007FF737950000-0x00007FF737CA1000-memory.dmp  xmrig
behavioral2/memory/4612-82-0x00007FF68DD50000-0x00007FF68E0A1000-memory.dmp  xmrig
behavioral2/memory/972-133-0x00007FF6A1AB0000-0x00007FF6A1E01000-memory.dmp  xmrig
behavioral2/memory/4744-136-0x00007FF6C8130000-0x00007FF6C8481000-memory.dmp  xmrig
behavioral2/memory/1604-135-0x00007FF7655F0000-0x00007FF765941000-memory.dmp  xmrig
behavioral2/memory/2364-134-0x00007FF74A320000-0x00007FF74A671000-memory.dmp  xmrig
behavioral2/memory/3732-148-0x00007FF635B10000-0x00007FF635E61000-memory.dmp  xmrig
behavioral2/memory/2820-149-0x00007FF6E3DC0000-0x00007FF6E4111000-memory.dmp  xmrig
behavioral2/memory/2708-156-0x00007FF78B5D0000-0x00007FF78B921000-memory.dmp  xmrig
behavioral2/memory/5112-157-0x00007FF7F4BC0000-0x00007FF7F4F11000-memory.dmp  xmrig
behavioral2/memory/4516-158-0x00007FF7219E0000-0x00007FF721D31000-memory.dmp  xmrig
behavioral2/memory/3372-162-0x00007FF639440000-0x00007FF639791000-memory.dmp  xmrig
behavioral2/memory/4496-173-0x00007FF611980000-0x00007FF611CD1000-memory.dmp  xmrig
behavioral2/memory/372-209-0x00007FF6F5060000-0x00007FF6F53B1000-memory.dmp  xmrig
behavioral2/memory/4524-211-0x00007FF66A930000-0x00007FF66AC81000-memory.dmp  xmrig
behavioral2/memory/4612-221-0x00007FF68DD50000-0x00007FF68E0A1000-memory.dmp  xmrig
behavioral2/memory/2780-223-0x00007FF737950000-0x00007FF737CA1000-memory.dmp  xmrig
behavioral2/memory/2964-227-0x00007FF78B600000-0x00007FF78B951000-memory.dmp  xmrig
behavioral2/memory/2204-226-0x00007FF6E7CD0000-0x00007FF6E8021000-memory.dmp  xmrig
behavioral2/memory/972-231-0x00007FF6A1AB0000-0x00007FF6A1E01000-memory.dmp  xmrig
behavioral2/memory/2184-234-0x00007FF7DD820000-0x00007FF7DDB71000-memory.dmp  xmrig
behavioral2/memory/1604-235-0x00007FF7655F0000-0x00007FF765941000-memory.dmp  xmrig
behavioral2/memory/2364-230-0x00007FF74A320000-0x00007FF74A671000-memory.dmp  xmrig
behavioral2/memory/4744-239-0x00007FF6C8130000-0x00007FF6C8481000-memory.dmp  xmrig
behavioral2/memory/3732-246-0x00007FF635B10000-0x00007FF635E61000-memory.dmp  xmrig
behavioral2/memory/2820-248-0x00007FF6E3DC0000-0x00007FF6E4111000-memory.dmp  xmrig
behavioral2/memory/4316-253-0x00007FF67B6D0000-0x00007FF67BA21000-memory.dmp  xmrig
behavioral2/memory/512-255-0x00007FF62BD10000-0x00007FF62C061000-memory.dmp  xmrig
behavioral2/memory/4992-257-0x00007FF6C6D20000-0x00007FF6C7071000-memory.dmp  xmrig
behavioral2/memory/4820-259-0x00007FF74A220000-0x00007FF74A571000-memory.dmp  xmrig
behavioral2/memory/5112-261-0x00007FF7F4BC0000-0x00007FF7F4F11000-memory.dmp  xmrig
behavioral2/memory/2708-263-0x00007FF78B5D0000-0x00007FF78B921000-memory.dmp  xmrig
behavioral2/memory/3372-268-0x00007FF639440000-0x00007FF639791000-memory.dmp  xmrig
behavioral2/memory/4496-270-0x00007FF611980000-0x00007FF611CD1000-memory.dmp  xmrig
-
Executes dropped EXE 21 IoCs
pid  Process
372  mRQLVRU.exe
4524  vGlFjMQ.exe
4612  GkLwGdC.exe
2780  DgxhDJt.exe
2964  wMdeBKq.exe
2204  GPBDtXJ.exe
2184  iRrUCrO.exe
972  DQhLWsb.exe
2364  HRCpIfY.exe
1604  LjQiQzM.exe
4744  VnwJAtc.exe
3732  QysedPq.exe
2820  LYZnAmh.exe
4316  NOkWqTW.exe
512  fHwxncM.exe
4992  KCQiTsV.exe
4820  MKhgWEn.exe
2708  cVfOTwD.exe
5112  zZrmOKH.exe
3372  QdNftHv.exe
4496  ndrHcns.exe
-
UPX packed file (yara rule upx) 64 IoCs
resource  yara_rule
behavioral2/memory/4516-0-0x00007FF7219E0000-0x00007FF721D31000-memory.dmp  upx
behavioral2/files/0x000c000000023b23-4.dat  upx
behavioral2/files/0x000a000000023b81-9.dat  upx
behavioral2/memory/372-7-0x00007FF6F5060000-0x00007FF6F53B1000-memory.dmp  upx
behavioral2/files/0x000a000000023b80-11.dat  upx
behavioral2/memory/4524-12-0x00007FF66A930000-0x00007FF66AC81000-memory.dmp  upx
behavioral2/memory/4612-20-0x00007FF68DD50000-0x00007FF68E0A1000-memory.dmp  upx
behavioral2/files/0x000a000000023b83-29.dat  upx
behavioral2/memory/2780-26-0x00007FF737950000-0x00007FF737CA1000-memory.dmp  upx
behavioral2/files/0x000a000000023b82-21.dat  upx
behavioral2/files/0x000a000000023b84-31.dat  upx
behavioral2/memory/2964-35-0x00007FF78B600000-0x00007FF78B951000-memory.dmp  upx
behavioral2/files/0x000a000000023b85-38.dat  upx
behavioral2/files/0x000a000000023b87-49.dat  upx
behavioral2/memory/2364-51-0x00007FF74A320000-0x00007FF74A671000-memory.dmp  upx
behavioral2/memory/4516-60-0x00007FF7219E0000-0x00007FF721D31000-memory.dmp  upx
behavioral2/files/0x000a000000023b89-65.dat  upx
behavioral2/memory/4744-67-0x00007FF6C8130000-0x00007FF6C8481000-memory.dmp  upx
behavioral2/memory/372-66-0x00007FF6F5060000-0x00007FF6F53B1000-memory.dmp  upx
behavioral2/files/0x000a000000023b88-63.dat  upx
behavioral2/memory/1604-62-0x00007FF7655F0000-0x00007FF765941000-memory.dmp  upx
behavioral2/files/0x000a000000023b86-52.dat  upx
behavioral2/memory/972-50-0x00007FF6A1AB0000-0x00007FF6A1E01000-memory.dmp  upx
behavioral2/memory/2184-44-0x00007FF7DD820000-0x00007FF7DDB71000-memory.dmp  upx
behavioral2/memory/2204-43-0x00007FF6E7CD0000-0x00007FF6E8021000-memory.dmp  upx
behavioral2/memory/4524-70-0x00007FF66A930000-0x00007FF66AC81000-memory.dmp  upx
behavioral2/files/0x000a000000023b8a-74.dat  upx
behavioral2/memory/3732-75-0x00007FF635B10000-0x00007FF635E61000-memory.dmp  upx
behavioral2/files/0x000a000000023b8b-80.dat  upx
behavioral2/memory/2820-86-0x00007FF6E3DC0000-0x00007FF6E4111000-memory.dmp  upx
behavioral2/files/0x000a000000023b8d-92.dat  upx
behavioral2/files/0x000a000000023b8c-93.dat  upx
behavioral2/memory/4316-95-0x00007FF67B6D0000-0x00007FF67BA21000-memory.dmp  upx
behavioral2/files/0x000a000000023b8f-106.dat  upx
behavioral2/memory/2964-113-0x00007FF78B600000-0x00007FF78B951000-memory.dmp  upx
behavioral2/memory/4820-116-0x00007FF74A220000-0x00007FF74A571000-memory.dmp  upx
behavioral2/memory/4992-118-0x00007FF6C6D20000-0x00007FF6C7071000-memory.dmp  upx
behavioral2/memory/5112-120-0x00007FF7F4BC0000-0x00007FF7F4F11000-memory.dmp  upx
behavioral2/memory/2184-119-0x00007FF7DD820000-0x00007FF7DDB71000-memory.dmp  upx
behavioral2/memory/2708-117-0x00007FF78B5D0000-0x00007FF78B921000-memory.dmp  upx
behavioral2/files/0x000a000000023b91-115.dat  upx
behavioral2/memory/512-114-0x00007FF62BD10000-0x00007FF62C061000-memory.dmp  upx
behavioral2/files/0x000a000000023b90-112.dat  upx
behavioral2/files/0x000a000000023b8e-101.dat  upx
behavioral2/memory/2204-89-0x00007FF6E7CD0000-0x00007FF6E8021000-memory.dmp  upx
behavioral2/memory/2780-88-0x00007FF737950000-0x00007FF737CA1000-memory.dmp  upx
behavioral2/memory/4612-82-0x00007FF68DD50000-0x00007FF68E0A1000-memory.dmp  upx
behavioral2/memory/972-133-0x00007FF6A1AB0000-0x00007FF6A1E01000-memory.dmp  upx
behavioral2/memory/4744-136-0x00007FF6C8130000-0x00007FF6C8481000-memory.dmp  upx
behavioral2/files/0x000a000000023b92-141.dat  upx
behavioral2/files/0x000a000000023b93-142.dat  upx
behavioral2/memory/4496-147-0x00007FF611980000-0x00007FF611CD1000-memory.dmp  upx
behavioral2/memory/3372-144-0x00007FF639440000-0x00007FF639791000-memory.dmp  upx
behavioral2/memory/1604-135-0x00007FF7655F0000-0x00007FF765941000-memory.dmp  upx
behavioral2/memory/2364-134-0x00007FF74A320000-0x00007FF74A671000-memory.dmp  upx
behavioral2/memory/3732-148-0x00007FF635B10000-0x00007FF635E61000-memory.dmp  upx
behavioral2/memory/2820-149-0x00007FF6E3DC0000-0x00007FF6E4111000-memory.dmp  upx
behavioral2/memory/2708-156-0x00007FF78B5D0000-0x00007FF78B921000-memory.dmp  upx
behavioral2/memory/5112-157-0x00007FF7F4BC0000-0x00007FF7F4F11000-memory.dmp  upx
behavioral2/memory/4516-158-0x00007FF7219E0000-0x00007FF721D31000-memory.dmp  upx
behavioral2/memory/3372-162-0x00007FF639440000-0x00007FF639791000-memory.dmp  upx
behavioral2/memory/4496-173-0x00007FF611980000-0x00007FF611CD1000-memory.dmp  upx
behavioral2/memory/372-209-0x00007FF6F5060000-0x00007FF6F53B1000-memory.dmp  upx
behavioral2/memory/4524-211-0x00007FF66A930000-0x00007FF66AC81000-memory.dmp  upx
-
Drops file in Windows directory 21 IoCs
description  ioc  Process
Process (all rows): 2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\NOkWqTW.exe
File created  C:\Windows\System\MKhgWEn.exe
File created  C:\Windows\System\mRQLVRU.exe
File created  C:\Windows\System\wMdeBKq.exe
File created  C:\Windows\System\GPBDtXJ.exe
File created  C:\Windows\System\HRCpIfY.exe
File created  C:\Windows\System\KCQiTsV.exe
File created  C:\Windows\System\zZrmOKH.exe
File created  C:\Windows\System\QdNftHv.exe
File created  C:\Windows\System\vGlFjMQ.exe
File created  C:\Windows\System\GkLwGdC.exe
File created  C:\Windows\System\DQhLWsb.exe
File created  C:\Windows\System\LjQiQzM.exe
File created  C:\Windows\System\VnwJAtc.exe
File created  C:\Windows\System\QysedPq.exe
File created  C:\Windows\System\DgxhDJt.exe
File created  C:\Windows\System\iRrUCrO.exe
File created  C:\Windows\System\LYZnAmh.exe
File created  C:\Windows\System\fHwxncM.exe
File created  C:\Windows\System\cVfOTwD.exe
File created  C:\Windows\System\ndrHcns.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description  pid  Process
Token: SeLockMemoryPrivilege  4516  2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege  4516  2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe
-
Suspicious use of WriteProcessMemory 42 IoCs
description  pid  Process  procid_target
Process (all rows): 2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe, pid 4516
PID 4516 wrote to memory of 372  procid_target 85
PID 4516 wrote to memory of 372  procid_target 85
PID 4516 wrote to memory of 4524  procid_target 86
PID 4516 wrote to memory of 4524  procid_target 86
PID 4516 wrote to memory of 4612  procid_target 87
PID 4516 wrote to memory of 4612  procid_target 87
PID 4516 wrote to memory of 2780  procid_target 88
PID 4516 wrote to memory of 2780  procid_target 88
PID 4516 wrote to memory of 2964  procid_target 89
PID 4516 wrote to memory of 2964  procid_target 89
PID 4516 wrote to memory of 2204  procid_target 90
PID 4516 wrote to memory of 2204  procid_target 90
PID 4516 wrote to memory of 2184  procid_target 91
PID 4516 wrote to memory of 2184  procid_target 91
PID 4516 wrote to memory of 972  procid_target 92
PID 4516 wrote to memory of 972  procid_target 92
PID 4516 wrote to memory of 2364  procid_target 93
PID 4516 wrote to memory of 2364  procid_target 93
PID 4516 wrote to memory of 1604  procid_target 94
PID 4516 wrote to memory of 1604  procid_target 94
PID 4516 wrote to memory of 4744  procid_target 95
PID 4516 wrote to memory of 4744  procid_target 95
PID 4516 wrote to memory of 3732  procid_target 96
PID 4516 wrote to memory of 3732  procid_target 96
PID 4516 wrote to memory of 2820  procid_target 97
PID 4516 wrote to memory of 2820  procid_target 97
PID 4516 wrote to memory of 4316  procid_target 98
PID 4516 wrote to memory of 4316  procid_target 98
PID 4516 wrote to memory of 512  procid_target 99
PID 4516 wrote to memory of 512  procid_target 99
PID 4516 wrote to memory of 4992  procid_target 100
PID 4516 wrote to memory of 4992  procid_target 100
PID 4516 wrote to memory of 4820  procid_target 101
PID 4516 wrote to memory of 4820  procid_target 101
PID 4516 wrote to memory of 2708  procid_target 102
PID 4516 wrote to memory of 2708  procid_target 102
PID 4516 wrote to memory of 5112  procid_target 103
PID 4516 wrote to memory of 5112  procid_target 103
PID 4516 wrote to memory of 3372  procid_target 108
PID 4516 wrote to memory of 3372  procid_target 108
PID 4516 wrote to memory of 4496  procid_target 109
PID 4516 wrote to memory of 4496  procid_target 109
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe  (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4516
  -
  C:\Windows\System\mRQLVRU.exe  (depth 2, child of PID 4516)
    command line: C:\Windows\System\mRQLVRU.exe
    - Executes dropped EXE
    PID:372
  -
  C:\Windows\System\vGlFjMQ.exe  (depth 2, child of PID 4516)
    command line: C:\Windows\System\vGlFjMQ.exe
    - Executes dropped EXE
    PID:4524
  -
  C:\Windows\System\GkLwGdC.exe  (depth 2, child of PID 4516)
    command line: C:\Windows\System\GkLwGdC.exe
    - Executes dropped EXE
    PID:4612
  -
  C:\Windows\System\DgxhDJt.exe  (depth 2, child of PID 4516)
    command line: C:\Windows\System\DgxhDJt.exe
    - Executes dropped EXE
    PID:2780
  -
  C:\Windows\System\wMdeBKq.exe  (depth 2, child of PID 4516)
    command line: C:\Windows\System\wMdeBKq.exe
    - Executes dropped EXE
    PID:2964
  -
  C:\Windows\System\GPBDtXJ.exe  (depth 2, child of PID 4516)
    command line: C:\Windows\System\GPBDtXJ.exe
    - Executes dropped EXE
    PID:2204
  -
  C:\Windows\System\iRrUCrO.exe  (depth 2, child of PID 4516)
    command line: C:\Windows\System\iRrUCrO.exe
    - Executes dropped EXE
    PID:2184
  -
  C:\Windows\System\DQhLWsb.exe  (depth 2, child of PID 4516)
    command line: C:\Windows\System\DQhLWsb.exe
    - Executes dropped EXE
    PID:972
  -
  C:\Windows\System\HRCpIfY.exe  (depth 2, child of PID 4516)
    command line: C:\Windows\System\HRCpIfY.exe
    - Executes dropped EXE
    PID:2364
  -
  C:\Windows\System\LjQiQzM.exe  (depth 2, child of PID 4516)
    command line: C:\Windows\System\LjQiQzM.exe
    - Executes dropped EXE
    PID:1604
  -
  C:\Windows\System\VnwJAtc.exe  (depth 2, child of PID 4516)
    command line: C:\Windows\System\VnwJAtc.exe
    - Executes dropped EXE
    PID:4744
  -
  C:\Windows\System\QysedPq.exe  (depth 2, child of PID 4516)
    command line: C:\Windows\System\QysedPq.exe
    - Executes dropped EXE
    PID:3732
  -
  C:\Windows\System\LYZnAmh.exe  (depth 2, child of PID 4516)
    command line: C:\Windows\System\LYZnAmh.exe
    - Executes dropped EXE
    PID:2820
  -
  C:\Windows\System\NOkWqTW.exe  (depth 2, child of PID 4516)
    command line: C:\Windows\System\NOkWqTW.exe
    - Executes dropped EXE
    PID:4316
  -
  C:\Windows\System\fHwxncM.exe  (depth 2, child of PID 4516)
    command line: C:\Windows\System\fHwxncM.exe
    - Executes dropped EXE
    PID:512
  -
  C:\Windows\System\KCQiTsV.exe  (depth 2, child of PID 4516)
    command line: C:\Windows\System\KCQiTsV.exe
    - Executes dropped EXE
    PID:4992
  -
  C:\Windows\System\MKhgWEn.exe  (depth 2, child of PID 4516)
    command line: C:\Windows\System\MKhgWEn.exe
    - Executes dropped EXE
    PID:4820
  -
  C:\Windows\System\cVfOTwD.exe  (depth 2, child of PID 4516)
    command line: C:\Windows\System\cVfOTwD.exe
    - Executes dropped EXE
    PID:2708
  -
  C:\Windows\System\zZrmOKH.exe  (depth 2, child of PID 4516)
    command line: C:\Windows\System\zZrmOKH.exe
    - Executes dropped EXE
    PID:5112
  -
  C:\Windows\System\QdNftHv.exe  (depth 2, child of PID 4516)
    command line: C:\Windows\System\QdNftHv.exe
    - Executes dropped EXE
    PID:3372
  -
  C:\Windows\System\ndrHcns.exe  (depth 2, child of PID 4516)
    command line: C:\Windows\System\ndrHcns.exe
    - Executes dropped EXE
    PID:4496
-
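The signatures and process tree above describe one parent (PID 4516) writing 21 executables into C:\Windows\System\ and launching each one as a direct child, while the parent enables SeLockMemoryPrivilege and every child is a UPX-packed XMRig payload. C:\Windows\System\ is the legacy 16-bit directory and is normally empty on a modern Windows install, so an EXE created there and then executed by its creator is a strong signal on its own; XMRig requests SeLockMemoryPrivilege to back its scratchpad with large pages, which makes the privilege a useful co-signal. The Python below is an added detection example, not part of the report or of any vendor rule set; it runs over constructed events in a simplified, hypothetical Sysmon-like schema (the field names are assumptions made for this example) and flags the drop-then-execute chain together with the privilege co-signal.

```python
"""Correlate drop-into-C:\\Windows\\System\\, execute-as-child and
SeLockMemoryPrivilege over simplified endpoint events (added example)."""
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe"

# Constructed events in a hypothetical Sysmon-like shape (not a real log
# format). The first five mirror the report's PID 4516 dropping and launching
# two of its payloads; the rest are benign or near-miss controls.
EVENTS = [
    {"type": "file_create", "pid": 4516, "image": SAMPLE, "target": r"C:\Windows\System\mRQLVRU.exe"},
    {"type": "process_create", "pid": 372, "ppid": 4516, "image": r"C:\Windows\System\mRQLVRU.exe"},
    {"type": "file_create", "pid": 4516, "image": SAMPLE, "target": r"C:\Windows\System\vGlFjMQ.exe"},
    {"type": "process_create", "pid": 4524, "ppid": 4516, "image": r"C:\Windows\System\vGlFjMQ.exe"},
    {"type": "privilege_adjust", "pid": 4516, "image": SAMPLE, "privilege": "SeLockMemoryPrivilege"},
    # Control 1: System32 is not the legacy System directory, so no hit.
    {"type": "file_create", "pid": 900, "image": r"C:\Windows\System32\svchost.exe", "target": r"C:\Windows\System32\updater.exe"},
    {"type": "process_create", "pid": 901, "ppid": 900, "image": r"C:\Windows\System32\updater.exe"},
    # Control 2: dropped into the watched directory but launched by a different parent, so no hit.
    {"type": "file_create", "pid": 4516, "image": SAMPLE, "target": r"C:\Windows\System\ndrHcns.exe"},
    {"type": "process_create", "pid": 4496, "ppid": 1000, "image": r"C:\Windows\System\ndrHcns.exe"},
]

DROP_DIR = "c:\\windows\\system\\"   # legacy 16-bit directory, normally empty on modern Windows


def drop_and_exec(events, drop_dir=DROP_DIR):
    """(creator_pid, child_pid, image) for every EXE written under drop_dir and
    then executed as a direct child of the process that wrote it."""
    creator = {}
    hits = []
    for ev in events:
        if ev["type"] == "file_create":
            path = ev["target"].lower()
            if path.startswith(drop_dir) and path.endswith(".exe"):
                creator[path] = ev["pid"]
        elif ev["type"] == "process_create":
            if creator.get(ev["image"].lower()) == ev["ppid"]:
                hits.append((ev["ppid"], ev["pid"], ev["image"]))
    return hits


def lock_memory_requesters(events):
    """Sorted PIDs that enabled SeLockMemoryPrivilege on their token."""
    return sorted({ev["pid"] for ev in events
                   if ev["type"] == "privilege_adjust"
                   and ev["privilege"] == "SeLockMemoryPrivilege"})


def score(events, min_drops=3):
    """Per parent PID: distinct images dropped-and-run from the watched directory
    plus the privilege co-signal. Report a parent when it reaches min_drops
    (the sample reached 21) or when it also requested the privilege."""
    per_parent = defaultdict(set)
    for ppid, _, image in drop_and_exec(events):
        per_parent[ppid].add(image.lower())
    lockers = set(lock_memory_requesters(events))
    return {ppid: {"dropped_and_run": len(images), "lock_memory": ppid in lockers}
            for ppid, images in per_parent.items()
            if len(images) >= min_drops or ppid in lockers}


if __name__ == "__main__":
    for ppid, child, image in drop_and_exec(EVENTS):
        print(f"parent {ppid} dropped and launched {image} as pid {child}")
    print("verdict:", score(EVENTS))
```

On real telemetry the same two functions apply to Sysmon event ID 11 (file create), 1 (process create) and a token-privilege source such as Security event 4703; only the field mapping changes.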
Network
MITRE ATT&CK Matrix
Downloads
21 files, all 5.2MB and each with a different hash; the report does not map them to the dropped file names listed above.
-
Filesize 5.2MB
MD5 cf441bfa7e65c48abdc919b69694f922
SHA1 ad5874b4a5881ecefdada7f0fd18e4024f6ef765
SHA256 d92152641b93e00afbbe8c37c2e0069b1aece73a3b7789eff664bc7700d2ecd4
SHA512 e93c4678e183fb37dabaa308957ac1ba8eeb7d524e40088f7361a64c8f3d23a1188bd46713b52e9a68f7f5c553c8ab73a0ec698f7fa646035732d130479a708d
-
Filesize 5.2MB
MD5 e7ab49e273cc6abfec5ba44e0657b222
SHA1 7c87fe9a470d0cff16d2678e9b6ba2a2fa788283
SHA256 24af2bf4e2f2d01a4df9f45684785e190379ea157e2662fea346967d875ed835
SHA512 f1af31fc5849664683f4c564d6fbdd03ed8378a70634288924c7882fb2117e4756960afab2042fe8bca5e7e9aea4f544947b87a69dfb630db582e3ab7325af0d
-
Filesize 5.2MB
MD5 5bd69306bfe3a3bb3dd7b1946bb97557
SHA1 1de90c05b54a18757e054ebae9dca2034ade5d20
SHA256 ebbba21aa8ada1b3b226cd1e0a2060152b6042ae1491766b202a794844210091
SHA512 5e255ba9cd0559ef5ce1532c96d298681cc3f9fd5ee1b73b61f3ac25448dc9bf3df43dee1699398b3c3a8cf6fa5780fb1ad35c29adfc55646ac1b4c68393efe8
-
Filesize 5.2MB
MD5 0fbeb471a644231f4410d7d29fade268
SHA1 afbead12b0fe5b8167640cf1c8623a2a62e8ab57
SHA256 a37303f66b38b3e1291767ca42f8cb5afa9e3a804b3c8dc69c9b22d47210a761
SHA512 65393efa2b57848f4de1f04504873d989955ab5e44fb813fdc2bf5057f4927294eebcfcb607af49fd2b692ac3160f665318fd7f6c7982a5a83ff615cf2c5978c
-
Filesize 5.2MB
MD5 84200ff8311afd0d50c67a30e139911a
SHA1 c05cc42b768356e0a2c0615329b0824c103df9c0
SHA256 56d2a047bc0f123e1b006042958dea1b681ef744c42bee2fbf4098193f4405dc
SHA512 27306e01381f89b8cfad5863a815edee7fe7de3570c66568947791d0c274866ae9f5b4b67442ccadd755087681ec88835f107034279133b55115a641545d7dc4
-
Filesize 5.2MB
MD5 1eaeb46198548a7b0ac38f28bc432f98
SHA1 d56a60055b82fafbd061cfcbfb8fd5c5304df8c8
SHA256 3b2b674d1f08387582d88b5a73b10d996a7ad511ab4eae2d975e877e01dd7edd
SHA512 77e5f11d0160855e61fc7a9037035c2c20309edc118a8c1f213e8de99f484c28873def1c47900743064025ef77573e5e30fdd8f8fdb7a2042fbcb20024999dc3
-
Filesize 5.2MB
MD5 04aa99884df19bc2a35ef0303678996f
SHA1 08e4f84b64886d110596e884000af0ae3dd23494
SHA256 9f0a0fd1972997f1cea5e31518a8a67fe168d0d98ae864c8b4e1d9c4db00069a
SHA512 aa663002b0808b99f488fc86db7f40fd12f7e0b8a13d7f59dd533b12ac5e2ab129c397d605b330eb7acd0bd5f232c51507be09304cbb35b0f3074d2b1f3164aa
-
Filesize 5.2MB
MD5 28c2a268709f39979e61fa35b569b919
SHA1 df03f63deb6c1ba0d1dc9f6ead12fcb1030d0356
SHA256 db3904f18d71ba50820db0cccd4cc274637fb53d5455f336cb9beddcf8627ca8
SHA512 48099b94dac5d219bc4e8d58ad705d37d54240e100715d0e114b008501fdc237c9302e8e1a926f21c00a8bbd21e6b11051d0abc5cd053d3a211887b52f91ceb5
-
Filesize 5.2MB
MD5 da3d556930b03ea63f54d1e77f313345
SHA1 bd77a2e54d1044ae1302c29d676698eb1b40ec26
SHA256 318e48ed9e7305c55ebd954e283e073392e61b3b4e7a5db3c74d492d16293923
SHA512 09fe4903913a16f56a44abd2adecfb3418aa24177b1b8f0b6b5268d522a1fb22c8f39f70b8a0a04f887553ee46f247fcac94aabbe2d804ec7f323f56fd3c20e3
-
Filesize 5.2MB
MD5 84951bceaaf1a164418d439bfe8dea24
SHA1 0ba5a3f1a613267d9dc52a1788ae6066e27cd073
SHA256 4fbcbcbd36a28bbdb3f9f7e28ec58e3197804259638946690cf6b9f42b73210f
SHA512 e2573decc80e3b68b44df1dd3ded48221ec6f4a193be649a8b38abd7c5c28bf5527e57478da1c26f190fc5a1b05c9f7248352d68a6cd5fb347f2762ee5a5781e
-
Filesize 5.2MB
MD5 0e0fe668542a1061d86b2dd76e73d6f1
SHA1 e32a8003022eb8cffa3eade5d370773be5f42f2e
SHA256 c87fcda703358ba8aba9491f78c10e582154a4b5a4bad5c9d3c731e518f5da43
SHA512 a987a530985e57dc489afb4c7ef66c9ee7c81b3e7dd96b1a21ba6066bbbbcfe5fcc143827b9e06d4ef360aa367c1e0133cf2f9e8d5669c65929f2769745a2c02
-
Filesize 5.2MB
MD5 f0452a0a7130ef39a2095cbb0494b57f
SHA1 d1cc189f678a795fc3d4a324bf0ac967ca77f313
SHA256 eaa6ed4b56dc6285f413a27835b8b3bbf7a45bee29f7c9432b6acb75dab3df3b
SHA512 c07dbe7c95c3a41ed4bebcf57034a174c8f8e171f73290500abb94e506a2614637df7036fbad8fbbe80e4c77173e1b35cebda77404b77564f4f41ef6ca474faf
-
Filesize 5.2MB
MD5 e5c90b80ac23cd41376519717edf380a
SHA1 b409fb49d2cf05bd2f4206bb30fd260568f2ec68
SHA256 6f9a455a7a91f3fe33f6659418f220a1533f564eb83f300f5be44c2aefefdca6
SHA512 594c95cc93102c4f3a00f7ae1eed0c9107ee9d27f5287df1457e8ddcfe7aebcb3633866dfb7bac8ec98923fffe787823a570eecf81b55571a97be37002dbdca7
-
Filesize 5.2MB
MD5 222f22dea2210524fb9beab7a35f83f0
SHA1 9d148d8b5f651dfb0480ed749870931a45ccb5e9
SHA256 732af093dc0be8eea3b1d8294739de4416988f59b30027ecfdad5240e02e075b
SHA512 20efc86e4e58d88b5ca5eae0ab5775cc18cab8de8ed26d800bac494bc80a105008ee7fe05a05b5b55e7b0f1bc74936afece9fd830c4672a3eb73d08121c17490
-
Filesize 5.2MB
MD5 aa7ea32bb0ffeb0c891eb76e3f5822da
SHA1 f58f65830c9cd91d137313cf642a67bd0140323f
SHA256 971983d40235071bdfeb193040e9c1c681f97ccad1bc730c4c8543b290e823ce
SHA512 8f43d0a06274080ff3cc3f51c93ff2cfdda50cca3e6e20e09ad998992a8d098a5e20aeedbeea9896a3e6efe8d41d5887e7a94470643f86cdf76255cc3444b51b
-
Filesize 5.2MB
MD5 4ce1915625b6b9ca3e07c1373bbf3cd7
SHA1 393982f93d4fcd8a3ec19c1f0273e19120b95c08
SHA256 7b065bb2eea17c40a5d9a1c85ca3f7dfec037296f8a896a358e621761f1c1a9f
SHA512 9030b64ff1e4bd40f6366cb334682cd759e6e13034511a75f15b9480c32d46cdc97846a8c3b6672229b54fdb456a20ff0c949a076e2a578766a0aefbd23ea0e3
-
Filesize 5.2MB
MD5 41ec2fc56131d536fb6389562c289205
SHA1 f0fb645c218089b483d2051e365b035e3bd836f3
SHA256 a56518c1a7bed7091dde2a35111aa668e71d8f91117ddc259e669b035a8c2acd
SHA512 50e3c459acde9acf9472c52374ba4210ea774d37f4a80d98db2b02f8e3b210d3c1344fc9df8c7cae13d283b968d7ba44dbc3025b5cfa6b1fc2d266dcdf8f40e6
-
Filesize 5.2MB
MD5 cc366d2d8d4077fff8e6b550dd1bce99
SHA1 3772aa184281ec10fb1510688b19e05bd82d73b5
SHA256 940c0aaca5802dcf9e402b97ea02d823c406f434d92963236c3b47d6a8999817
SHA512 f3d36acd66084b12946f1074e706404d2f330ff2c910d34c5d08975534f95c5659691cbba2dc1989801a08be610a7b09e7540bd42d0597a5c24e02fe1b5c1c31
-
Filesize 5.2MB
MD5 49e4ea8d05e643feee9bba73735c958f
SHA1 ff7ed2156b905fb87a00b16e5ee66f3ea476de55
SHA256 9e59ce1675204e88c2479a73357ac92b4068470a4ad0695e1239d2ac8d3a5a42
SHA512 219d2f7b375d5593deb30b2f1d372e7ea8565d3d4024a3fc81e8e1e85a26ac8466ae7567f339468247fc267ad510267f290786cc4e462034ddb8e0a03828b98f
-
Filesize 5.2MB
MD5 3591026ef9fe2232a8cee7850b34f944
SHA1 1546702addf32c7a3107264902b272f0235c9579
SHA256 ff29eac87170eece6e7d2b654415f43704fa050ecf5004ac3d8ffd69c4ed4eb6
SHA512 0fa218b59771445a08be01345df7fc0d3ee46071f625b3657dea10d3ebfbccbf15973874acbf7c1c687ef761d4be738369d660a04a8831d073fe3aeddde39b72
-
Filesize 5.2MB
MD5 8207ad73776225da657854da82fed1df
SHA1 d7db7b1a2fbd171360162e062f2f56138b792bd0
SHA256 15f4f5f95494c7f93d222098a2214f2771c2cfcba641dd8e121e0f134622bef4
SHA512 61b66a547622a1c8437982a084da266889c6f160b02eee7fe9cb46ed4f95ed76a18de94e94868ff36f6b0957edf6e74b6613c2e74a88ef59cc1d81010a1735dc