Analysis
max time kernel: 143s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/10/2024, 04:34
Behavioral task: behavioral1
Sample: 2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe
Resource: win7-20241010-en
General
Target: 2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe
Size: 5.2MB
MD5: df2cd50a48bf0ed8b685da5e003b78cb
SHA1: a106a8e7b4c4d91e7fa7e3cb254c8a6246d14a04
SHA256: a46c616f9f113294a8bbe7db4c3d5102805abbab78d747a3a6752ce2a15006b6
SHA512: a59e3fdc418fc9656f92cacf4a966f8e4d3e8705dfdbf1d389829fa0611e9093d7982c46d8f96daa682a65c333fa2d550774086ee074045a364ae30d6e3b1504
SSDEEP: 49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6ld:RWWBibd56utgpPFotBER/mQ32lU5
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2:
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0

Signatures

Cobalt Strike reflective loader (21 IoCs)
Detects the reflective loader used by Cobalt Strike.
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.

Cobaltstrike family

Xmrig family

XMRig Miner payload (45 IoCs)
Executes dropped EXE (21 IoCs)
pid Process
4256 FCERGWZ.exe
704 uPPyebN.exe
928 gtxAIvM.exe
1184 mquPQIX.exe
1340 KXMYMgK.exe
1500 CKuHHgU.exe
2000 TAZVylb.exe
1004 WSCqWsH.exe
3196 bGQssQH.exe
1796 lYRZdRa.exe
3436 fwGhAPA.exe
5116 lEYykPZ.exe
4344 fOPiDzY.exe
828 hjPquFn.exe
1696 zRMvMXv.exe
5024 XkcILPv.exe
1744 SdVxgiL.exe
5048 YmKNfUq.exe
532 QqtTUTW.exe
3556 uQkshDF.exe
1440 dSUBEmy.exe
Drops file in Windows directory (21 IoCs)
Every file below was created by the process 2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe.
description ioc
File created C:\Windows\System\XkcILPv.exe
File created C:\Windows\System\SdVxgiL.exe
File created C:\Windows\System\QqtTUTW.exe
File created C:\Windows\System\KXMYMgK.exe
File created C:\Windows\System\CKuHHgU.exe
File created C:\Windows\System\lEYykPZ.exe
File created C:\Windows\System\mquPQIX.exe
File created C:\Windows\System\uQkshDF.exe
File created C:\Windows\System\hjPquFn.exe
File created C:\Windows\System\zRMvMXv.exe
File created C:\Windows\System\YmKNfUq.exe
File created C:\Windows\System\dSUBEmy.exe
File created C:\Windows\System\uPPyebN.exe
File created C:\Windows\System\WSCqWsH.exe
File created C:\Windows\System\fwGhAPA.exe
File created C:\Windows\System\bGQssQH.exe
File created C:\Windows\System\lYRZdRa.exe
File created C:\Windows\System\fOPiDzY.exe
File created C:\Windows\System\FCERGWZ.exe
File created C:\Windows\System\gtxAIvM.exe
File created C:\Windows\System\TAZVylb.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description pid Process
Token: SeLockMemoryPrivilege 5000 2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege 5000 2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe
Suspicious use of WriteProcessMemory (42 IoCs)
The writing process in every row is PID 5000, 2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe; each row appears twice in the original table, giving 42 entries.
description procid_target
PID 5000 wrote to memory of 4256 89
PID 5000 wrote to memory of 704 90
PID 5000 wrote to memory of 928 91
PID 5000 wrote to memory of 1184 92
PID 5000 wrote to memory of 1340 93
PID 5000 wrote to memory of 1500 94
PID 5000 wrote to memory of 2000 95
PID 5000 wrote to memory of 1004 96
PID 5000 wrote to memory of 3196 97
PID 5000 wrote to memory of 1796 98
PID 5000 wrote to memory of 3436 99
PID 5000 wrote to memory of 5116 100
PID 5000 wrote to memory of 4344 101
PID 5000 wrote to memory of 828 102
PID 5000 wrote to memory of 1696 103
PID 5000 wrote to memory of 5024 104
PID 5000 wrote to memory of 1744 105
PID 5000 wrote to memory of 5048 106
PID 5000 wrote to memory of 532 107
PID 5000 wrote to memory of 3556 108
PID 5000 wrote to memory of 1440 109
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe (PID 5000)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe"
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  Child processes (each launched with its own path as the command line; each matches Executes dropped EXE):
  - C:\Windows\System\FCERGWZ.exe (PID 4256)
  - C:\Windows\System\uPPyebN.exe (PID 704)
  - C:\Windows\System\gtxAIvM.exe (PID 928)
  - C:\Windows\System\mquPQIX.exe (PID 1184)
  - C:\Windows\System\KXMYMgK.exe (PID 1340)
  - C:\Windows\System\CKuHHgU.exe (PID 1500)
  - C:\Windows\System\TAZVylb.exe (PID 2000)
  - C:\Windows\System\WSCqWsH.exe (PID 1004)
  - C:\Windows\System\bGQssQH.exe (PID 3196)
  - C:\Windows\System\lYRZdRa.exe (PID 1796)
  - C:\Windows\System\fwGhAPA.exe (PID 3436)
  - C:\Windows\System\lEYykPZ.exe (PID 5116)
  - C:\Windows\System\fOPiDzY.exe (PID 4344)
  - C:\Windows\System\hjPquFn.exe (PID 828)
  - C:\Windows\System\zRMvMXv.exe (PID 1696)
  - C:\Windows\System\XkcILPv.exe (PID 5024)
  - C:\Windows\System\SdVxgiL.exe (PID 1744)
  - C:\Windows\System\YmKNfUq.exe (PID 5048)
  - C:\Windows\System\QqtTUTW.exe (PID 532)
  - C:\Windows\System\uQkshDF.exe (PID 3556)
  - C:\Windows\System\dSUBEmy.exe (PID 1440)
Downloads