Analysis
- max time kernel: 144s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/10/2024, 04:38
Behavioral task: behavioral1
Sample: 2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe
Resource: win7-20240903-en
General
- Target: 2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe
- Size: 5.2MB
- MD5: e596b4b937b540e38c5b747c14972cfe
- SHA1: cc99fd2e0b1c5c7508accd3324e0e8fd4430c054
- SHA256: cdb51c813437685db3fbd116ecd6522a14e57ca10dd958f748b4156fe51fbc64
- SHA512: c6d17ce8cb5f7e55465a31acdafda49b88d94d721c46ab4b334ab56cb052c387ae7ad59a2e3997a88eabc849c2e6acbe5b71ee7241170d6218357969df9b8ce4
- SSDEEP: 49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lc:RWWBibd56utgpPFotBER/mQ32lUA
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- access_type: 512
- beacon_type: 256
- create_remote_thread: 768
- crypto_scheme: 256
- host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http_header1: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_header2: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
- http_method1: GET
- http_method2: POST
- maxdns: 255
- pipe_name: \\%s\pipe\msagent_%x
- polling_time: 5000
- port_number: 443
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 4096
- unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /N4215/adj/amzn.us.sr.aps
- user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
- watermark: 0
Signatures
- Cobalt Strike reflective loader (21 IoCs)
Detects the reflective loader used by Cobalt Strike.
resource  yara_rule
behavioral2/files/0x000a000000023bac-5.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023c8a-10.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023c84-11.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023c8b-23.dat  cobalt_reflective_dll
behavioral2/files/0x0008000000023c87-32.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023c8f-41.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023c91-54.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023c92-59.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023c94-66.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023c97-85.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023c99-95.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023c9c-126.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023c9d-122.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023c9a-120.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023c9b-119.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023c96-104.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023c98-114.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023c95-97.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023c93-79.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023c90-46.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023c8c-37.dat  cobalt_reflective_dll
- Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
- Cobaltstrike family
- Xmrig family
- XMRig Miner payload (45 IoCs)
resource  yara_rule
behavioral2/memory/4664-130-0x00007FF7CF580000-0x00007FF7CF8D1000-memory.dmp  xmrig
behavioral2/memory/4928-128-0x00007FF7D3BF0000-0x00007FF7D3F41000-memory.dmp  xmrig
behavioral2/memory/2824-125-0x00007FF747660000-0x00007FF7479B1000-memory.dmp  xmrig
behavioral2/memory/4568-118-0x00007FF638FD0000-0x00007FF639321000-memory.dmp  xmrig
behavioral2/memory/4116-113-0x00007FF705F00000-0x00007FF706251000-memory.dmp  xmrig
behavioral2/memory/2584-112-0x00007FF709D20000-0x00007FF70A071000-memory.dmp  xmrig
behavioral2/memory/2552-78-0x00007FF665010000-0x00007FF665361000-memory.dmp  xmrig
behavioral2/memory/4936-77-0x00007FF6C0210000-0x00007FF6C0561000-memory.dmp  xmrig
behavioral2/memory/4960-62-0x00007FF7E6D30000-0x00007FF7E7081000-memory.dmp  xmrig
behavioral2/memory/384-132-0x00007FF7E8EE0000-0x00007FF7E9231000-memory.dmp  xmrig
behavioral2/memory/4960-133-0x00007FF7E6D30000-0x00007FF7E7081000-memory.dmp  xmrig
behavioral2/memory/1936-138-0x00007FF66B1B0000-0x00007FF66B501000-memory.dmp  xmrig
behavioral2/memory/2832-139-0x00007FF7E65C0000-0x00007FF7E6911000-memory.dmp  xmrig
behavioral2/memory/1796-140-0x00007FF6642C0000-0x00007FF664611000-memory.dmp  xmrig
behavioral2/memory/2004-142-0x00007FF6E2F60000-0x00007FF6E32B1000-memory.dmp  xmrig
behavioral2/memory/4620-141-0x00007FF7DFD40000-0x00007FF7E0091000-memory.dmp  xmrig
behavioral2/memory/3404-148-0x00007FF762790000-0x00007FF762AE1000-memory.dmp  xmrig
behavioral2/memory/3224-150-0x00007FF744000000-0x00007FF744351000-memory.dmp  xmrig
behavioral2/memory/4616-152-0x00007FF73CF90000-0x00007FF73D2E1000-memory.dmp  xmrig
behavioral2/memory/1172-145-0x00007FF65EB50000-0x00007FF65EEA1000-memory.dmp  xmrig
behavioral2/memory/1132-144-0x00007FF65D6E0000-0x00007FF65DA31000-memory.dmp  xmrig
behavioral2/memory/1916-153-0x00007FF701F10000-0x00007FF702261000-memory.dmp  xmrig
behavioral2/memory/2064-143-0x00007FF771C00000-0x00007FF771F51000-memory.dmp  xmrig
behavioral2/memory/4960-155-0x00007FF7E6D30000-0x00007FF7E7081000-memory.dmp  xmrig
behavioral2/memory/4936-204-0x00007FF6C0210000-0x00007FF6C0561000-memory.dmp  xmrig
behavioral2/memory/2552-208-0x00007FF665010000-0x00007FF665361000-memory.dmp  xmrig
behavioral2/memory/4664-210-0x00007FF7CF580000-0x00007FF7CF8D1000-memory.dmp  xmrig
behavioral2/memory/384-212-0x00007FF7E8EE0000-0x00007FF7E9231000-memory.dmp  xmrig
behavioral2/memory/1936-226-0x00007FF66B1B0000-0x00007FF66B501000-memory.dmp  xmrig
behavioral2/memory/2832-228-0x00007FF7E65C0000-0x00007FF7E6911000-memory.dmp  xmrig
behavioral2/memory/4620-232-0x00007FF7DFD40000-0x00007FF7E0091000-memory.dmp  xmrig
behavioral2/memory/1796-231-0x00007FF6642C0000-0x00007FF664611000-memory.dmp  xmrig
behavioral2/memory/2004-234-0x00007FF6E2F60000-0x00007FF6E32B1000-memory.dmp  xmrig
behavioral2/memory/1132-236-0x00007FF65D6E0000-0x00007FF65DA31000-memory.dmp  xmrig
behavioral2/memory/2064-242-0x00007FF771C00000-0x00007FF771F51000-memory.dmp  xmrig
behavioral2/memory/1172-244-0x00007FF65EB50000-0x00007FF65EEA1000-memory.dmp  xmrig
behavioral2/memory/2584-246-0x00007FF709D20000-0x00007FF70A071000-memory.dmp  xmrig
behavioral2/memory/4116-248-0x00007FF705F00000-0x00007FF706251000-memory.dmp  xmrig
behavioral2/memory/3404-252-0x00007FF762790000-0x00007FF762AE1000-memory.dmp  xmrig
behavioral2/memory/3224-254-0x00007FF744000000-0x00007FF744351000-memory.dmp  xmrig
behavioral2/memory/4568-251-0x00007FF638FD0000-0x00007FF639321000-memory.dmp  xmrig
behavioral2/memory/4928-260-0x00007FF7D3BF0000-0x00007FF7D3F41000-memory.dmp  xmrig
behavioral2/memory/4616-259-0x00007FF73CF90000-0x00007FF73D2E1000-memory.dmp  xmrig
behavioral2/memory/2824-262-0x00007FF747660000-0x00007FF7479B1000-memory.dmp  xmrig
behavioral2/memory/1916-257-0x00007FF701F10000-0x00007FF702261000-memory.dmp  xmrig
- Executes dropped EXE (21 IoCs)
pid  Process
4936  smlUjnr.exe
2552  zYRLSqe.exe
4664  XCMBDxJ.exe
384  ustqoxO.exe
1936  rRVNpIO.exe
2832  YgdsyZC.exe
4620  SzYyHRW.exe
1796  IjfTcZX.exe
2004  KYOKlIU.exe
2064  XBEYyIk.exe
1132  yOnzGkV.exe
1172  GHKtyld.exe
2584  IFOCDno.exe
4116  zZMGLkm.exe
3404  VNWUtXU.exe
4568  hoEzqbm.exe
3224  DsjwAKj.exe
4616  weYIamj.exe
1916  rLSXZJl.exe
2824  UPnUpUX.exe
4928  yFfJJxH.exe
resource  yara_rule
behavioral2/memory/4960-0-0x00007FF7E6D30000-0x00007FF7E7081000-memory.dmp  upx
behavioral2/files/0x000a000000023bac-5.dat  upx
behavioral2/memory/4936-8-0x00007FF6C0210000-0x00007FF6C0561000-memory.dmp  upx
behavioral2/files/0x0007000000023c8a-10.dat  upx
behavioral2/files/0x000a000000023c84-11.dat  upx
behavioral2/files/0x0007000000023c8b-23.dat  upx
behavioral2/memory/384-24-0x00007FF7E8EE0000-0x00007FF7E9231000-memory.dmp  upx
behavioral2/memory/4664-15-0x00007FF7CF580000-0x00007FF7CF8D1000-memory.dmp  upx
behavioral2/memory/2552-13-0x00007FF665010000-0x00007FF665361000-memory.dmp  upx
behavioral2/files/0x0008000000023c87-32.dat  upx
behavioral2/memory/1936-33-0x00007FF66B1B0000-0x00007FF66B501000-memory.dmp  upx
behavioral2/memory/2832-34-0x00007FF7E65C0000-0x00007FF7E6911000-memory.dmp  upx
behavioral2/files/0x0007000000023c8f-41.dat  upx
behavioral2/memory/1796-49-0x00007FF6642C0000-0x00007FF664611000-memory.dmp  upx
behavioral2/files/0x0007000000023c91-54.dat  upx
behavioral2/files/0x0007000000023c92-59.dat  upx
behavioral2/files/0x0007000000023c94-66.dat  upx
behavioral2/files/0x0007000000023c97-85.dat  upx
behavioral2/files/0x0007000000023c99-95.dat  upx
behavioral2/memory/1916-124-0x00007FF701F10000-0x00007FF702261000-memory.dmp  upx
behavioral2/memory/4664-130-0x00007FF7CF580000-0x00007FF7CF8D1000-memory.dmp  upx
behavioral2/memory/4616-129-0x00007FF73CF90000-0x00007FF73D2E1000-memory.dmp  upx
behavioral2/memory/4928-128-0x00007FF7D3BF0000-0x00007FF7D3F41000-memory.dmp  upx
behavioral2/files/0x0007000000023c9c-126.dat  upx
behavioral2/memory/2824-125-0x00007FF747660000-0x00007FF7479B1000-memory.dmp  upx
behavioral2/files/0x0007000000023c9d-122.dat  upx
behavioral2/files/0x0007000000023c9a-120.dat  upx
behavioral2/files/0x0007000000023c9b-119.dat  upx
behavioral2/memory/4568-118-0x00007FF638FD0000-0x00007FF639321000-memory.dmp  upx
behavioral2/memory/4116-113-0x00007FF705F00000-0x00007FF706251000-memory.dmp  upx
behavioral2/memory/2584-112-0x00007FF709D20000-0x00007FF70A071000-memory.dmp  upx
behavioral2/files/0x0007000000023c96-104.dat  upx
behavioral2/memory/3224-102-0x00007FF744000000-0x00007FF744351000-memory.dmp  upx
behavioral2/memory/3404-101-0x00007FF762790000-0x00007FF762AE1000-memory.dmp  upx
behavioral2/files/0x0007000000023c98-114.dat  upx
behavioral2/files/0x0007000000023c95-97.dat  upx
behavioral2/memory/1132-92-0x00007FF65D6E0000-0x00007FF65DA31000-memory.dmp  upx
behavioral2/files/0x0007000000023c93-79.dat  upx
behavioral2/memory/2552-78-0x00007FF665010000-0x00007FF665361000-memory.dmp  upx
behavioral2/memory/4936-77-0x00007FF6C0210000-0x00007FF6C0561000-memory.dmp  upx
behavioral2/memory/1172-70-0x00007FF65EB50000-0x00007FF65EEA1000-memory.dmp  upx
behavioral2/memory/2064-69-0x00007FF771C00000-0x00007FF771F51000-memory.dmp  upx
behavioral2/memory/4960-62-0x00007FF7E6D30000-0x00007FF7E7081000-memory.dmp  upx
behavioral2/memory/2004-61-0x00007FF6E2F60000-0x00007FF6E32B1000-memory.dmp  upx
behavioral2/files/0x0007000000023c90-46.dat  upx
behavioral2/memory/4620-42-0x00007FF7DFD40000-0x00007FF7E0091000-memory.dmp  upx
behavioral2/files/0x0007000000023c8c-37.dat  upx
behavioral2/memory/384-132-0x00007FF7E8EE0000-0x00007FF7E9231000-memory.dmp  upx
behavioral2/memory/4960-133-0x00007FF7E6D30000-0x00007FF7E7081000-memory.dmp  upx
behavioral2/memory/1936-138-0x00007FF66B1B0000-0x00007FF66B501000-memory.dmp  upx
behavioral2/memory/2832-139-0x00007FF7E65C0000-0x00007FF7E6911000-memory.dmp  upx
behavioral2/memory/1796-140-0x00007FF6642C0000-0x00007FF664611000-memory.dmp  upx
behavioral2/memory/2004-142-0x00007FF6E2F60000-0x00007FF6E32B1000-memory.dmp  upx
behavioral2/memory/4620-141-0x00007FF7DFD40000-0x00007FF7E0091000-memory.dmp  upx
behavioral2/memory/3404-148-0x00007FF762790000-0x00007FF762AE1000-memory.dmp  upx
behavioral2/memory/3224-150-0x00007FF744000000-0x00007FF744351000-memory.dmp  upx
behavioral2/memory/4616-152-0x00007FF73CF90000-0x00007FF73D2E1000-memory.dmp  upx
behavioral2/memory/1172-145-0x00007FF65EB50000-0x00007FF65EEA1000-memory.dmp  upx
behavioral2/memory/1132-144-0x00007FF65D6E0000-0x00007FF65DA31000-memory.dmp  upx
behavioral2/memory/1916-153-0x00007FF701F10000-0x00007FF702261000-memory.dmp  upx
behavioral2/memory/2064-143-0x00007FF771C00000-0x00007FF771F51000-memory.dmp  upx
behavioral2/memory/4960-155-0x00007FF7E6D30000-0x00007FF7E7081000-memory.dmp  upx
behavioral2/memory/4936-204-0x00007FF6C0210000-0x00007FF6C0561000-memory.dmp  upx
behavioral2/memory/2552-208-0x00007FF665010000-0x00007FF665361000-memory.dmp  upx
- Drops file in Windows directory (21 IoCs)
description  ioc  Process
File created  C:\Windows\System\YgdsyZC.exe  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\SzYyHRW.exe  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\XBEYyIk.exe  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\zZMGLkm.exe  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\UPnUpUX.exe  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\rRVNpIO.exe  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\IjfTcZX.exe  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\yOnzGkV.exe  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\hoEzqbm.exe  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\DsjwAKj.exe  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\rLSXZJl.exe  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\zYRLSqe.exe  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\XCMBDxJ.exe  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\ustqoxO.exe  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\KYOKlIU.exe  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\weYIamj.exe  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\yFfJJxH.exe  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\smlUjnr.exe  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\GHKtyld.exe  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\IFOCDno.exe  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\VNWUtXU.exe  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
description  pid  Process
Token: SeLockMemoryPrivilege  4960  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege  4960  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe
- Suspicious use of WriteProcessMemory (42 IoCs)
description  pid  Process  procid_target
PID 4960 wrote to memory of 4936  4960  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe  85
PID 4960 wrote to memory of 4936  4960  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe  85
PID 4960 wrote to memory of 2552  4960  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe  86
PID 4960 wrote to memory of 2552  4960  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe  86
PID 4960 wrote to memory of 4664  4960  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe  87
PID 4960 wrote to memory of 4664  4960  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe  87
PID 4960 wrote to memory of 384  4960  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe  88
PID 4960 wrote to memory of 384  4960  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe  88
PID 4960 wrote to memory of 1936  4960  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe  89
PID 4960 wrote to memory of 1936  4960  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe  89
PID 4960 wrote to memory of 2832  4960  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe  91
PID 4960 wrote to memory of 2832  4960  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe  91
PID 4960 wrote to memory of 1796  4960  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe  92
PID 4960 wrote to memory of 1796  4960  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe  92
PID 4960 wrote to memory of 4620  4960  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe  93
PID 4960 wrote to memory of 4620  4960  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe  93
PID 4960 wrote to memory of 2004  4960  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe  94
PID 4960 wrote to memory of 2004  4960  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe  94
PID 4960 wrote to memory of 2064  4960  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe  95
PID 4960 wrote to memory of 2064  4960  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe  95
PID 4960 wrote to memory of 1132  4960  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe  96
PID 4960 wrote to memory of 1132  4960  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe  96
PID 4960 wrote to memory of 1172  4960  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe  97
PID 4960 wrote to memory of 1172  4960  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe  97
PID 4960 wrote to memory of 2584  4960  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe  98
PID 4960 wrote to memory of 2584  4960  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe  98
PID 4960 wrote to memory of 4116  4960  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe  99
PID 4960 wrote to memory of 4116  4960  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe  99
PID 4960 wrote to memory of 3404  4960  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe  100
PID 4960 wrote to memory of 3404  4960  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe  100
PID 4960 wrote to memory of 4568  4960  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe  101
PID 4960 wrote to memory of 4568  4960  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe  101
PID 4960 wrote to memory of 3224  4960  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe  102
PID 4960 wrote to memory of 3224  4960  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe  102
PID 4960 wrote to memory of 2824  4960  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe  103
PID 4960 wrote to memory of 2824  4960  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe  103
PID 4960 wrote to memory of 4616  4960  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe  104
PID 4960 wrote to memory of 4616  4960  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe  104
PID 4960 wrote to memory of 1916  4960  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe  105
PID 4960 wrote to memory of 1916  4960  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe  105
PID 4960 wrote to memory of 4928  4960  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe  106
PID 4960 wrote to memory of 4928  4960  2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe  106
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4960
  - C:\Windows\System\smlUjnr.exe
    Command line: C:\Windows\System\smlUjnr.exe
    - Executes dropped EXE
    PID: 4936
  - C:\Windows\System\zYRLSqe.exe
    Command line: C:\Windows\System\zYRLSqe.exe
    - Executes dropped EXE
    PID: 2552
  - C:\Windows\System\XCMBDxJ.exe
    Command line: C:\Windows\System\XCMBDxJ.exe
    - Executes dropped EXE
    PID: 4664
  - C:\Windows\System\ustqoxO.exe
    Command line: C:\Windows\System\ustqoxO.exe
    - Executes dropped EXE
    PID: 384
  - C:\Windows\System\rRVNpIO.exe
    Command line: C:\Windows\System\rRVNpIO.exe
    - Executes dropped EXE
    PID: 1936
  - C:\Windows\System\YgdsyZC.exe
    Command line: C:\Windows\System\YgdsyZC.exe
    - Executes dropped EXE
    PID: 2832
  - C:\Windows\System\IjfTcZX.exe
    Command line: C:\Windows\System\IjfTcZX.exe
    - Executes dropped EXE
    PID: 1796
  - C:\Windows\System\SzYyHRW.exe
    Command line: C:\Windows\System\SzYyHRW.exe
    - Executes dropped EXE
    PID: 4620
  - C:\Windows\System\KYOKlIU.exe
    Command line: C:\Windows\System\KYOKlIU.exe
    - Executes dropped EXE
    PID: 2004
  - C:\Windows\System\XBEYyIk.exe
    Command line: C:\Windows\System\XBEYyIk.exe
    - Executes dropped EXE
    PID: 2064
  - C:\Windows\System\yOnzGkV.exe
    Command line: C:\Windows\System\yOnzGkV.exe
    - Executes dropped EXE
    PID: 1132
  - C:\Windows\System\GHKtyld.exe
    Command line: C:\Windows\System\GHKtyld.exe
    - Executes dropped EXE
    PID: 1172
  - C:\Windows\System\IFOCDno.exe
    Command line: C:\Windows\System\IFOCDno.exe
    - Executes dropped EXE
    PID: 2584
  - C:\Windows\System\zZMGLkm.exe
    Command line: C:\Windows\System\zZMGLkm.exe
    - Executes dropped EXE
    PID: 4116
  - C:\Windows\System\VNWUtXU.exe
    Command line: C:\Windows\System\VNWUtXU.exe
    - Executes dropped EXE
    PID: 3404
  - C:\Windows\System\hoEzqbm.exe
    Command line: C:\Windows\System\hoEzqbm.exe
    - Executes dropped EXE
    PID: 4568
  - C:\Windows\System\DsjwAKj.exe
    Command line: C:\Windows\System\DsjwAKj.exe
    - Executes dropped EXE
    PID: 3224
  - C:\Windows\System\UPnUpUX.exe
    Command line: C:\Windows\System\UPnUpUX.exe
    - Executes dropped EXE
    PID: 2824
  - C:\Windows\System\weYIamj.exe
    Command line: C:\Windows\System\weYIamj.exe
    - Executes dropped EXE
    PID: 4616
  - C:\Windows\System\rLSXZJl.exe
    Command line: C:\Windows\System\rLSXZJl.exe
    - Executes dropped EXE
    PID: 1916
  - C:\Windows\System\yFfJJxH.exe
    Command line: C:\Windows\System\yFfJJxH.exe
    - Executes dropped EXE
    PID: 4928
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 5.2MB
  MD5: 772435871c1ae1dafb756d130d46339a
  SHA1: c82e7cf5578cda9877b7249cff04aa328526c2c9
  SHA256: 91bb1ca6e2d63025610ffb57856ca805e1f3f9399a4d44b50a7e0b3e7ee6da64
  SHA512: 2c595f4ada0b27cded5296a16bf04cc1a125e55d5dffbe6f299704b978fca420f64e7101d94f12420851a10d2f5928f4e937b56e3efc047917953eb5644b9584
- Filesize: 5.2MB
  MD5: c8c2b8a67f81a7519331476a0e26ba00
  SHA1: f42d00836fc843cd3e9f5a5707709403728acd5f
  SHA256: c725e46fe08ecb396356181830003f2bd65d83041faffd9613c8db5ef2f09388
  SHA512: c119fafcfd2a04112f13af23761704b8045408c87134237b18daa4661f94674cc5aa9482c4c5d2a3d5db8bcb25d5e9087db399bf5cdde19ea1084cdf60853336
- Filesize: 5.2MB
  MD5: f518981dfbd9eaabfb1169c1cbbe8589
  SHA1: a2e7a07d06f339041d8d100bb58717cf1db6911d
  SHA256: e1b901ef9f1685b2b0cf5b05681f97e32d333e784a6c2d2af57a9be2696f6d04
  SHA512: f26a6ae8c1ae07bdde48021b96acc12f723305946363b6e54edb548c1131aa488e3493db2a816c222d4cf259eca3fcf16c112c79ac44a6c9569508e63597edd4
- Filesize: 5.2MB
  MD5: 2c2640ac9eed8ed79bbad9c6a605f472
  SHA1: ec939cd2358849e2676752486c5fe26f0c0cc98f
  SHA256: e178c6ccf1237718cee1807e4572379e0130348dea5d20f8de2b598258522a63
  SHA512: e03c33fb411317205cbc504d0a294459907c912f8e4d50392477c943de937393dbe63b679fa1a9420de88660c85da40e84efdd5e768584b33f3282538c35839a
- Filesize: 5.2MB
  MD5: e9c5bb137f7d493cafe84140f52fd15f
  SHA1: d8c567ca4b2f89d2e42d4213e286831668c79619
  SHA256: f466c486a32a67fe8e214e2b5a33b91f36b1912475f4c09fa96f4c057e38b3b3
  SHA512: 54551ac2e0b421fe1e17e154f16822931d34e769b6d26e0a12f26fc6ea1122054361bdfbc3988cb177fcd54a6373e98196136cc798a3edd6448b163122aee5ae
- Filesize: 5.2MB
  MD5: 217f6b22ca587af978bd39e75080ae57
  SHA1: 07c35c5a1ae7ac2b723fa1e30f9b2895f6313d0e
  SHA256: b8eb1346a991058f139b44edf4b58f235c9d1fe4e272ef4457009985bf1d9e1c
  SHA512: a97bcf80fe2edd3ae7bd1b90560a82d42380714debb7517984c24fb8ddaf091fccb9e6ad7b8d7f0ad0233bbac233d79ce5607ca649caab9e48e0ef6ce1d242a8
- Filesize: 5.2MB
  MD5: cbc737f339a9d7bd6e77d34b89368eaf
  SHA1: d0a74499f28c665f7723b16b66f97027b708a67a
  SHA256: c1b9a5a8a2bd575c9195fab67bdcaf88ebe30b95f447982fb716b32f40b86976
  SHA512: 568111174ab5645fe0852eb5d970a5097e007923434bc537647133ff497adf5e9b49e3794c0090610efe23aec06aab4d535b84c55fa44733d5c75b96313d10b8
- Filesize: 5.2MB
  MD5: 8ed47bd4484fac484f6c9ffe960e1b9c
  SHA1: 9736cec0c9582cecc473bc4eb0137ac7718b8aef
  SHA256: 73e3e14099460293a139109eef08bb541a18e11d83c4ddc6b4eabba275ca3772
  SHA512: 2868e057f9f569d960d5ef2e74d932c52bac47ae11b69b0066dc7192544ea4f92e22e770bb7ff14ef375be720d6294709e33377a39f1a77b53bf4db8bb945196
- Filesize: 5.2MB
  MD5: 78594d1b93326a67781d1bb490cb50a2
  SHA1: 338d49f13222146cdda7f62bd201752be06f423e
  SHA256: 86788bb1d369f0683bac2ef54ba61e7e71faed4fa4239c6eeb6bee96c575d580
  SHA512: da1ee6d4413a91d7631734971489d4144dd136cb7a29fe53bdbfd86d422df656287be81a1a63438dfdb826a259dea97aedb7958d2b53d48a57906f42bfa99d3e
- Filesize: 5.2MB
  MD5: 93ebb467f9b66f60b49ea98fc3d38d7a
  SHA1: 5a210f6093cc51feee4dabda1ad6165f24a20327
  SHA256: 30e975ded8edaa634cdb8e72f7626496e3cc4c753f795b0f4416469cdc5e4b0e
  SHA512: d606cbcd0930a858e3dd5814ed49ab8059ca59927b8618900cf41b42575dbf452cd12a3cacd17295b81a574a375631747d45b37f7168aa518972fc7a6a1e31e2
- Filesize: 5.2MB
  MD5: 140b6f8f138e2e51411a2c2ec199c907
  SHA1: 61a986a89a06b1bc0f67608dc1aedff179ea28a7
  SHA256: 5ba64213d862b2bc578538cf6b5b95ab1c0661372c6416114372c3261a52fedb
  SHA512: 61a1b41c4fa7cde386255f31b2315f12c1efb153a88af3e419c2a7feda2b27867c9ef6f8a2eef8e382c1e050c8826512d132aaae2b6acc5bfc174f5bdf2f223b
- Filesize: 5.2MB
  MD5: 0260c5d41cce7411666ec923d9e21531
  SHA1: 14a0ae976b74eeff372998bc5e274f98a4327698
  SHA256: 33ff2accfd8dea886f77655c3cbe3015a9d29abb14fb81c609ab555ee6043c5a
  SHA512: 145e27a3bb5ea69d4de4248d388b1c584f9f4a1b64449ce0a64a7c994cac3f6ca8fde7641c77b6e9e4251abf8c66b718fdcd827c4e21c6f08bb9cbcae03b0cc6
- Filesize: 5.2MB
  MD5: 1f7dd2c68833ca454faba85da3652cfe
  SHA1: bf2c7f45302279c10f332eb07dae49a9a5d38f1d
  SHA256: 71a8ea5f29fcc6836bd10867840f6b426785399554a6f486c500978224938a2f
  SHA512: 6d3592b99d3c67f64f329ad6f6ad86a9fad083ea45bef450d347243e7af953d1cb69656e998f2a0f02ca8dca87431bc3743176d50926140b0d1393e76cc59200
- Filesize: 5.2MB
  MD5: 022ff5d37de9c88d75d37e90c48077f2
  SHA1: 5bcc19ad9d17a3590a32777db12c5f5988c774c6
  SHA256: 57acb7a0feec1858e60ee432d356800c35c5a987c80c7d5043778e035aa95ef8
  SHA512: 711a040da47c9110f2ba14be4346bb1effe266e62104e7923b9e7ffe7c1bff40e4e305c55b12a9c6e991bd1f5407e2de73b23d0ed43d2a4579bc734ca3048e04
- Filesize: 5.2MB
  MD5: 5756d6991c9d3f091efdc8812809b7aa
  SHA1: 563a747acfcb76f559a046cdcd15e2d28c751cde
  SHA256: a3dba698730c7de87a2dfca1dcd2e39e99b452c0ef890ca636bc6e6136f69dca
  SHA512: e2a59ded82631fa577f6197a79334dc54dbdf955d82fca68e1dc736d44bfeca5373f6b360323909bd147e175ab397efc6fb866e536c243ea3b9ced7cc6b5b3ad
- Filesize: 5.2MB
  MD5: 7c94b56fed2e1c6458d245cbd8b0e217
  SHA1: 5ca0080eb9de0971b1d25e4737d1753d6b649474
  SHA256: b357737c567813098f659c10cdbe95c796726a4dd1ceef4128def600006bbcf6
  SHA512: a3d5123a65d477ffd7cdd20e85b8d7914a050e87dc9b2fd040f676920949dbf0bcab7f193083d9b4988166c280eea3deac27af395d24ce7b19146e448950fb75
- Filesize: 5.2MB
  MD5: d4e01206b136492ba1873f82eef288f3
  SHA1: 823e537fc4879c1a5633af6a74e33df84f9e866f
  SHA256: 9ca099e315ddb10e22201195e66420b024ad59973e3fede6035437d9fa3ff0e1
  SHA512: eb8a44eb1ff713c86b25d925abb5b309e3747a2b85796cb34269e43877632a846e7bb8eb896aa4f141b8d5e9638d61da3b398685d4dcade8490804b42e7dc9a0
- Filesize: 5.2MB
  MD5: 4e4e71a1b0e55eebf40722b576d61c22
  SHA1: af62eb20e2d8d2ac5f6aaf08552ab9894c0d2b51
  SHA256: a86424af3dc60f5b3a0a2f66dfe1b95ac7017f058f6b38f62445d8410ef532ed
  SHA512: 8a02fc17734d43cbdc17a5337f70b7352e93f876ec83a2cef981cc566c8d9a113ea1d3749dc77b52090961455ac7a44ac02b5de8f717831d9946c5dd5e50d869
- Filesize: 5.2MB
  MD5: d70c4650764d59b421e4b848dc2448fc
  SHA1: 7e5977afcc39621fe32ce024abccfb883a37be25
  SHA256: 0dbace26a16580e700cc140d10991ef67dc36f5240a39b432cb1e9b77b3134e2
  SHA512: 749a5b2c3e5f358ccb309e55091620367769a15f02759086afd01426f5b64873fb9b4685162b4568cf6973801fd275027302028caba82a428981fa50fc56f051
- Filesize: 5.2MB
  MD5: 2eea7f32bd3b237ab80c20968761b76b
  SHA1: 1d207d4091f9401cf23698c1933d9507553fd493
  SHA256: a6c07ded74083ad009f52a5a4dc02d7aa42fc39eb1c105a9e4b8b0635174ed24
  SHA512: 50564b81b9ebf894e6c93a2eaedd63993769f548ba9f94fe7264c59d28e14d69274a94037045b19c8892ef04c2eb134b39d23cae17cb06cf1779fa4f5a5736e5
- Filesize: 5.2MB
  MD5: ce92e3b12e4e21c205e2d8d03120a7a9
  SHA1: 5f750aa332f998586f908cc0ec3048ee9c345d95
  SHA256: f4ce984df512c92fc3935061d40478ef7908ebfc79ab6bb69df37ae25a7de409
  SHA512: 0036c70c883cf675942ee0e56dd0a843dde96c562fcb010d84fb142bb8f2623c768500abfa9026f88155fb80bc22d34e8abd13cd37a9729c2369c971fa48b625