Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/10/2024, 04:56
Behavioral task: behavioral1
Sample: 2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe
Resource: win7-20241010-en
General
Target: 2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe
Size: 5.2MB
MD5: 38cd60aaa9444267c2673b5c089a11bc
SHA1: 179194cbe8fd15a8b6c1ef8376b7389b016da9cd
SHA256: 0f6ce4b1ea8b1d2c931d6729631fb8d058777e35ed9e2a454e5c17b6ccf29f5f
SHA512: 5069df7946b08909a44d1cd8f063168bd6e68e438c7507add433c7e0093dc79e959f6c96484cbce5702a0cd4cbb4e360b7203d7244699eb8bc8fe6b5e2e85f24
SSDEEP: 49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lr:RWWBibf56utgpPFotBER/mQ32lUH
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
Signatures
Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
Cobaltstrike family
Xmrig family
XMRig Miner payload 45 IoCs
Executes dropped EXE 21 IoCs
pid   Process
1048  oRRtTCI.exe
5036  Embmesa.exe
2012  KrUakhk.exe
1008  iLzYOVN.exe
2796  ictdtEJ.exe
2264  UfIxVZM.exe
2420  FkqZioe.exe
3088  REtyjwN.exe
3268  mNwxkki.exe
232   YBUCSmz.exe
1484  gPpDbmk.exe
2188  dudZkib.exe
2040  KAnawDp.exe
2500  vxEkuLR.exe
1916  iUUeLBg.exe
1896  WRxbUyK.exe
4296  zVdABjv.exe
1120  lOhJdGm.exe
2204  EPMExxR.exe
2164  vAJCkaN.exe
728   JdVzYaj.exe
Drops file in Windows directory 21 IoCs
description   ioc                            Process
File created  C:\Windows\System\iUUeLBg.exe  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\gPpDbmk.exe  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\KAnawDp.exe  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\lOhJdGm.exe  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\JdVzYaj.exe  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\oRRtTCI.exe  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\iLzYOVN.exe  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\FkqZioe.exe  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\REtyjwN.exe  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\YBUCSmz.exe  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\WRxbUyK.exe  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\Embmesa.exe  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\KrUakhk.exe  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\ictdtEJ.exe  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\vxEkuLR.exe  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\zVdABjv.exe  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\EPMExxR.exe  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\vAJCkaN.exe  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\UfIxVZM.exe  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\mNwxkki.exe  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\dudZkib.exe  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description                   pid   Process
Token: SeLockMemoryPrivilege  2136  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege  2136  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe
Suspicious use of WriteProcessMemory 42 IoCs
description                        pid   Process                                                                              procid_target
PID 2136 wrote to memory of 1048   2136  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe  85
PID 2136 wrote to memory of 1048   2136  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe  85
PID 2136 wrote to memory of 5036   2136  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe  86
PID 2136 wrote to memory of 5036   2136  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe  86
PID 2136 wrote to memory of 2012   2136  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe  87
PID 2136 wrote to memory of 2012   2136  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe  87
PID 2136 wrote to memory of 1008   2136  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe  88
PID 2136 wrote to memory of 1008   2136  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe  88
PID 2136 wrote to memory of 2796   2136  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe  89
PID 2136 wrote to memory of 2796   2136  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe  89
PID 2136 wrote to memory of 2264   2136  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe  90
PID 2136 wrote to memory of 2264   2136  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe  90
PID 2136 wrote to memory of 2420   2136  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe  91
PID 2136 wrote to memory of 2420   2136  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe  91
PID 2136 wrote to memory of 3088   2136  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe  92
PID 2136 wrote to memory of 3088   2136  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe  92
PID 2136 wrote to memory of 3268   2136  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe  93
PID 2136 wrote to memory of 3268   2136  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe  93
PID 2136 wrote to memory of 232    2136  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe  94
PID 2136 wrote to memory of 232    2136  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe  94
PID 2136 wrote to memory of 1484   2136  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe  96
PID 2136 wrote to memory of 1484   2136  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe  96
PID 2136 wrote to memory of 2188   2136  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe  97
PID 2136 wrote to memory of 2188   2136  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe  97
PID 2136 wrote to memory of 2040   2136  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe  98
PID 2136 wrote to memory of 2040   2136  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe  98
PID 2136 wrote to memory of 2500   2136  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe  99
PID 2136 wrote to memory of 2500   2136  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe  99
PID 2136 wrote to memory of 1916   2136  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe  100
PID 2136 wrote to memory of 1916   2136  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe  100
PID 2136 wrote to memory of 4296   2136  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe  101
PID 2136 wrote to memory of 4296   2136  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe  101
PID 2136 wrote to memory of 1896   2136  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe  102
PID 2136 wrote to memory of 1896   2136  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe  102
PID 2136 wrote to memory of 1120   2136  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe  103
PID 2136 wrote to memory of 1120   2136  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe  103
PID 2136 wrote to memory of 2204   2136  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe  104
PID 2136 wrote to memory of 2204   2136  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe  104
PID 2136 wrote to memory of 2164   2136  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe  105
PID 2136 wrote to memory of 2164   2136  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe  105
PID 2136 wrote to memory of 728    2136  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe  106
PID 2136 wrote to memory of 728    2136  2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe  106
Processes
[1] C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe"
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2136
    [2] C:\Windows\System\oRRtTCI.exe
        Command line: C:\Windows\System\oRRtTCI.exe
        - Executes dropped EXE
        PID: 1048
    [2] C:\Windows\System\Embmesa.exe
        Command line: C:\Windows\System\Embmesa.exe
        - Executes dropped EXE
        PID: 5036
    [2] C:\Windows\System\KrUakhk.exe
        Command line: C:\Windows\System\KrUakhk.exe
        - Executes dropped EXE
        PID: 2012
    [2] C:\Windows\System\iLzYOVN.exe
        Command line: C:\Windows\System\iLzYOVN.exe
        - Executes dropped EXE
        PID: 1008
    [2] C:\Windows\System\ictdtEJ.exe
        Command line: C:\Windows\System\ictdtEJ.exe
        - Executes dropped EXE
        PID: 2796
    [2] C:\Windows\System\UfIxVZM.exe
        Command line: C:\Windows\System\UfIxVZM.exe
        - Executes dropped EXE
        PID: 2264
    [2] C:\Windows\System\FkqZioe.exe
        Command line: C:\Windows\System\FkqZioe.exe
        - Executes dropped EXE
        PID: 2420
    [2] C:\Windows\System\REtyjwN.exe
        Command line: C:\Windows\System\REtyjwN.exe
        - Executes dropped EXE
        PID: 3088
    [2] C:\Windows\System\mNwxkki.exe
        Command line: C:\Windows\System\mNwxkki.exe
        - Executes dropped EXE
        PID: 3268
    [2] C:\Windows\System\YBUCSmz.exe
        Command line: C:\Windows\System\YBUCSmz.exe
        - Executes dropped EXE
        PID: 232
    [2] C:\Windows\System\gPpDbmk.exe
        Command line: C:\Windows\System\gPpDbmk.exe
        - Executes dropped EXE
        PID: 1484
    [2] C:\Windows\System\dudZkib.exe
        Command line: C:\Windows\System\dudZkib.exe
        - Executes dropped EXE
        PID: 2188
    [2] C:\Windows\System\KAnawDp.exe
        Command line: C:\Windows\System\KAnawDp.exe
        - Executes dropped EXE
        PID: 2040
    [2] C:\Windows\System\vxEkuLR.exe
        Command line: C:\Windows\System\vxEkuLR.exe
        - Executes dropped EXE
        PID: 2500
    [2] C:\Windows\System\iUUeLBg.exe
        Command line: C:\Windows\System\iUUeLBg.exe
        - Executes dropped EXE
        PID: 1916
    [2] C:\Windows\System\zVdABjv.exe
        Command line: C:\Windows\System\zVdABjv.exe
        - Executes dropped EXE
        PID: 4296
    [2] C:\Windows\System\WRxbUyK.exe
        Command line: C:\Windows\System\WRxbUyK.exe
        - Executes dropped EXE
        PID: 1896
    [2] C:\Windows\System\lOhJdGm.exe
        Command line: C:\Windows\System\lOhJdGm.exe
        - Executes dropped EXE
        PID: 1120
    [2] C:\Windows\System\EPMExxR.exe
        Command line: C:\Windows\System\EPMExxR.exe
        - Executes dropped EXE
        PID: 2204
    [2] C:\Windows\System\vAJCkaN.exe
        Command line: C:\Windows\System\vAJCkaN.exe
        - Executes dropped EXE
        PID: 2164
    [2] C:\Windows\System\JdVzYaj.exe
        Command line: C:\Windows\System\JdVzYaj.exe
        - Executes dropped EXE
        PID: 728
Network
MITRE ATT&CK Matrix
Downloads