Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
27/10/2024, 05:09
Behavioral task
behavioral1
Sample
2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe
Resource
win7-20241010-en
General
-
Target
2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe
-
Size
5.2MB
-
MD5
6ff5e93034cdb528937a2784f31a1dc0
-
SHA1
e66cce1f569d0bab4f2cca45de16ed9d4821a7a6
-
SHA256
86256cba6711c887e414aaa9acdaac0e92f65adc08fee3717d39253c5859d6b8
-
SHA512
ac56213627792da72f3073be83cfd694a94084849d9fdbbe50a9070278d663e0b2f467dd97a658d38fb4f07ccd352e3bb45885c52951ecc931124e325af4b535
-
SSDEEP
49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6li:RWWBibf56utgpPFotBER/mQ32lUe
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
-
access_type
512
-
beacon_type
256
-
create_remote_thread
768
-
crypto_scheme
256
-
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
-
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
-
http_method1
GET
-
http_method2
POST
-
maxdns
255
-
pipe_name
\\%s\pipe\msagent_%x
-
polling_time
5000
-
port_number
443
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/N4215/adj/amzn.us.sr.aps
-
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
-
watermark
0
Signatures
-
Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
resource yara_rule
behavioral2/files/0x000a000000023c0f-6.dat cobalt_reflective_dll
behavioral2/files/0x0007000000023cad-11.dat cobalt_reflective_dll
behavioral2/files/0x0007000000023cb3-41.dat cobalt_reflective_dll
behavioral2/files/0x0007000000023cb5-52.dat cobalt_reflective_dll
behavioral2/files/0x0007000000023cb8-73.dat cobalt_reflective_dll
behavioral2/files/0x0007000000023cb9-86.dat cobalt_reflective_dll
behavioral2/files/0x0007000000023cbe-102.dat cobalt_reflective_dll
behavioral2/files/0x0007000000023cbf-112.dat cobalt_reflective_dll
behavioral2/files/0x000a000000023ca5-114.dat cobalt_reflective_dll
behavioral2/files/0x0007000000023cbd-108.dat cobalt_reflective_dll
behavioral2/files/0x0007000000023cbc-106.dat cobalt_reflective_dll
behavioral2/files/0x0007000000023cbb-98.dat cobalt_reflective_dll
behavioral2/files/0x0007000000023cb6-97.dat cobalt_reflective_dll
behavioral2/files/0x0007000000023cb7-95.dat cobalt_reflective_dll
behavioral2/files/0x0007000000023cba-80.dat cobalt_reflective_dll
behavioral2/files/0x0007000000023cb4-61.dat cobalt_reflective_dll
behavioral2/files/0x0007000000023cb2-56.dat cobalt_reflective_dll
behavioral2/files/0x0007000000023cb0-46.dat cobalt_reflective_dll
behavioral2/files/0x0007000000023caf-39.dat cobalt_reflective_dll
behavioral2/files/0x0007000000023cb1-32.dat cobalt_reflective_dll
behavioral2/files/0x0007000000023cae-24.dat cobalt_reflective_dll
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Cobaltstrike family
-
Xmrig family
-
XMRig Miner payload 45 IoCs
resource yara_rule
behavioral2/memory/1776-44-0x00007FF73F7C0000-0x00007FF73FB11000-memory.dmp xmrig
behavioral2/memory/1936-116-0x00007FF63B1F0000-0x00007FF63B541000-memory.dmp xmrig
behavioral2/memory/3400-118-0x00007FF7AB900000-0x00007FF7ABC51000-memory.dmp xmrig
behavioral2/memory/4824-119-0x00007FF7A9AF0000-0x00007FF7A9E41000-memory.dmp xmrig
behavioral2/memory/2280-124-0x00007FF7D6940000-0x00007FF7D6C91000-memory.dmp xmrig
behavioral2/memory/4276-131-0x00007FF67B6F0000-0x00007FF67BA41000-memory.dmp xmrig
behavioral2/memory/1828-133-0x00007FF778A50000-0x00007FF778DA1000-memory.dmp xmrig
behavioral2/memory/3856-132-0x00007FF68E310000-0x00007FF68E661000-memory.dmp xmrig
behavioral2/memory/1136-130-0x00007FF75E450000-0x00007FF75E7A1000-memory.dmp xmrig
behavioral2/memory/4928-129-0x00007FF730CE0000-0x00007FF731031000-memory.dmp xmrig
behavioral2/memory/876-128-0x00007FF611E40000-0x00007FF612191000-memory.dmp xmrig
behavioral2/memory/4820-127-0x00007FF6C1FA0000-0x00007FF6C22F1000-memory.dmp xmrig
behavioral2/memory/1076-126-0x00007FF7644A0000-0x00007FF7647F1000-memory.dmp xmrig
behavioral2/memory/2404-125-0x00007FF76E830000-0x00007FF76EB81000-memory.dmp xmrig
behavioral2/memory/4700-123-0x00007FF6DD5B0000-0x00007FF6DD901000-memory.dmp xmrig
behavioral2/memory/1476-121-0x00007FF6B6A80000-0x00007FF6B6DD1000-memory.dmp xmrig
behavioral2/memory/3144-120-0x00007FF712B60000-0x00007FF712EB1000-memory.dmp xmrig
behavioral2/memory/4972-117-0x00007FF69E330000-0x00007FF69E681000-memory.dmp xmrig
behavioral2/memory/2320-134-0x00007FF778510000-0x00007FF778861000-memory.dmp xmrig
behavioral2/memory/3048-137-0x00007FF68B4B0000-0x00007FF68B801000-memory.dmp xmrig
behavioral2/memory/4832-136-0x00007FF6472C0000-0x00007FF647611000-memory.dmp xmrig
behavioral2/memory/3444-135-0x00007FF691AE0000-0x00007FF691E31000-memory.dmp xmrig
behavioral2/memory/1936-138-0x00007FF63B1F0000-0x00007FF63B541000-memory.dmp xmrig
behavioral2/memory/1936-139-0x00007FF63B1F0000-0x00007FF63B541000-memory.dmp xmrig
behavioral2/memory/4972-191-0x00007FF69E330000-0x00007FF69E681000-memory.dmp xmrig
behavioral2/memory/3400-193-0x00007FF7AB900000-0x00007FF7ABC51000-memory.dmp xmrig
behavioral2/memory/4824-206-0x00007FF7A9AF0000-0x00007FF7A9E41000-memory.dmp xmrig
behavioral2/memory/1776-214-0x00007FF73F7C0000-0x00007FF73FB11000-memory.dmp xmrig
behavioral2/memory/3144-213-0x00007FF712B60000-0x00007FF712EB1000-memory.dmp xmrig
behavioral2/memory/4700-216-0x00007FF6DD5B0000-0x00007FF6DD901000-memory.dmp xmrig
behavioral2/memory/1136-228-0x00007FF75E450000-0x00007FF75E7A1000-memory.dmp xmrig
behavioral2/memory/2404-230-0x00007FF76E830000-0x00007FF76EB81000-memory.dmp xmrig
behavioral2/memory/876-232-0x00007FF611E40000-0x00007FF612191000-memory.dmp xmrig
behavioral2/memory/4820-234-0x00007FF6C1FA0000-0x00007FF6C22F1000-memory.dmp xmrig
behavioral2/memory/4928-224-0x00007FF730CE0000-0x00007FF731031000-memory.dmp xmrig
behavioral2/memory/1476-226-0x00007FF6B6A80000-0x00007FF6B6DD1000-memory.dmp xmrig
behavioral2/memory/1076-219-0x00007FF7644A0000-0x00007FF7647F1000-memory.dmp xmrig
behavioral2/memory/2280-223-0x00007FF7D6940000-0x00007FF7D6C91000-memory.dmp xmrig
behavioral2/memory/4276-221-0x00007FF67B6F0000-0x00007FF67BA41000-memory.dmp xmrig
behavioral2/memory/4832-243-0x00007FF6472C0000-0x00007FF647611000-memory.dmp xmrig
behavioral2/memory/1828-245-0x00007FF778A50000-0x00007FF778DA1000-memory.dmp xmrig
behavioral2/memory/3856-246-0x00007FF68E310000-0x00007FF68E661000-memory.dmp xmrig
behavioral2/memory/2320-241-0x00007FF778510000-0x00007FF778861000-memory.dmp xmrig
behavioral2/memory/3048-238-0x00007FF68B4B0000-0x00007FF68B801000-memory.dmp xmrig
behavioral2/memory/3444-236-0x00007FF691AE0000-0x00007FF691E31000-memory.dmp xmrig
-
Executes dropped EXE 21 IoCs
pid Process
4972 dioKWDf.exe
3400 dGkAbDO.exe
4824 bZWUChq.exe
3144 nAiXdkx.exe
1476 BxwHviW.exe
1776 AYFVATx.exe
4700 BaLMWvK.exe
2280 nZFLGnf.exe
2404 eVWJdId.exe
1076 gkMSHoC.exe
4928 ZXarzTp.exe
876 RcFOTMH.exe
4820 NabdSfH.exe
1136 XTwkKQo.exe
4276 hbwyyFA.exe
3856 SiUPAeO.exe
1828 rFufkAx.exe
2320 YFVmWYL.exe
4832 XpKyJpi.exe
3048 lLUrZGP.exe
3444 KpAggWA.exe
-
resource yara_rule
behavioral2/memory/1936-0-0x00007FF63B1F0000-0x00007FF63B541000-memory.dmp upx
behavioral2/files/0x000a000000023c0f-6.dat upx
behavioral2/memory/4972-9-0x00007FF69E330000-0x00007FF69E681000-memory.dmp upx
behavioral2/files/0x0007000000023cad-11.dat upx
behavioral2/memory/3144-34-0x00007FF712B60000-0x00007FF712EB1000-memory.dmp upx
behavioral2/files/0x0007000000023cb3-41.dat upx
behavioral2/files/0x0007000000023cb5-52.dat upx
behavioral2/files/0x0007000000023cb8-73.dat upx
behavioral2/files/0x0007000000023cb9-86.dat upx
behavioral2/files/0x0007000000023cbe-102.dat upx
behavioral2/files/0x0007000000023cbf-112.dat upx
behavioral2/files/0x000a000000023ca5-114.dat upx
behavioral2/files/0x0007000000023cbd-108.dat upx
behavioral2/files/0x0007000000023cbc-106.dat upx
behavioral2/memory/4820-100-0x00007FF6C1FA0000-0x00007FF6C22F1000-memory.dmp upx
behavioral2/files/0x0007000000023cbb-98.dat upx
behavioral2/files/0x0007000000023cb6-97.dat upx
behavioral2/files/0x0007000000023cb7-95.dat upx
behavioral2/memory/4928-82-0x00007FF730CE0000-0x00007FF731031000-memory.dmp upx
behavioral2/files/0x0007000000023cba-80.dat upx
behavioral2/memory/2404-64-0x00007FF76E830000-0x00007FF76EB81000-memory.dmp upx
behavioral2/files/0x0007000000023cb4-61.dat upx
behavioral2/memory/2280-54-0x00007FF7D6940000-0x00007FF7D6C91000-memory.dmp upx
behavioral2/files/0x0007000000023cb2-56.dat upx
behavioral2/files/0x0007000000023cb0-46.dat upx
behavioral2/memory/1776-44-0x00007FF73F7C0000-0x00007FF73FB11000-memory.dmp upx
behavioral2/files/0x0007000000023caf-39.dat upx
behavioral2/files/0x0007000000023cb1-32.dat upx
behavioral2/files/0x0007000000023cae-24.dat upx
behavioral2/memory/4824-22-0x00007FF7A9AF0000-0x00007FF7A9E41000-memory.dmp upx
behavioral2/memory/3400-18-0x00007FF7AB900000-0x00007FF7ABC51000-memory.dmp upx
behavioral2/memory/1936-116-0x00007FF63B1F0000-0x00007FF63B541000-memory.dmp upx
behavioral2/memory/3400-118-0x00007FF7AB900000-0x00007FF7ABC51000-memory.dmp upx
behavioral2/memory/4824-119-0x00007FF7A9AF0000-0x00007FF7A9E41000-memory.dmp upx
behavioral2/memory/2280-124-0x00007FF7D6940000-0x00007FF7D6C91000-memory.dmp upx
behavioral2/memory/4276-131-0x00007FF67B6F0000-0x00007FF67BA41000-memory.dmp upx
behavioral2/memory/1828-133-0x00007FF778A50000-0x00007FF778DA1000-memory.dmp upx
behavioral2/memory/3856-132-0x00007FF68E310000-0x00007FF68E661000-memory.dmp upx
behavioral2/memory/1136-130-0x00007FF75E450000-0x00007FF75E7A1000-memory.dmp upx
behavioral2/memory/4928-129-0x00007FF730CE0000-0x00007FF731031000-memory.dmp upx
behavioral2/memory/876-128-0x00007FF611E40000-0x00007FF612191000-memory.dmp upx
behavioral2/memory/4820-127-0x00007FF6C1FA0000-0x00007FF6C22F1000-memory.dmp upx
behavioral2/memory/1076-126-0x00007FF7644A0000-0x00007FF7647F1000-memory.dmp upx
behavioral2/memory/2404-125-0x00007FF76E830000-0x00007FF76EB81000-memory.dmp upx
behavioral2/memory/4700-123-0x00007FF6DD5B0000-0x00007FF6DD901000-memory.dmp upx
behavioral2/memory/1476-121-0x00007FF6B6A80000-0x00007FF6B6DD1000-memory.dmp upx
behavioral2/memory/3144-120-0x00007FF712B60000-0x00007FF712EB1000-memory.dmp upx
behavioral2/memory/4972-117-0x00007FF69E330000-0x00007FF69E681000-memory.dmp upx
behavioral2/memory/2320-134-0x00007FF778510000-0x00007FF778861000-memory.dmp upx
behavioral2/memory/3048-137-0x00007FF68B4B0000-0x00007FF68B801000-memory.dmp upx
behavioral2/memory/4832-136-0x00007FF6472C0000-0x00007FF647611000-memory.dmp upx
behavioral2/memory/3444-135-0x00007FF691AE0000-0x00007FF691E31000-memory.dmp upx
behavioral2/memory/1936-138-0x00007FF63B1F0000-0x00007FF63B541000-memory.dmp upx
behavioral2/memory/1936-139-0x00007FF63B1F0000-0x00007FF63B541000-memory.dmp upx
behavioral2/memory/4972-191-0x00007FF69E330000-0x00007FF69E681000-memory.dmp upx
behavioral2/memory/3400-193-0x00007FF7AB900000-0x00007FF7ABC51000-memory.dmp upx
behavioral2/memory/4824-206-0x00007FF7A9AF0000-0x00007FF7A9E41000-memory.dmp upx
behavioral2/memory/1776-214-0x00007FF73F7C0000-0x00007FF73FB11000-memory.dmp upx
behavioral2/memory/3144-213-0x00007FF712B60000-0x00007FF712EB1000-memory.dmp upx
behavioral2/memory/4700-216-0x00007FF6DD5B0000-0x00007FF6DD901000-memory.dmp upx
behavioral2/memory/1136-228-0x00007FF75E450000-0x00007FF75E7A1000-memory.dmp upx
behavioral2/memory/2404-230-0x00007FF76E830000-0x00007FF76EB81000-memory.dmp upx
behavioral2/memory/876-232-0x00007FF611E40000-0x00007FF612191000-memory.dmp upx
behavioral2/memory/4820-234-0x00007FF6C1FA0000-0x00007FF6C22F1000-memory.dmp upx
-
Drops file in Windows directory 21 IoCs
description ioc Process
File created C:\Windows\System\bZWUChq.exe 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\nZFLGnf.exe 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\eVWJdId.exe 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\hbwyyFA.exe 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\lLUrZGP.exe 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\dioKWDf.exe 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\AYFVATx.exe 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\BaLMWvK.exe 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\RcFOTMH.exe 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\SiUPAeO.exe 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\XpKyJpi.exe 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\nAiXdkx.exe 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\gkMSHoC.exe 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\XTwkKQo.exe 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\KpAggWA.exe 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\dGkAbDO.exe 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\BxwHviW.exe 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\NabdSfH.exe 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\ZXarzTp.exe 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\rFufkAx.exe 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\YFVmWYL.exe 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process
Token: SeLockMemoryPrivilege 1936 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege 1936 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe
-
Suspicious use of WriteProcessMemory 42 IoCs
description pid Process procid_target
PID 1936 wrote to memory of 4972 1936 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe 85
PID 1936 wrote to memory of 4972 1936 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe 85
PID 1936 wrote to memory of 3400 1936 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe 86
PID 1936 wrote to memory of 3400 1936 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe 86
PID 1936 wrote to memory of 4824 1936 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe 87
PID 1936 wrote to memory of 4824 1936 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe 87
PID 1936 wrote to memory of 3144 1936 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe 88
PID 1936 wrote to memory of 3144 1936 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe 88
PID 1936 wrote to memory of 1476 1936 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe 89
PID 1936 wrote to memory of 1476 1936 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe 89
PID 1936 wrote to memory of 1776 1936 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe 90
PID 1936 wrote to memory of 1776 1936 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe 90
PID 1936 wrote to memory of 4700 1936 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe 91
PID 1936 wrote to memory of 4700 1936 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe 91
PID 1936 wrote to memory of 2280 1936 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe 92
PID 1936 wrote to memory of 2280 1936 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe 92
PID 1936 wrote to memory of 2404 1936 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe 93
PID 1936 wrote to memory of 2404 1936 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe 93
PID 1936 wrote to memory of 1076 1936 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe 94
PID 1936 wrote to memory of 1076 1936 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe 94
PID 1936 wrote to memory of 4820 1936 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe 95
PID 1936 wrote to memory of 4820 1936 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe 95
PID 1936 wrote to memory of 876 1936 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe 96
PID 1936 wrote to memory of 876 1936 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe 96
PID 1936 wrote to memory of 4928 1936 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe 97
PID 1936 wrote to memory of 4928 1936 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe 97
PID 1936 wrote to memory of 1136 1936 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe 98
PID 1936 wrote to memory of 1136 1936 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe 98
PID 1936 wrote to memory of 4276 1936 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe 99
PID 1936 wrote to memory of 4276 1936 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe 99
PID 1936 wrote to memory of 3856 1936 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe 100
PID 1936 wrote to memory of 3856 1936 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe 100
PID 1936 wrote to memory of 1828 1936 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe 101
PID 1936 wrote to memory of 1828 1936 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe 101
PID 1936 wrote to memory of 2320 1936 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe 102
PID 1936 wrote to memory of 2320 1936 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe 102
PID 1936 wrote to memory of 3444 1936 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe 103
PID 1936 wrote to memory of 3444 1936 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe 103
PID 1936 wrote to memory of 4832 1936 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe 104
PID 1936 wrote to memory of 4832 1936 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe 104
PID 1936 wrote to memory of 3048 1936 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe 105
PID 1936 wrote to memory of 3048 1936 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe "C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe" (level 1)
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Windows\System\dioKWDf.exe C:\Windows\System\dioKWDf.exe (level 2)
- Executes dropped EXE
PID:4972
-
-
C:\Windows\System\dGkAbDO.exe C:\Windows\System\dGkAbDO.exe (level 2)
- Executes dropped EXE
PID:3400
-
-
C:\Windows\System\bZWUChq.exe C:\Windows\System\bZWUChq.exe (level 2)
- Executes dropped EXE
PID:4824
-
-
C:\Windows\System\nAiXdkx.exe C:\Windows\System\nAiXdkx.exe (level 2)
- Executes dropped EXE
PID:3144
-
-
C:\Windows\System\BxwHviW.exe C:\Windows\System\BxwHviW.exe (level 2)
- Executes dropped EXE
PID:1476
-
-
C:\Windows\System\AYFVATx.exe C:\Windows\System\AYFVATx.exe (level 2)
- Executes dropped EXE
PID:1776
-
-
C:\Windows\System\BaLMWvK.exe C:\Windows\System\BaLMWvK.exe (level 2)
- Executes dropped EXE
PID:4700
-
-
C:\Windows\System\nZFLGnf.exe C:\Windows\System\nZFLGnf.exe (level 2)
- Executes dropped EXE
PID:2280
-
-
C:\Windows\System\eVWJdId.exe C:\Windows\System\eVWJdId.exe (level 2)
- Executes dropped EXE
PID:2404
-
-
C:\Windows\System\gkMSHoC.exe C:\Windows\System\gkMSHoC.exe (level 2)
- Executes dropped EXE
PID:1076
-
-
C:\Windows\System\NabdSfH.exe C:\Windows\System\NabdSfH.exe (level 2)
- Executes dropped EXE
PID:4820
-
-
C:\Windows\System\RcFOTMH.exe C:\Windows\System\RcFOTMH.exe (level 2)
- Executes dropped EXE
PID:876
-
-
C:\Windows\System\ZXarzTp.exe C:\Windows\System\ZXarzTp.exe (level 2)
- Executes dropped EXE
PID:4928
-
-
C:\Windows\System\XTwkKQo.exe C:\Windows\System\XTwkKQo.exe (level 2)
- Executes dropped EXE
PID:1136
-
-
C:\Windows\System\hbwyyFA.exe C:\Windows\System\hbwyyFA.exe (level 2)
- Executes dropped EXE
PID:4276
-
-
C:\Windows\System\SiUPAeO.exe C:\Windows\System\SiUPAeO.exe (level 2)
- Executes dropped EXE
PID:3856
-
-
C:\Windows\System\rFufkAx.exe C:\Windows\System\rFufkAx.exe (level 2)
- Executes dropped EXE
PID:1828
-
-
C:\Windows\System\YFVmWYL.exe C:\Windows\System\YFVmWYL.exe (level 2)
- Executes dropped EXE
PID:2320
-
-
C:\Windows\System\KpAggWA.exe C:\Windows\System\KpAggWA.exe (level 2)
- Executes dropped EXE
PID:3444
-
-
C:\Windows\System\XpKyJpi.exe C:\Windows\System\XpKyJpi.exe (level 2)
- Executes dropped EXE
PID:4832
-
-
C:\Windows\System\lLUrZGP.exe C:\Windows\System\lLUrZGP.exe (level 2)
- Executes dropped EXE
PID:3048
-
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize
5.2MB
MD5 b22a605671e71f6fec34da692835cf9b
SHA1 1aa09dbb8c804db873a5670e50b8cd8f0a3c243a
SHA256 481f85bbc6e57169403d8faf16ae5eb912442ce3d73296cae3102ef153a68d74
SHA512 3012b27527706ae376886db708dc603134437f63ec081787c1711c41ef47fb23c07df56d41e39dced3a688baba18d0249d4b51c55da70dff6f18b9fbc6637bf7
-
Filesize
5.2MB
MD5 5c7a9eb27baf41bd10c0c59857ffc101
SHA1 6ce4e94ae9ee220c4a34188df0c3ce9a7706979a
SHA256 8f4eacc0cf2f7b41803b4dd9958535af711595b4011ef9692e4debfe1f0432f7
SHA512 351788bfa6be17ea411ac7558b8ff13854e223fb60542bc13e0422982adef715d6f5e5172b3d5e2ebe7440b82677a556d3b742e91ac211e03cdcef2a7ba502a1
-
Filesize
5.2MB
MD5 1fe3f4c70b409662980e63cc0528d7c4
SHA1 21dd63392fb55f454ee1ff5a257e887c30f0fb2d
SHA256 8e1032b3f9db429c87eb610c31c9625f84459dc93c50232b4d3fb1de896c73a1
SHA512 8b8cda9b0a427e7d3d666c3f7d5e6cc15c57a6c06e05362a7bfca30d1e067619ef7ce33fc21c93dbf61901c87a5ab7a8a5cadc5637f4145c916c63714d904b30
-
Filesize
5.2MB
MD5 bf0c8bfd7f22e6ff8e552a28e862fe48
SHA1 c460ab22a49c17daeb088a99bb52e40d28b4368b
SHA256 34edd75c920861f68d0f7fdb6e67a6039859431bc673fcc8ef897447e77d3473
SHA512 8e64027e0fff581c3af3328f7e4bd0c57d66d0414486f2e4b9d3cca2444701ffca730f897afcff820e7d0d5da59669af70b87ae2e139e2a221d8d219ccbb2186
-
Filesize
5.2MB
MD5 8bd0e9b54931884bb46b2d740a6514ef
SHA1 2ff2c8c63dd839afe3e7ae8990e370487e5fe1a7
SHA256 a510297fe96b37f880bef41578aff3c27ba0bc2e685d100999c2aef33c299f58
SHA512 1a1ec044228e933f7ab1f5a9854e56abbeba25f542af593b4f249473d7e7232fb137d1076e7ec0d5cb87f1fab481ff53933ce3b343915d52e139817825263f19
-
Filesize
5.2MB
MD5 f48157a9adff1091b37d4c7e4db4d78d
SHA1 929f0598320fe66b20db7c4df6b3e6590ac1ff2f
SHA256 63d109f1f03ce774eeff23e3c9a43d23ebe939b5b949a55d5d247495e5419c92
SHA512 f1a5dd1826992362ac753aaa9aba83c3e88e90f9817227b2a52be51c7f89f6a1228d759347b0f42314d393c944075b554d5154842709a9886d1debb4287c0d72
-
Filesize
5.2MB
MD5 2cfc7fc8fcd083ede56767e5de3838d2
SHA1 b406cf747831e78351df07ab4b655cd797f87ca7
SHA256 97b4c4f8d3c3a3896fc4a1f36f4c0b42823255a3c3e56d489783cf0cb335119e
SHA512 0981252e2a132711ab04c128bce674b96b3bcb43d16561a0c0ad947752b0939fa11ec48933d9bf070c21222cb2be7c6fb6d80d72e74336cf61c7f903d90a5455
-
Filesize
5.2MB
MD5 4c94fe49795e0d6be48022ad8b5902db
SHA1 fa1143dcca5089d2f0d3818521bb7e18d33585fa
SHA256 acdb3d95cf30e1372c05adc7b4d2c957a74d1eb47145c9aeaeef91a173454e8e
SHA512 6f9d582bfa7112414a2c0c5727e077321ffcc296e214e76ceb5bdea49586a40846f896d0d652daab2efaa2e8f281a823248c330065760ab69959455e5dd8bd02
-
Filesize
5.2MB
MD5 399e029107c74168559b21ac0d83efb5
SHA1 a6fcf4782af02f147a23d0850dfd8dc690f92970
SHA256 8077d2956bc4bb6905b71bc4b962c352c0eaf1ecd845042b6605d62573056a04
SHA512 f63c70b4226284fa5869fd34e8814770533721e0abab003e2e6f8013924e9de53d341633ec155fc8dbadda1878f8c69570ae978a92900b1d0a393789ea9e6bc6
-
Filesize
5.2MB
MD5 0dddfd823e31748767b1d701941e577a
SHA1 b64b12354b912d5aef54702e485970a63dffd64b
SHA256 afa9ecb554496dcbf700fe5c51b4e97013d0c0d262d40c81e6b917a21ae5c885
SHA512 f1c6213acace074511452636323e2be4207785140081670da2bbdf6dc04573626bbedf6bae42f9a3ed21ae88e1dee8c7ebfdfc294046b017222b8efc10f127a9
-
Filesize
5.2MB
MD5 1b190420d3e8e719fd17588b7dec41bb
SHA1 a575d19c2095919b3c81241cff683303b357d112
SHA256 027cb3972c5d368a50e2e1e32256de0d62ef73ecfae46bd0fef435e11092ef17
SHA512 8d5a2dbb42034721268e22a32c11970f50ed0f7683982d9d445b2e0f0d3ee43934d813efe9bb21d049400ba84c53cc111f0ca5d498edaab699c19a433039538a
-
Filesize
5.2MB
MD5 7df7c44b2a73500f44936264e179d93e
SHA1 6b376badba3082a1e6290172d86031e4573ff1d1
SHA256 3a43c2916988b2563faf4fbfa69d9f0ba22cc1986e5b9c5e4d28e27b9fc1c3a0
SHA512 368b07f4cd468ac6a8299cf067c9f524d898c7d30b0acf3f552ddff6d6ad5d8c05214aa730eddc355bd3ea2f38d7b1a84ce0c5fd61100d80d730275bd8f9ee84
-
Filesize
5.2MB
MD5 5773764c26ed9d5368519c905ca756fa
SHA1 f118f48fbe73f3feec8c450590068ded5075f0d8
SHA256 d3d71e53d38c07d04278616853415b97dd24177803c7a9aee2071dcf1d27d0b1
SHA512 2506aa18df9c0d54058b9dc0575639cdf80fda76954e282c22ce07fb2f8f22591725690a1e1e05b53734d072aa39ff2a10fc80b587003f9ac516fdceb66e3583
-
Filesize
5.2MB
MD5 39482f6df253b06f26e7df52b88f62cb
SHA1 844c011c8fe099a36ab0ff4bc2551d25e74fbe2f
SHA256 c74deb546ffb90e41fad9fac7cc03331b4e255623e687d7c58674f1493325b31
SHA512 81256c58df67a3eefd5386b02cf6a056f8c771f5d60fecfc4eaa1b0c57f53b55d656e5ffcb5f803ad397fb8d9e3ad994a316f9215c6346e2bd13c75df0ced48f
-
Filesize
5.2MB
MD5 0ef7f836c40f6a9ee72f186658caf266
SHA1 9e4fc784ad7e2ddd052c9052e6fab3cf72bf6364
SHA256 8c4a71c71b6287a6409ff7a6974d1f10afac0b0463c95163364361867fca8051
SHA512 e05956865482d3fcad12972da495192a93419239eb02f750e4270c1bb12b948e2c66aac8dbba17d1281a3bfe57d342cbc09adf0b4285275072e4b0486242119c
-
Filesize
5.2MB
MD5 9f3cac22287d5a7ca07391fe7eb5c48f
SHA1 589dca361830a0539bdb5eb411cc63a566e7d1d6
SHA256 cd7b723e1c256512923f36db40b97cc4a3ad3ef05713e7d87fd4625af3ee9a14
SHA512 d12fefe605a7415ebe739905ed4b897a267100ff044c6f1690e6a9c047359692ff51398959816a3e1a9501d84954634c27df311fea36011ce1adf9fc991aae76
-
Filesize
5.2MB
MD5 61cc04584aac211a6f70fa0b019b6536
SHA1 8ca7013c06a3a952c309a325242a0ab302a36b3b
SHA256 d52c9eed94e35ffb1ed46f5cdebefa0a94e64f0a0dcff49103cec498857c020c
SHA512 92752a680649b4acee36632c62788fff8296eac8fa7ca41e9be045348e66d6a97e2f910b768404aa49a6db8584a77a089e1d59e6e8710efc362fbce759a6bb4a
-
Filesize
5.2MB
MD5 c9f671b8a638c78c3bbb4d51ed34ec59
SHA1 c7e2ea688c6a6521c548d0a224240aa3c64ce024
SHA256 781f2605c85e391b04319f5cfebc3befca548084cd0488bbc29088d3ad4e81ad
SHA512 06240ed7eb9e8ce830998396d3bd7ea15f606b0f49014ec2a771a32795c2e00ba9a2df9810a9bae7fb3da79abf3e2306b2a374d1768011fdd6f7346b1a4eb940
-
Filesize
5.2MB
MD5 798776519caf580bc16b615ee42396a9
SHA1 b9701e5de037ba91c42b9de96c25047a1fcd9452
SHA256 92ff3dadcf213576eaa7242632b014853c985f0c268707894538a01543011480
SHA512 a80c597e217db1ee02cb9cf6e398a000709353119b28ace61995d04acbb8d6423e888012b6be5f7de0acd8f4342e7f7d98e31b2279394028bc3d9dc79e1f5e59
-
Filesize
5.2MB
MD5 2c1441bc0909cc8a0007c9468d4fe6a6
SHA1 47475b7decc703ad2248bfff39b8625b882bc9c2
SHA256 bbdfc2ba69408928a703b99571c92707f17b77c871c0f67688cdfeda70fe93ee
SHA512 c8ef2407a34d083bba08fde84a8fb826183b88ae6ad0c2bfdbf1e7bd2bafddd99e3ac089de056cf8942e3033e228d96fac4c250a9980edffd43573ad2f8a5eb6
-
Filesize
5.2MB
MD5 ace24cf805a15e0d7b56efa9e90d2fc9
SHA1 02e838588072b89202c2617b031ead98bcae891f
SHA256 dc661e1cad58b100e8cbb1fdd4118ceab5606ba2efc15163c621f8a806f18bd1
SHA512 5a71b619d4c223cbbf61f1ddcf010d53173c34ce550f533ab5b9f530d6af00a1b04815abf6b438b1f891e5f956d47e253e57c71b5789d93b9f3b29149324bf96