Analysis
max time kernel: 142s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 27/10/2024, 06:30
Behavioral task: behavioral1
Sample: 2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe
Resource: win7-20240903-en
General
Target: 2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe
Size: 5.2MB
MD5: 9948f7655658372d3a3a7dd21637236b
SHA1: 816c68239ebec26bca17dd8e50e0fcf3a1350e6d
SHA256: 392bb2b7c32e5344548d0dcebd59fdc44aaebba5b81aca573d8c898600e1e4b6
SHA512: a0cdfe1070b376ab1d1222a675f3e959de56c160af8c1f1b1e8ddf9fe8535f51c849000cd2d4fa27501db16fe07a60a92ba24d837ef53a00f5922615d26691f2
SSDEEP: 49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l0:RWWBibf56utgpPFotBER/mQ32lUo
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2:
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
Signatures

Cobalt Strike reflective loader (21 IoCs)
Detects the reflective loader used by Cobalt Strike.
resource  yara_rule
behavioral2/files/0x0008000000023c77-5.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023c7b-11.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023c7e-27.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023c85-65.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023c84-64.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023c81-57.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023c83-56.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023c82-53.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023c7f-48.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023c80-39.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023c7d-33.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023c7c-24.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023c8a-90.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023c89-118.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023c8d-116.dat  cobalt_reflective_dll
behavioral2/files/0x0008000000023c78-113.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023c8c-111.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023c88-107.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023c87-105.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023c86-103.dat  cobalt_reflective_dll
behavioral2/files/0x0007000000023c8b-97.dat  cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.

Cobaltstrike family

Xmrig family

XMRig Miner payload (45 IoCs)
resource  yara_rule
behavioral2/memory/2872-45-0x00007FF662730000-0x00007FF662A81000-memory.dmp  xmrig
behavioral2/memory/4244-74-0x00007FF6EA850000-0x00007FF6EABA1000-memory.dmp  xmrig
behavioral2/memory/4880-120-0x00007FF668F30000-0x00007FF669281000-memory.dmp  xmrig
behavioral2/memory/2956-122-0x00007FF672490000-0x00007FF6727E1000-memory.dmp  xmrig
behavioral2/memory/1292-121-0x00007FF7586E0000-0x00007FF758A31000-memory.dmp  xmrig
behavioral2/memory/1816-123-0x00007FF766590000-0x00007FF7668E1000-memory.dmp  xmrig
behavioral2/memory/4432-124-0x00007FF6AA0B0000-0x00007FF6AA401000-memory.dmp  xmrig
behavioral2/memory/1444-125-0x00007FF610A90000-0x00007FF610DE1000-memory.dmp  xmrig
behavioral2/memory/2524-126-0x00007FF699710000-0x00007FF699A61000-memory.dmp  xmrig
behavioral2/memory/2680-127-0x00007FF7954E0000-0x00007FF795831000-memory.dmp  xmrig
behavioral2/memory/3592-128-0x00007FF793450000-0x00007FF7937A1000-memory.dmp  xmrig
behavioral2/memory/2084-131-0x00007FF6435D0000-0x00007FF643921000-memory.dmp  xmrig
behavioral2/memory/3592-136-0x00007FF793450000-0x00007FF7937A1000-memory.dmp  xmrig
behavioral2/memory/3856-134-0x00007FF736050000-0x00007FF7363A1000-memory.dmp  xmrig
behavioral2/memory/1852-133-0x00007FF7C4F70000-0x00007FF7C52C1000-memory.dmp  xmrig
behavioral2/memory/4320-130-0x00007FF68B0E0000-0x00007FF68B431000-memory.dmp  xmrig
behavioral2/memory/944-129-0x00007FF6B3D20000-0x00007FF6B4071000-memory.dmp  xmrig
behavioral2/memory/2336-132-0x00007FF76E250000-0x00007FF76E5A1000-memory.dmp  xmrig
behavioral2/memory/3116-141-0x00007FF6E2B80000-0x00007FF6E2ED1000-memory.dmp  xmrig
behavioral2/memory/4764-145-0x00007FF77F440000-0x00007FF77F791000-memory.dmp  xmrig
behavioral2/memory/2656-143-0x00007FF7FC690000-0x00007FF7FC9E1000-memory.dmp  xmrig
behavioral2/memory/4588-142-0x00007FF6419D0000-0x00007FF641D21000-memory.dmp  xmrig
behavioral2/memory/2616-138-0x00007FF79B470000-0x00007FF79B7C1000-memory.dmp  xmrig
behavioral2/memory/3592-151-0x00007FF793450000-0x00007FF7937A1000-memory.dmp  xmrig
behavioral2/memory/944-213-0x00007FF6B3D20000-0x00007FF6B4071000-memory.dmp  xmrig
behavioral2/memory/4320-215-0x00007FF68B0E0000-0x00007FF68B431000-memory.dmp  xmrig
behavioral2/memory/2084-217-0x00007FF6435D0000-0x00007FF643921000-memory.dmp  xmrig
behavioral2/memory/2336-219-0x00007FF76E250000-0x00007FF76E5A1000-memory.dmp  xmrig
behavioral2/memory/2872-221-0x00007FF662730000-0x00007FF662A81000-memory.dmp  xmrig
behavioral2/memory/1852-223-0x00007FF7C4F70000-0x00007FF7C52C1000-memory.dmp  xmrig
behavioral2/memory/1816-227-0x00007FF766590000-0x00007FF7668E1000-memory.dmp  xmrig
behavioral2/memory/3856-226-0x00007FF736050000-0x00007FF7363A1000-memory.dmp  xmrig
behavioral2/memory/2616-231-0x00007FF79B470000-0x00007FF79B7C1000-memory.dmp  xmrig
behavioral2/memory/4244-229-0x00007FF6EA850000-0x00007FF6EABA1000-memory.dmp  xmrig
behavioral2/memory/4880-247-0x00007FF668F30000-0x00007FF669281000-memory.dmp  xmrig
behavioral2/memory/1444-250-0x00007FF610A90000-0x00007FF610DE1000-memory.dmp  xmrig
behavioral2/memory/1292-254-0x00007FF7586E0000-0x00007FF758A31000-memory.dmp  xmrig
behavioral2/memory/2956-256-0x00007FF672490000-0x00007FF6727E1000-memory.dmp  xmrig
behavioral2/memory/4764-258-0x00007FF77F440000-0x00007FF77F791000-memory.dmp  xmrig
behavioral2/memory/2680-252-0x00007FF7954E0000-0x00007FF795831000-memory.dmp  xmrig
behavioral2/memory/2524-249-0x00007FF699710000-0x00007FF699A61000-memory.dmp  xmrig
behavioral2/memory/2656-244-0x00007FF7FC690000-0x00007FF7FC9E1000-memory.dmp  xmrig
behavioral2/memory/4588-242-0x00007FF6419D0000-0x00007FF641D21000-memory.dmp  xmrig
behavioral2/memory/4432-240-0x00007FF6AA0B0000-0x00007FF6AA401000-memory.dmp  xmrig
behavioral2/memory/3116-239-0x00007FF6E2B80000-0x00007FF6E2ED1000-memory.dmp  xmrig

Executes dropped EXE (21 IoCs)
pid  Process
944  FiltYEg.exe
4320  Auhmvpm.exe
2084  qDyojyW.exe
2336  Xyiomhp.exe
1852  CtKzsgr.exe
3856  YNJhAEW.exe
2872  HjDdCrC.exe
1816  fVtVWim.exe
2616  PZbPtpM.exe
4244  GvQmHXp.exe
4432  ekMBouZ.exe
3116  fFIyMqz.exe
4588  MYNWPOM.exe
2656  BChxpqO.exe
1444  FLSXaLu.exe
4764  ZNXgVod.exe
2524  DsZyxxH.exe
4880  njEQiJe.exe
2680  DQHnbWi.exe
1292  rYwpRdF.exe
2956  hUfXJQA.exe

resource  yara_rule
behavioral2/memory/3592-0-0x00007FF793450000-0x00007FF7937A1000-memory.dmp  upx
behavioral2/files/0x0008000000023c77-5.dat  upx
behavioral2/files/0x0007000000023c7b-11.dat  upx
behavioral2/memory/944-9-0x00007FF6B3D20000-0x00007FF6B4071000-memory.dmp  upx
behavioral2/memory/2084-20-0x00007FF6435D0000-0x00007FF643921000-memory.dmp  upx
behavioral2/files/0x0007000000023c7e-27.dat  upx
behavioral2/memory/2336-30-0x00007FF76E250000-0x00007FF76E5A1000-memory.dmp  upx
behavioral2/files/0x0007000000023c85-65.dat  upx
behavioral2/files/0x0007000000023c84-64.dat  upx
behavioral2/memory/2616-63-0x00007FF79B470000-0x00007FF79B7C1000-memory.dmp  upx
behavioral2/files/0x0007000000023c81-57.dat  upx
behavioral2/files/0x0007000000023c83-56.dat  upx
behavioral2/files/0x0007000000023c82-53.dat  upx
behavioral2/files/0x0007000000023c7f-48.dat  upx
behavioral2/files/0x0007000000023c80-39.dat  upx
behavioral2/memory/2872-45-0x00007FF662730000-0x00007FF662A81000-memory.dmp  upx
behavioral2/memory/3856-44-0x00007FF736050000-0x00007FF7363A1000-memory.dmp  upx
behavioral2/memory/1852-34-0x00007FF7C4F70000-0x00007FF7C52C1000-memory.dmp  upx
behavioral2/files/0x0007000000023c7d-33.dat  upx
behavioral2/files/0x0007000000023c7c-24.dat  upx
behavioral2/memory/4320-12-0x00007FF68B0E0000-0x00007FF68B431000-memory.dmp  upx
behavioral2/memory/4244-74-0x00007FF6EA850000-0x00007FF6EABA1000-memory.dmp  upx
behavioral2/files/0x0007000000023c8a-90.dat  upx
behavioral2/files/0x0007000000023c89-118.dat  upx
behavioral2/files/0x0007000000023c8d-116.dat  upx
behavioral2/memory/4764-114-0x00007FF77F440000-0x00007FF77F791000-memory.dmp  upx
behavioral2/files/0x0008000000023c78-113.dat  upx
behavioral2/files/0x0007000000023c8c-111.dat  upx
behavioral2/files/0x0007000000023c88-107.dat  upx
behavioral2/files/0x0007000000023c87-105.dat  upx
behavioral2/files/0x0007000000023c86-103.dat  upx
behavioral2/memory/2656-98-0x00007FF7FC690000-0x00007FF7FC9E1000-memory.dmp  upx
behavioral2/files/0x0007000000023c8b-97.dat  upx
behavioral2/memory/4588-87-0x00007FF6419D0000-0x00007FF641D21000-memory.dmp  upx
behavioral2/memory/3116-86-0x00007FF6E2B80000-0x00007FF6E2ED1000-memory.dmp  upx
behavioral2/memory/4880-120-0x00007FF668F30000-0x00007FF669281000-memory.dmp  upx
behavioral2/memory/2956-122-0x00007FF672490000-0x00007FF6727E1000-memory.dmp  upx
behavioral2/memory/1292-121-0x00007FF7586E0000-0x00007FF758A31000-memory.dmp  upx
behavioral2/memory/1816-123-0x00007FF766590000-0x00007FF7668E1000-memory.dmp  upx
behavioral2/memory/4432-124-0x00007FF6AA0B0000-0x00007FF6AA401000-memory.dmp  upx
behavioral2/memory/1444-125-0x00007FF610A90000-0x00007FF610DE1000-memory.dmp  upx
behavioral2/memory/2524-126-0x00007FF699710000-0x00007FF699A61000-memory.dmp  upx
behavioral2/memory/2680-127-0x00007FF7954E0000-0x00007FF795831000-memory.dmp  upx
behavioral2/memory/3592-128-0x00007FF793450000-0x00007FF7937A1000-memory.dmp  upx
behavioral2/memory/2084-131-0x00007FF6435D0000-0x00007FF643921000-memory.dmp  upx
behavioral2/memory/3592-136-0x00007FF793450000-0x00007FF7937A1000-memory.dmp  upx
behavioral2/memory/3856-134-0x00007FF736050000-0x00007FF7363A1000-memory.dmp  upx
behavioral2/memory/1852-133-0x00007FF7C4F70000-0x00007FF7C52C1000-memory.dmp  upx
behavioral2/memory/4320-130-0x00007FF68B0E0000-0x00007FF68B431000-memory.dmp  upx
behavioral2/memory/944-129-0x00007FF6B3D20000-0x00007FF6B4071000-memory.dmp  upx
behavioral2/memory/2336-132-0x00007FF76E250000-0x00007FF76E5A1000-memory.dmp  upx
behavioral2/memory/3116-141-0x00007FF6E2B80000-0x00007FF6E2ED1000-memory.dmp  upx
behavioral2/memory/4764-145-0x00007FF77F440000-0x00007FF77F791000-memory.dmp  upx
behavioral2/memory/2656-143-0x00007FF7FC690000-0x00007FF7FC9E1000-memory.dmp  upx
behavioral2/memory/4588-142-0x00007FF6419D0000-0x00007FF641D21000-memory.dmp  upx
behavioral2/memory/2616-138-0x00007FF79B470000-0x00007FF79B7C1000-memory.dmp  upx
behavioral2/memory/3592-151-0x00007FF793450000-0x00007FF7937A1000-memory.dmp  upx
behavioral2/memory/944-213-0x00007FF6B3D20000-0x00007FF6B4071000-memory.dmp  upx
behavioral2/memory/4320-215-0x00007FF68B0E0000-0x00007FF68B431000-memory.dmp  upx
behavioral2/memory/2084-217-0x00007FF6435D0000-0x00007FF643921000-memory.dmp  upx
behavioral2/memory/2336-219-0x00007FF76E250000-0x00007FF76E5A1000-memory.dmp  upx
behavioral2/memory/2872-221-0x00007FF662730000-0x00007FF662A81000-memory.dmp  upx
behavioral2/memory/1852-223-0x00007FF7C4F70000-0x00007FF7C52C1000-memory.dmp  upx
behavioral2/memory/1816-227-0x00007FF766590000-0x00007FF7668E1000-memory.dmp  upx

Drops file in Windows directory (21 IoCs)
description  ioc  Process
File created  C:\Windows\System\fFIyMqz.exe  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\njEQiJe.exe  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\rYwpRdF.exe  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\hUfXJQA.exe  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\Xyiomhp.exe  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\GvQmHXp.exe  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\qDyojyW.exe  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\CtKzsgr.exe  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\HjDdCrC.exe  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\PZbPtpM.exe  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\BChxpqO.exe  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\DQHnbWi.exe  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\FiltYEg.exe  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\Auhmvpm.exe  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\ekMBouZ.exe  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\MYNWPOM.exe  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\FLSXaLu.exe  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\ZNXgVod.exe  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\DsZyxxH.exe  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\YNJhAEW.exe  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\fVtVWim.exe  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description  pid  Process
Token: SeLockMemoryPrivilege  3592  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege  3592  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory (42 IoCs)
description  pid  Process  procid_target
PID 3592 wrote to memory of 944  3592  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe  85
PID 3592 wrote to memory of 944  3592  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe  85
PID 3592 wrote to memory of 4320  3592  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe  86
PID 3592 wrote to memory of 4320  3592  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe  86
PID 3592 wrote to memory of 2084  3592  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe  87
PID 3592 wrote to memory of 2084  3592  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe  87
PID 3592 wrote to memory of 2336  3592  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe  88
PID 3592 wrote to memory of 2336  3592  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe  88
PID 3592 wrote to memory of 1852  3592  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe  89
PID 3592 wrote to memory of 1852  3592  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe  89
PID 3592 wrote to memory of 3856  3592  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe  90
PID 3592 wrote to memory of 3856  3592  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe  90
PID 3592 wrote to memory of 2872  3592  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe  91
PID 3592 wrote to memory of 2872  3592  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe  91
PID 3592 wrote to memory of 1816  3592  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe  92
PID 3592 wrote to memory of 1816  3592  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe  92
PID 3592 wrote to memory of 2616  3592  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe  93
PID 3592 wrote to memory of 2616  3592  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe  93
PID 3592 wrote to memory of 4244  3592  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe  94
PID 3592 wrote to memory of 4244  3592  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe  94
PID 3592 wrote to memory of 4432  3592  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe  95
PID 3592 wrote to memory of 4432  3592  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe  95
PID 3592 wrote to memory of 3116  3592  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe  96
PID 3592 wrote to memory of 3116  3592  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe  96
PID 3592 wrote to memory of 4588  3592  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe  97
PID 3592 wrote to memory of 4588  3592  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe  97
PID 3592 wrote to memory of 2656  3592  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe  98
PID 3592 wrote to memory of 2656  3592  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe  98
PID 3592 wrote to memory of 1444  3592  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe  99
PID 3592 wrote to memory of 1444  3592  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe  99
PID 3592 wrote to memory of 4764  3592  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe  100
PID 3592 wrote to memory of 4764  3592  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe  100
PID 3592 wrote to memory of 2524  3592  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe  101
PID 3592 wrote to memory of 2524  3592  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe  101
PID 3592 wrote to memory of 4880  3592  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe  102
PID 3592 wrote to memory of 4880  3592  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe  102
PID 3592 wrote to memory of 2680  3592  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe  103
PID 3592 wrote to memory of 2680  3592  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe  103
PID 3592 wrote to memory of 1292  3592  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe  104
PID 3592 wrote to memory of 1292  3592  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe  104
PID 3592 wrote to memory of 2956  3592  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe  105
PID 3592 wrote to memory of 2956  3592  2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe  105
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3592
  C:\Windows\System\FiltYEg.exe
    command line: C:\Windows\System\FiltYEg.exe
    - Executes dropped EXE
    PID:944
  C:\Windows\System\Auhmvpm.exe
    command line: C:\Windows\System\Auhmvpm.exe
    - Executes dropped EXE
    PID:4320
  C:\Windows\System\qDyojyW.exe
    command line: C:\Windows\System\qDyojyW.exe
    - Executes dropped EXE
    PID:2084
  C:\Windows\System\Xyiomhp.exe
    command line: C:\Windows\System\Xyiomhp.exe
    - Executes dropped EXE
    PID:2336
  C:\Windows\System\CtKzsgr.exe
    command line: C:\Windows\System\CtKzsgr.exe
    - Executes dropped EXE
    PID:1852
  C:\Windows\System\YNJhAEW.exe
    command line: C:\Windows\System\YNJhAEW.exe
    - Executes dropped EXE
    PID:3856
  C:\Windows\System\HjDdCrC.exe
    command line: C:\Windows\System\HjDdCrC.exe
    - Executes dropped EXE
    PID:2872
  C:\Windows\System\fVtVWim.exe
    command line: C:\Windows\System\fVtVWim.exe
    - Executes dropped EXE
    PID:1816
  C:\Windows\System\PZbPtpM.exe
    command line: C:\Windows\System\PZbPtpM.exe
    - Executes dropped EXE
    PID:2616
  C:\Windows\System\GvQmHXp.exe
    command line: C:\Windows\System\GvQmHXp.exe
    - Executes dropped EXE
    PID:4244
  C:\Windows\System\ekMBouZ.exe
    command line: C:\Windows\System\ekMBouZ.exe
    - Executes dropped EXE
    PID:4432
  C:\Windows\System\fFIyMqz.exe
    command line: C:\Windows\System\fFIyMqz.exe
    - Executes dropped EXE
    PID:3116
  C:\Windows\System\MYNWPOM.exe
    command line: C:\Windows\System\MYNWPOM.exe
    - Executes dropped EXE
    PID:4588
  C:\Windows\System\BChxpqO.exe
    command line: C:\Windows\System\BChxpqO.exe
    - Executes dropped EXE
    PID:2656
  C:\Windows\System\FLSXaLu.exe
    command line: C:\Windows\System\FLSXaLu.exe
    - Executes dropped EXE
    PID:1444
  C:\Windows\System\ZNXgVod.exe
    command line: C:\Windows\System\ZNXgVod.exe
    - Executes dropped EXE
    PID:4764
  C:\Windows\System\DsZyxxH.exe
    command line: C:\Windows\System\DsZyxxH.exe
    - Executes dropped EXE
    PID:2524
  C:\Windows\System\njEQiJe.exe
    command line: C:\Windows\System\njEQiJe.exe
    - Executes dropped EXE
    PID:4880
  C:\Windows\System\DQHnbWi.exe
    command line: C:\Windows\System\DQHnbWi.exe
    - Executes dropped EXE
    PID:2680
  C:\Windows\System\rYwpRdF.exe
    command line: C:\Windows\System\rYwpRdF.exe
    - Executes dropped EXE
    PID:1292
  C:\Windows\System\hUfXJQA.exe
    command line: C:\Windows\System\hUfXJQA.exe
    - Executes dropped EXE
    PID:2956
Downloads