Analysis
max time kernel: 149s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/10/2024, 06:36
Behavioral task: behavioral1
Sample: 2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe
Resource: win7-20240903-en
General
Target: 2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe
Size: 5.2MB
MD5: b3d35da5da48e4ced28158bef6ea655c
SHA1: 149f19200f8a34bcdb69a09b904a0a79192a7807
SHA256: 0cf3ef2b5d3a03e167031cf19840724f03214ba8cb1e9a59754fcfe2e5492e03
SHA512: 384d7e8a9399872bb138da11389a4bef77ee7a8ca55067619cee6e1fbfd44c6b45aaed627f15c9da3b61f2ad12d85fd2c032bf256cbfb0ff53652c23f836323a
SSDEEP: 49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l0:RWWBibf56utgpPFotBER/mQ32lUQ
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
Signatures
Cobalt Strike reflective loader (21 IoCs)
Detects the reflective loader used by Cobalt Strike.
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
Cobaltstrike family
Xmrig family
XMRig Miner payload (45 IoCs)
Executes dropped EXE (21 IoCs)
pid   Process
4520  REEvpab.exe
1140  HLxZxNg.exe
1728  cpQuocK.exe
5020  bsnFqyA.exe
5028  moCTHqA.exe
4480  wXDJfYR.exe
3608  fYdIJAb.exe
4980  uKIysLq.exe
4456  GNvyzoj.exe
2672  TZHSWgD.exe
3648  aPGTrEQ.exe
2780  QBXVDDS.exe
3616  JmrCQAc.exe
4868  qHLrMtQ.exe
3440  gDafbKx.exe
1112  gvidqzI.exe
3288  hLFMPXQ.exe
1388  mIPqLPP.exe
4924  QcPciEV.exe
1640  ozBMmoc.exe
3160  jaiWjkb.exe
Drops file in Windows directory (21 IoCs)
description   ioc   Process (the Process column is 2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe in every row)
File created  C:\Windows\System\gDafbKx.exe
File created  C:\Windows\System\ozBMmoc.exe
File created  C:\Windows\System\jaiWjkb.exe
File created  C:\Windows\System\moCTHqA.exe
File created  C:\Windows\System\wXDJfYR.exe
File created  C:\Windows\System\fYdIJAb.exe
File created  C:\Windows\System\QBXVDDS.exe
File created  C:\Windows\System\JmrCQAc.exe
File created  C:\Windows\System\cpQuocK.exe
File created  C:\Windows\System\uKIysLq.exe
File created  C:\Windows\System\mIPqLPP.exe
File created  C:\Windows\System\REEvpab.exe
File created  C:\Windows\System\HLxZxNg.exe
File created  C:\Windows\System\aPGTrEQ.exe
File created  C:\Windows\System\gvidqzI.exe
File created  C:\Windows\System\hLFMPXQ.exe
File created  C:\Windows\System\bsnFqyA.exe
File created  C:\Windows\System\GNvyzoj.exe
File created  C:\Windows\System\TZHSWgD.exe
File created  C:\Windows\System\qHLrMtQ.exe
File created  C:\Windows\System\QcPciEV.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description                   pid   Process
Token: SeLockMemoryPrivilege  4492  2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege  4492  2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe
Suspicious use of WriteProcessMemory (42 IoCs)
description   pid   Process   procid_target (pid is 4492 and Process is 2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe in every row)
PID 4492 wrote to memory of 4520  procid_target 87
PID 4492 wrote to memory of 4520  procid_target 87
PID 4492 wrote to memory of 1140  procid_target 88
PID 4492 wrote to memory of 1140  procid_target 88
PID 4492 wrote to memory of 1728  procid_target 89
PID 4492 wrote to memory of 1728  procid_target 89
PID 4492 wrote to memory of 5020  procid_target 90
PID 4492 wrote to memory of 5020  procid_target 90
PID 4492 wrote to memory of 5028  procid_target 91
PID 4492 wrote to memory of 5028  procid_target 91
PID 4492 wrote to memory of 4480  procid_target 92
PID 4492 wrote to memory of 4480  procid_target 92
PID 4492 wrote to memory of 3608  procid_target 94
PID 4492 wrote to memory of 3608  procid_target 94
PID 4492 wrote to memory of 4980  procid_target 95
PID 4492 wrote to memory of 4980  procid_target 95
PID 4492 wrote to memory of 4456  procid_target 96
PID 4492 wrote to memory of 4456  procid_target 96
PID 4492 wrote to memory of 2672  procid_target 97
PID 4492 wrote to memory of 2672  procid_target 97
PID 4492 wrote to memory of 3648  procid_target 98
PID 4492 wrote to memory of 3648  procid_target 98
PID 4492 wrote to memory of 2780  procid_target 99
PID 4492 wrote to memory of 2780  procid_target 99
PID 4492 wrote to memory of 3616  procid_target 100
PID 4492 wrote to memory of 3616  procid_target 100
PID 4492 wrote to memory of 4868  procid_target 101
PID 4492 wrote to memory of 4868  procid_target 101
PID 4492 wrote to memory of 3440  procid_target 102
PID 4492 wrote to memory of 3440  procid_target 102
PID 4492 wrote to memory of 1112  procid_target 103
PID 4492 wrote to memory of 1112  procid_target 103
PID 4492 wrote to memory of 3288  procid_target 104
PID 4492 wrote to memory of 3288  procid_target 104
PID 4492 wrote to memory of 1388  procid_target 107
PID 4492 wrote to memory of 1388  procid_target 107
PID 4492 wrote to memory of 4924  procid_target 108
PID 4492 wrote to memory of 4924  procid_target 108
PID 4492 wrote to memory of 1640  procid_target 109
PID 4492 wrote to memory of 1640  procid_target 109
PID 4492 wrote to memory of 3160  procid_target 110
PID 4492 wrote to memory of 3160  procid_target 110
Processes
[1] C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe (PID 4492)
    command line: "C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe"
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\System\REEvpab.exe (PID 4520)
        command line: C:\Windows\System\REEvpab.exe
        - Executes dropped EXE
    [2] C:\Windows\System\HLxZxNg.exe (PID 1140)
        command line: C:\Windows\System\HLxZxNg.exe
        - Executes dropped EXE
    [2] C:\Windows\System\cpQuocK.exe (PID 1728)
        command line: C:\Windows\System\cpQuocK.exe
        - Executes dropped EXE
    [2] C:\Windows\System\bsnFqyA.exe (PID 5020)
        command line: C:\Windows\System\bsnFqyA.exe
        - Executes dropped EXE
    [2] C:\Windows\System\moCTHqA.exe (PID 5028)
        command line: C:\Windows\System\moCTHqA.exe
        - Executes dropped EXE
    [2] C:\Windows\System\wXDJfYR.exe (PID 4480)
        command line: C:\Windows\System\wXDJfYR.exe
        - Executes dropped EXE
    [2] C:\Windows\System\fYdIJAb.exe (PID 3608)
        command line: C:\Windows\System\fYdIJAb.exe
        - Executes dropped EXE
    [2] C:\Windows\System\uKIysLq.exe (PID 4980)
        command line: C:\Windows\System\uKIysLq.exe
        - Executes dropped EXE
    [2] C:\Windows\System\GNvyzoj.exe (PID 4456)
        command line: C:\Windows\System\GNvyzoj.exe
        - Executes dropped EXE
    [2] C:\Windows\System\TZHSWgD.exe (PID 2672)
        command line: C:\Windows\System\TZHSWgD.exe
        - Executes dropped EXE
    [2] C:\Windows\System\aPGTrEQ.exe (PID 3648)
        command line: C:\Windows\System\aPGTrEQ.exe
        - Executes dropped EXE
    [2] C:\Windows\System\QBXVDDS.exe (PID 2780)
        command line: C:\Windows\System\QBXVDDS.exe
        - Executes dropped EXE
    [2] C:\Windows\System\JmrCQAc.exe (PID 3616)
        command line: C:\Windows\System\JmrCQAc.exe
        - Executes dropped EXE
    [2] C:\Windows\System\qHLrMtQ.exe (PID 4868)
        command line: C:\Windows\System\qHLrMtQ.exe
        - Executes dropped EXE
    [2] C:\Windows\System\gDafbKx.exe (PID 3440)
        command line: C:\Windows\System\gDafbKx.exe
        - Executes dropped EXE
    [2] C:\Windows\System\gvidqzI.exe (PID 1112)
        command line: C:\Windows\System\gvidqzI.exe
        - Executes dropped EXE
    [2] C:\Windows\System\hLFMPXQ.exe (PID 3288)
        command line: C:\Windows\System\hLFMPXQ.exe
        - Executes dropped EXE
    [2] C:\Windows\System\mIPqLPP.exe (PID 1388)
        command line: C:\Windows\System\mIPqLPP.exe
        - Executes dropped EXE
    [2] C:\Windows\System\QcPciEV.exe (PID 4924)
        command line: C:\Windows\System\QcPciEV.exe
        - Executes dropped EXE
    [2] C:\Windows\System\ozBMmoc.exe (PID 1640)
        command line: C:\Windows\System\ozBMmoc.exe
        - Executes dropped EXE
    [2] C:\Windows\System\jaiWjkb.exe (PID 3160)
        command line: C:\Windows\System\jaiWjkb.exe
        - Executes dropped EXE
Downloads