Analysis
max time kernel: 144s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/10/2024, 06:44
Behavioral task: behavioral1
Sample: 2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe
Resource: win7-20241023-en
Note: every result on this page is labelled behavioral2, i.e. the windows10-2004_x64 / win10v2004-20241007-en run named under platform and resource; the behavioral1 task on win7-20241023-en is listed but none of its results appear here.
General
Target: 2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe
Size: 5.2MB
MD5: d1b1378f02ba6a988d970e2a7bc1d661
SHA1: 4ff05c126719c11900c1ddc815b8c4ef8e0e4018
SHA256: 25476d0e8bc30105d04b4cbebb6f35bfd67aab9a3f3ec39c0d5d5d28ac871d14
SHA512: ddf105168da8c8fe6ec375098e5d9e96efb4136fdbba8799c31c809c2086155f08ba102d5fb0e70cf78e03182e777ffd0a4117a864cd2851efce3de0b01c550d
SSDEEP: 49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lH:RWWBibd56utgpPFotBER/mQ32lUz
Malware Config
Extracted
cobaltstrike
0
C2:
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
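The http_header1 and http_header2 values are Cobalt Strike Malleable C2 transform lists (big-endian 32-bit step IDs, some followed by a length-prefixed argument, terminated by a zero step), and state_machine is a zero-padded DER SubjectPublicKeyInfo carrying the beacon's RSA public key. The Python below is an editor's example added to this page; it is not part of the sandbox report or of any vendor tool. The step-ID table follows the public open-source Cobalt Strike config parsers and is an assumption rather than something this page states; so is the mapping of the build argument to the block it opens (0 = metadata in the GET transform; 0 = id and 1 = output in the POST transform), which comes from the Malleable C2 profile language. Decoded, the two blobs give constant Accept and Host: www.amazon.com headers, session metadata base64-encoded into a Cookie header assembled from session-token=, skin=noskin; and a csm-hit value, and a POST whose session id travels in the sn parameter; with the uri and user_agent fields this is the layout of the Amazon example profile that ships with Cobalt Strike. Two points for detection: the Host header names amazon.com, but the real peers are the three softline.top hosts on port 443 from the host and port_number fields, listed with an http:// scheme, so do not assume TLS from the port alone; and with watermark 0 there is no licence ID to pivot on, which makes a hash of the public key the practical clustering key for beacons from the same team server.

```python
import base64
import hashlib
import struct

# Values copied verbatim from the extracted config above.
HTTP_HEADER1 = "AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="
HTTP_HEADER2 = "AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA=="
STATE_MACHINE = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="

# Transform step IDs as used by the public open-source Cobalt Strike config
# parsers (assumed here; the report itself does not name them).
STEP_NAMES = {1: "append", 2: "prepend", 3: "base64", 4: "print", 5: "parameter",
              6: "header", 7: "build", 8: "netbios", 9: "const_parameter",
              10: "const_header", 11: "netbiosu", 12: "uri_append",
              13: "base64url", 14: "strrep", 15: "mask", 16: "const_host_header"}
STRING_ARG = {1, 2, 5, 6, 9, 10, 16}          # steps followed by one length-prefixed string
TERMINATORS = {"print", "header", "parameter", "uri_append"}  # statements that end a block


def _b64(s):
    # The sandbox pads each value with zero bytes; drop that padding ('A' is six zero
    # bits) and re-pad to a multiple of four so any amount of trailing padding decodes.
    s = s.rstrip("=").rstrip("A")
    return base64.b64decode(s + "A" * (-len(s) % 4))


def _u32(data, pos):
    return struct.unpack_from(">I", data, pos)[0]


def _string(data, pos):
    n = _u32(data, pos)
    return data[pos + 4:pos + 4 + n].decode("latin-1"), pos + 4 + n


def decode_transforms(b64):
    """Return [(step_name, argument)] for one Malleable C2 transform blob."""
    data, steps, pos = _b64(b64), [], 0
    while pos + 4 <= len(data):
        step = _u32(data, pos)
        pos += 4
        if step == 0:                              # zero step terminates the list
            break
        name = STEP_NAMES.get(step, "unknown_%d" % step)
        if step in STRING_ARG:
            arg, pos = _string(data, pos)
        elif step == 7:                            # build <n>: which block the next steps shape
            arg, pos = _u32(data, pos), pos + 4
        elif step == 14:                           # strrep "old" "new"
            old, pos = _string(data, pos)
            new, pos = _string(data, pos)
            arg = (old, new)
        else:
            arg = None
        steps.append((name, arg))
    return steps


def render_steps(steps, build_names):
    """Lay the steps out like a Malleable C2 client block. build_names maps the build
    argument to the block it opens (GET: {0: "metadata"}; POST: {0: "id", 1: "output"})."""
    out, indent = [], ""
    for name, arg in steps:
        if name == "build":
            out.append("%s {" % build_names.get(arg, "build%d" % arg))
            indent = "    "
            continue
        if arg is None:
            out.append("%s%s;" % (indent, name))
        else:
            out.append('%s%s "%s";' % (indent, name, arg))
        if name in TERMINATORS and indent:         # a terminating statement closes the block
            out.append("}")
            indent = ""
    return "\n".join(out)


def _der(buf, pos):
    """Minimal DER TLV reader: (tag, value, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_public_key(b64):
    """Parse the zero-padded RSA SubjectPublicKeyInfo stored in state_machine."""
    raw = _b64(b64)
    tag, spki, end = _der(raw, 0)                  # outer SEQUENCE; bytes past `end` are padding
    if tag != 0x30:
        raise ValueError("state_machine is not a DER SEQUENCE")
    _, _, p = _der(spki, 0)                        # AlgorithmIdentifier (rsaEncryption, NULL)
    _, bits, _ = _der(spki, p)                     # BIT STRING; bits[0] is the unused-bit count
    _, rsa, _ = _der(bits, 1)                      # RSAPublicKey ::= SEQUENCE { n, e }
    _, n, p = _der(rsa, 0)
    _, e, _ = _der(rsa, p)
    return {"bits": int.from_bytes(n, "big").bit_length(),
            "exponent": int.from_bytes(e, "big"),
            "sha256": hashlib.sha256(raw[:end]).hexdigest()}   # clustering pivot for the team server


if __name__ == "__main__":
    print(render_steps(decode_transforms(HTTP_HEADER1), {0: "metadata"}))
    print(render_steps(decode_transforms(HTTP_HEADER2), {0: "id", 1: "output"}))
    print(parse_public_key(STATE_MACHINE))
```

Run directly, it prints both transform lists in profile-like form and the key summary (a 1024-bit modulus with public exponent 65537, plus the SHA-256 of the DER key). To apply it to another report, paste that report's three fields into the constants; the decoder stops at the first zero step and the key parser at the end of the outer SEQUENCE, so the trailing padding is ignored either way.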
Signatures
Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
yara_rule cobalt_reflective_dll matched on these resources:
behavioral2/files/0x000b000000023c75-4.dat
behavioral2/files/0x0008000000023ca5-12.dat
behavioral2/files/0x0007000000023ca9-21.dat
behavioral2/files/0x0007000000023caa-24.dat
behavioral2/files/0x0007000000023cac-40.dat
behavioral2/files/0x0007000000023cad-44.dat
behavioral2/files/0x0007000000023cb3-89.dat
behavioral2/files/0x0007000000023cb7-100.dat
behavioral2/files/0x0007000000023cb5-106.dat
behavioral2/files/0x0007000000023cb6-108.dat
behavioral2/files/0x0007000000023cb4-92.dat
behavioral2/files/0x0008000000023ca6-86.dat
behavioral2/files/0x0007000000023cb2-84.dat
behavioral2/files/0x0007000000023cb1-72.dat
behavioral2/files/0x0007000000023cb0-68.dat
behavioral2/files/0x0007000000023caf-60.dat
behavioral2/files/0x0007000000023cae-57.dat
behavioral2/files/0x0007000000023cab-33.dat
behavioral2/files/0x0007000000023cb8-115.dat
behavioral2/files/0x0007000000023cba-123.dat
behavioral2/files/0x0007000000023cbb-126.dat
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
Cobaltstrike family
Xmrig family
XMRig Miner payload 49 IoCs
yara_rule xmrig matched on memory dumps of every process in the tree. One row per pid: the mapped image range, then the ids N of the matching dumps (resource paths are behavioral2/memory/<pid>-N-<range>-memory.dmp).
4232  0x00007FF7E9580000-0x00007FF7E98D1000  dumps 71, 134, 155, 178
2660  0x00007FF71A530000-0x00007FF71A881000  dumps 8, 103, 221
4116  0x00007FF69BE50000-0x00007FF69C1A1000  dumps 17, 104, 223
2008  0x00007FF7A5EF0000-0x00007FF7A6241000  dumps 119, 225
3016  0x00007FF7ABC20000-0x00007FF7ABF71000  dumps 122, 229
4064  0x00007FF62EB30000-0x00007FF62EE81000  dumps 130, 228
2640  0x00007FF6B9DC0000-0x00007FF6BA111000  dumps 145, 232
1848  0x00007FF7D36D0000-0x00007FF7D3A21000  dumps 141, 233
2192  0x00007FF6A6BB0000-0x00007FF6A6F01000  dumps 142, 236
1272  0x00007FF683060000-0x00007FF6833B1000  dumps 143, 237
2948  0x00007FF62DF20000-0x00007FF62E271000  dumps 144, 239
3592  0x00007FF689890000-0x00007FF689BE1000  dumps 146, 243
4124  0x00007FF631D00000-0x00007FF632051000  dumps 147, 250
2980  0x00007FF67EA30000-0x00007FF67ED81000  dumps 98, 247
5040  0x00007FF771760000-0x00007FF771AB1000  dumps 105, 251
2860  0x00007FF6861E0000-0x00007FF686531000  dumps 99, 245
1316  0x00007FF61F5C0000-0x00007FF61F911000  dumps 151, 253
4448  0x00007FF6A4E00000-0x00007FF6A5151000  dumps 152, 255
468   0x00007FF6E1880000-0x00007FF6E1BD1000  dumps 153, 257
2824  0x00007FF632490000-0x00007FF6327E1000  dumps 125, 263
4092  0x00007FF6B6920000-0x00007FF6B6C71000  dumps 129, 154, 265
1760  0x00007FF680D00000-0x00007FF681051000  dumps 159, 267
Executes dropped EXE 21 IoCs
pid   Process
2660  eTJKjae.exe
4116  caSuaKT.exe
2008  rfCzoOT.exe
3016  lMqZzWH.exe
4064  LnIKSLG.exe
2640  WOiOpCo.exe
1848  TOSEumu.exe
2192  wRLLqvx.exe
1272  fwHusQD.exe
2948  uXfDJcJ.exe
3592  KgowPDD.exe
4124  nljyViO.exe
2980  NSpspFa.exe
5040  EorhFsS.exe
2860  cFixHKi.exe
1316  LUUIHhr.exe
4448  omCaskv.exe
468   JRZOHUQ.exe
2824  hMMTHJU.exe
4092  HeZGVNK.exe
1760  LSTzAbh.exe
yara_rule upx
Matched on the same 21 dropped files as the cobalt_reflective_dll rule above:
behavioral2/files/0x000b000000023c75-4.dat
behavioral2/files/0x0008000000023ca5-12.dat
behavioral2/files/0x0007000000023ca9-21.dat
behavioral2/files/0x0007000000023caa-24.dat
behavioral2/files/0x0007000000023cac-40.dat
behavioral2/files/0x0007000000023cad-44.dat
behavioral2/files/0x0007000000023cb3-89.dat
behavioral2/files/0x0007000000023cb7-100.dat
behavioral2/files/0x0007000000023cb5-106.dat
behavioral2/files/0x0007000000023cb6-108.dat
behavioral2/files/0x0007000000023cb4-92.dat
behavioral2/files/0x0008000000023ca6-86.dat
behavioral2/files/0x0007000000023cb2-84.dat
behavioral2/files/0x0007000000023cb1-72.dat
behavioral2/files/0x0007000000023cb0-68.dat
behavioral2/files/0x0007000000023caf-60.dat
behavioral2/files/0x0007000000023cae-57.dat
behavioral2/files/0x0007000000023cab-33.dat
behavioral2/files/0x0007000000023cb8-115.dat
behavioral2/files/0x0007000000023cba-123.dat
behavioral2/files/0x0007000000023cbb-126.dat
and on memory dumps of every process in the tree (pid, mapped image range, ids N of the matching behavioral2/memory/<pid>-N-<range>-memory.dmp dumps):
4232  0x00007FF7E9580000-0x00007FF7E98D1000  dumps 0, 71, 134, 155, 178
2660  0x00007FF71A530000-0x00007FF71A881000  dumps 8, 103
4116  0x00007FF69BE50000-0x00007FF69C1A1000  dumps 17, 104
2008  0x00007FF7A5EF0000-0x00007FF7A6241000  dumps 19, 119
3016  0x00007FF7ABC20000-0x00007FF7ABF71000  dumps 27, 122
4064  0x00007FF62EB30000-0x00007FF62EE81000  dumps 29, 130
2640  0x00007FF6B9DC0000-0x00007FF6BA111000  dumps 37, 145
1848  0x00007FF7D36D0000-0x00007FF7D3A21000  dumps 41, 141
2192  0x00007FF6A6BB0000-0x00007FF6A6F01000  dumps 53, 142
1272  0x00007FF683060000-0x00007FF6833B1000  dumps 55, 143
2948  0x00007FF62DF20000-0x00007FF62E271000  dumps 56, 144
3592  0x00007FF689890000-0x00007FF689BE1000  dumps 80, 146
4124  0x00007FF631D00000-0x00007FF632051000  dumps 87, 147
2980  0x00007FF67EA30000-0x00007FF67ED81000  dumps 98
5040  0x00007FF771760000-0x00007FF771AB1000  dumps 105
2860  0x00007FF6861E0000-0x00007FF686531000  dumps 99
1316  0x00007FF61F5C0000-0x00007FF61F911000  dumps 101, 151
4448  0x00007FF6A4E00000-0x00007FF6A5151000  dumps 102, 152
468   0x00007FF6E1880000-0x00007FF6E1BD1000  dumps 109, 153
2824  0x00007FF632490000-0x00007FF6327E1000  dumps 125
4092  0x00007FF6B6920000-0x00007FF6B6C71000  dumps 129, 154
1760  0x00007FF680D00000-0x00007FF681051000  dumps 133, 159
Drops file in Windows directory 21 IoCs
All 21 files were created by 2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe (the submitted sample, PID 4232):
C:\Windows\System\wRLLqvx.exe
C:\Windows\System\EorhFsS.exe
C:\Windows\System\hMMTHJU.exe
C:\Windows\System\caSuaKT.exe
C:\Windows\System\rfCzoOT.exe
C:\Windows\System\uXfDJcJ.exe
C:\Windows\System\nljyViO.exe
C:\Windows\System\omCaskv.exe
C:\Windows\System\LSTzAbh.exe
C:\Windows\System\lMqZzWH.exe
C:\Windows\System\TOSEumu.exe
C:\Windows\System\WOiOpCo.exe
C:\Windows\System\fwHusQD.exe
C:\Windows\System\KgowPDD.exe
C:\Windows\System\NSpspFa.exe
C:\Windows\System\cFixHKi.exe
C:\Windows\System\LUUIHhr.exe
C:\Windows\System\eTJKjae.exe
C:\Windows\System\LnIKSLG.exe
C:\Windows\System\JRZOHUQ.exe
C:\Windows\System\HeZGVNK.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Token: SeLockMemoryPrivilege, pid 4232, process 2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe (recorded twice)
SeLockMemoryPrivilege is the privilege Windows requires for large-page allocations; XMRig requests it to back its hashing scratchpad with huge pages, which is consistent with the xmrig YARA hits on this process's memory.
Suspicious use of WriteProcessMemory 42 IoCs
Every entry has pid 4232 and Process 2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe; each write is recorded twice. Target pid (procid_target):
2660 (85) x2
4116 (86) x2
2008 (87) x2
3016 (88) x2
4064 (89) x2
2640 (90) x2
1848 (91) x2
2192 (92) x2
1272 (93) x2
2948 (94) x2
3592 (95) x2
4124 (96) x2
2980 (97) x2
5040 (98) x2
2860 (99) x2
1316 (100) x2
4448 (101) x2
468 (102) x2
2824 (103) x2
4092 (104) x2
1760 (105) x2
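The three signatures above describe one pattern: process 4232 writes 21 executables into C:\Windows\System and launches each of them (the WriteProcessMemory entries pair 4232 with every child PID). An endpoint detection for that pattern has to correlate file-create and process-create telemetry by creator PID and path, and has to tolerate the single drop-and-run that legitimate installers perform. The Python below is an editor's example added to this page, not part of the report: it runs that correlation over constructed Sysmon-style records (EventID 11 FileCreate, EventID 1 ProcessCreate, one JSON object per line). The field names follow Sysmon's; the JSON-lines layout and every PID, path and timestamp in the sample are invented for the example. A creator is flagged only when it drops at least MIN_HITS executables under C:\Windows\System\ and starts each one within WINDOW of creating it; the trailing separator in WATCH_DIR keeps C:\Windows\System32 from matching.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

WATCH_DIR = "c:\\windows\\system\\"      # trailing separator: System32 must not match
WINDOW = timedelta(seconds=30)            # drop-to-execute delay considered "immediate"
MIN_HITS = 2                              # one drop-and-run is common for installers; many is not

# Constructed Sysmon-style records for this example (not taken from the report).
# EventID 11 = FileCreate, EventID 1 = ProcessCreate.
SAMPLE_EVENTS = [
    {"EventID": 11, "UtcTime": "2024-10-27 06:45:01.100", "ProcessId": 4232,
     "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe",
     "TargetFilename": "C:\\Windows\\System\\eTJKjae.exe"},
    {"EventID": 1, "UtcTime": "2024-10-27 06:45:01.400", "ProcessId": 2660, "ParentProcessId": 4232,
     "Image": "C:\\Windows\\System\\eTJKjae.exe"},
    {"EventID": 11, "UtcTime": "2024-10-27 06:45:01.700", "ProcessId": 4232,
     "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe",
     "TargetFilename": "C:\\Windows\\System\\caSuaKT.exe"},
    {"EventID": 1, "UtcTime": "2024-10-27 06:45:02.000", "ProcessId": 4116, "ParentProcessId": 4232,
     "Image": "C:\\Windows\\System\\caSuaKT.exe"},
    # Installer writing to System32: outside the watched directory, must not alert.
    {"EventID": 11, "UtcTime": "2024-10-27 06:50:00.000", "ProcessId": 900,
     "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetFilename": "C:\\Windows\\System32\\vendor.exe"},
    {"EventID": 1, "UtcTime": "2024-10-27 06:50:00.500", "ProcessId": 901, "ParentProcessId": 900,
     "Image": "C:\\Windows\\System32\\vendor.exe"},
    # One drop executed ten minutes later: outside WINDOW and below MIN_HITS.
    {"EventID": 11, "UtcTime": "2024-10-27 07:00:00.000", "ProcessId": 1500,
     "Image": "C:\\Program Files\\Updater\\updater.exe",
     "TargetFilename": "C:\\Windows\\System\\late.exe"},
    {"EventID": 1, "UtcTime": "2024-10-27 07:10:00.000", "ProcessId": 1501, "ParentProcessId": 1500,
     "Image": "C:\\Windows\\System\\late.exe"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)   # one JSON object per line


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def find_drop_and_exec(events, window=WINDOW, min_hits=MIN_HITS):
    """Correlate each FileCreate under WATCH_DIR with a later ProcessCreate of the same
    path whose parent is the creator. Returns {creator_pid: [executed paths]} for
    creators that reach min_hits."""
    created = {}                                  # (creator pid, lowercased path) -> create time
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: _ts(e["UtcTime"])):
        t = _ts(ev["UtcTime"])
        if ev["EventID"] == 11:
            path = ev["TargetFilename"].lower()
            if path.startswith(WATCH_DIR) and path.endswith(".exe"):
                created[(ev["ProcessId"], path)] = t
        elif ev["EventID"] == 1:
            t0 = created.get((ev.get("ParentProcessId"), ev["Image"].lower()))
            if t0 is not None and t - t0 <= window:
                hits[ev["ParentProcessId"]].append(ev["Image"])
    return {pid: paths for pid, paths in hits.items() if len(paths) >= min_hits}


def scan_jsonl(lines, **kw):
    """Parse JSON-lines telemetry and run the correlation; malformed lines are skipped."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except ValueError:
            continue
    return find_drop_and_exec(events, **kw)


if __name__ == "__main__":
    for pid, paths in scan_jsonl(SAMPLE_LOG.splitlines()).items():
        print("PID %d dropped and executed %d files under %s:" % (pid, len(paths), WATCH_DIR))
        for p in paths:
            print("   ", p)
```

Against the sample log only PID 4232 is reported, with both executables it dropped; the System32 write and the ten-minute-old drop are ignored. Tune WINDOW and MIN_HITS to the environment: raising MIN_HITS suppresses single-file installers, and widening WINDOW catches droppers that stage first and execute later.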
Processes
[1] C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe (PID 4232)
    command line: "C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe"
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\System\eTJKjae.exe (PID 2660) - Executes dropped EXE
        command line: C:\Windows\System\eTJKjae.exe
    [2] C:\Windows\System\caSuaKT.exe (PID 4116) - Executes dropped EXE
        command line: C:\Windows\System\caSuaKT.exe
    [2] C:\Windows\System\rfCzoOT.exe (PID 2008) - Executes dropped EXE
        command line: C:\Windows\System\rfCzoOT.exe
    [2] C:\Windows\System\lMqZzWH.exe (PID 3016) - Executes dropped EXE
        command line: C:\Windows\System\lMqZzWH.exe
    [2] C:\Windows\System\LnIKSLG.exe (PID 4064) - Executes dropped EXE
        command line: C:\Windows\System\LnIKSLG.exe
    [2] C:\Windows\System\WOiOpCo.exe (PID 2640) - Executes dropped EXE
        command line: C:\Windows\System\WOiOpCo.exe
    [2] C:\Windows\System\TOSEumu.exe (PID 1848) - Executes dropped EXE
        command line: C:\Windows\System\TOSEumu.exe
    [2] C:\Windows\System\wRLLqvx.exe (PID 2192) - Executes dropped EXE
        command line: C:\Windows\System\wRLLqvx.exe
    [2] C:\Windows\System\fwHusQD.exe (PID 1272) - Executes dropped EXE
        command line: C:\Windows\System\fwHusQD.exe
    [2] C:\Windows\System\uXfDJcJ.exe (PID 2948) - Executes dropped EXE
        command line: C:\Windows\System\uXfDJcJ.exe
    [2] C:\Windows\System\KgowPDD.exe (PID 3592) - Executes dropped EXE
        command line: C:\Windows\System\KgowPDD.exe
    [2] C:\Windows\System\nljyViO.exe (PID 4124) - Executes dropped EXE
        command line: C:\Windows\System\nljyViO.exe
    [2] C:\Windows\System\NSpspFa.exe (PID 2980) - Executes dropped EXE
        command line: C:\Windows\System\NSpspFa.exe
    [2] C:\Windows\System\EorhFsS.exe (PID 5040) - Executes dropped EXE
        command line: C:\Windows\System\EorhFsS.exe
    [2] C:\Windows\System\cFixHKi.exe (PID 2860) - Executes dropped EXE
        command line: C:\Windows\System\cFixHKi.exe
    [2] C:\Windows\System\LUUIHhr.exe (PID 1316) - Executes dropped EXE
        command line: C:\Windows\System\LUUIHhr.exe
    [2] C:\Windows\System\omCaskv.exe (PID 4448) - Executes dropped EXE
        command line: C:\Windows\System\omCaskv.exe
    [2] C:\Windows\System\JRZOHUQ.exe (PID 468) - Executes dropped EXE
        command line: C:\Windows\System\JRZOHUQ.exe
    [2] C:\Windows\System\hMMTHJU.exe (PID 2824) - Executes dropped EXE
        command line: C:\Windows\System\hMMTHJU.exe
    [2] C:\Windows\System\HeZGVNK.exe (PID 4092) - Executes dropped EXE
        command line: C:\Windows\System\HeZGVNK.exe
    [2] C:\Windows\System\LSTzAbh.exe (PID 1760) - Executes dropped EXE
        command line: C:\Windows\System\LSTzAbh.exe
Network
MITRE ATT&CK Matrix
Downloads
21 entries, all 5.2MB (the size of the submitted sample), each with a distinct hash; the count matches the 21 executables dropped into C:\Windows\System above, so the copies are not byte-identical to the sample or to one another.

Filesize: 5.2MB
MD5: d635b33c67eaf598e4ff9b27281e5cdf
SHA1: 15132dd008e21cff75eb273461f9bb1aa684e1da
SHA256: d5731cf0ed4273ed7b5f2468f37ac60fb2b12cbb844bb274f5234d1cbf4bbcc9
SHA512: 394a3ea82714d6553e972c748c3053eb200697342adb431c504d1114aadea605772d26a5c1036746e36a7f0ec29d91b6bb03ccf15054238fca447d1d36d892c7

Filesize: 5.2MB
MD5: 5ae99ebac97340823a9790e5fef8c38b
SHA1: 47aad008c47850d6006e64cf8b0a68640ff2b616
SHA256: df111c848b3e1d38f128ee51f12452b0317ff8f6c1a1cefc9d1fd79c052a616a
SHA512: 6cce6e420970b3152d6c795d78819a311fa1311ab02838b6c784c7714444425584474cf25665986690653fd41cbadceb6e77c1a99702e9776aa7a5f7a36b33df

Filesize: 5.2MB
MD5: 8850f5d5d50b724ac02eaa1cf898460f
SHA1: 6e555dd8a79b895479752a83db7fd7ed7dd2da5c
SHA256: b9471ad9ce6379e01967c6fb7fc019d67f51c2ac52944aa1016f8d8d38098efb
SHA512: e8382fe0347442cf423948e07dc30e3c6adf6da69851146337b733550bbe6ecc87fa7b017f267c8d8b25909b72a54f05da8500fd4d8f198e43f0f7377066746b

Filesize: 5.2MB
MD5: 3229ba6c46608ed83f496fa329f7bec6
SHA1: ffe9b3b34a90aa1102933f3a392bcd7c2476e2a6
SHA256: 00f31e8fe142258dce08614601e4f24aed57e50209cbcba2c5d7b9ae1601377f
SHA512: ed711da86039a94329336087ab906f1b062522fb6c8c34282e38e55de6e36a7f1be4f1a8812af39de62e76a193715c7dd2fabea21fb317b4e06bada33d09dc06

Filesize: 5.2MB
MD5: ceaeb28848711d83ca3b8b4414839e40
SHA1: 93a0d970f23918d444cf722c560c10dd3cfce232
SHA256: 1cf3b4539dcbff47aaf39000d12e133e279e45d871f2ea6a76f282291121c735
SHA512: aad28cd5c7014f7e0a444257355e90e4c150c708257301cb99af3001b1f35ae9510d06074853e79c0d1386abbc9976db9b4bc45ef7dc2f93522c231e13dde3c9

Filesize: 5.2MB
MD5: 925602a9d3ead9e366a404336f3185cf
SHA1: bdbae2e2ccf6dfa65c9f6b5f50f5c8c63036a9e7
SHA256: 362b6d2d60742ac9c91efad72e12574f69b6823aac099af1e9101f1b71f9d262
SHA512: 32495e25d3a0977254da9888a4160e777f6b0c3182199eae93ee2d4dba707eada006384c902dbcf13581214f73aa48c1ecb1e948d79ab6020e6a7de7c6e5db32

Filesize: 5.2MB
MD5: c6e95377072358030e1c9ec11ae3b4ff
SHA1: 040a012a25fc978c9fbc5ab6870ca8ea1d63fb4f
SHA256: 842dfb0bcdc0f03f1bd7709778fdc5268eff3026bfd51e8f041984bb38ccb289
SHA512: 311bd9b95bb878723a4cf3d853d4fd55f686b59729e0b9552206191262611f3faf0e70fa7f1b77a951ddcfaf2f88159e171ab1f37fcdabb24622a8b553c70435

Filesize: 5.2MB
MD5: 56b61729e58617b403f15a051b3a569f
SHA1: 02b807440ad41a387db057f43edbd4931f2ac62c
SHA256: 2d1a04532a31039d63f0a9d4cd2b8437614a822a401997dd56fcf7733b5717f2
SHA512: 601a3fd4eff16e893da265676973c0194d4527459c8bc93347d50904be8b17a301dda53486286d34e1fcef6c73d3e2880bcdf13c730088f5fbd9ceee18572adf

Filesize: 5.2MB
MD5: 6978241ab22a6163026f28138f7ab81a
SHA1: 6c2e15b7b1b068d4a6221d6991a1e7e062f7707f
SHA256: 5776031cda5eded2eff4a0c83a1fa47ebd1fafe5d120e2fc24c7c1b4db3d889b
SHA512: a67dbe202ed7466e0e4ef8b9cf1d88ded57acf47be77baf2096e4e7233a0b60f65eaaba1288faf78ddf42dc978528bb2bfcd9ba7a66f2be8f66cd0967e9620b8

Filesize: 5.2MB
MD5: 61706d96cdc7ecac81a0b6ead9f2cf83
SHA1: daa3ee5b5e2a46fa5ad9c9eaf7f13b1fd757105c
SHA256: 2bebc59fd9dd16a5cf539bb5d717ed95603d27bec59abc19211582451b6e346a
SHA512: 30855b477bf77bb48d46f42109feaf94726f278aabd76cbd06fb8810f9a6975726fe0081219bf8ad2735aa5e5cb7845963c3462bda946207f47c7851d6da28c0

Filesize: 5.2MB
MD5: 9205cc1f4be3d5eeebfc497852bed321
SHA1: ec513fad660440e1cd970be14058b84735164ea9
SHA256: 8268910baaea6d069683975da0f566c3b8061f305db23cfa3711ba882078da72
SHA512: bf8d680d4ece284e7b7b94bbf659ec36b2c4743aad1f4484e481e47da284de7920523962062c54f8d60beb46db108c6ea624f03edb997203d34c0d85c0d7dbb8

Filesize: 5.2MB
MD5: 188a80ecf98ace53cdbbc0700992e33d
SHA1: d6ab1327faf60f57b18b25545e33d02b0afe21c8
SHA256: b5e8bcb41a7d70aa30c39e3032bfa2f5baf2f5cba0461be299e647b60e056c0a
SHA512: 3ce261ed9d09396cf7b2153db0e3684d874e5272a110b4b06d73baabd5e4164ad3d2c2ff75618b407a3ab88fd8f0c74e2b206426dc4aa384300e0d235d737fc5

Filesize: 5.2MB
MD5: af6ade01546970237fb6412937110730
SHA1: a6244651a78c862d452294e1ef69ed9920a85ee1
SHA256: 75204497a3f48159ce480e7edd98b88447606e64b558b21e5dae8589d8239ec9
SHA512: 6f85ee2c86639b60c22319b91c4cb81fef3b1eb56d1edc5a53ebf6be15d1191e94ae70c0fc86c3f652afef41b313eb5ad20fb0b3000813d73054e8476cd397c0

Filesize: 5.2MB
MD5: e0dfa4ad43ed0aeafbb444f74d4618da
SHA1: 769f15fef0c6452ea35b6eea0721f2386741778b
SHA256: af509f84790740402ef491b83e30ca3121dbdd76fd400ff8a38006b984aeda45
SHA512: c0de574a78e20e9efd752ea16254f45e23af7e1b2c16cc2599277e9a226e37a3cd6b9892f3c4538019c19916454941f505e6c658707577e2cc99e13bd6218cf4

Filesize: 5.2MB
MD5: f3020f3fa78d1a28d9de72da3c4bc563
SHA1: affecacaa25493e1c18a2d97009c099569f04003
SHA256: f09b8a2e7367fb2fd2e7cb6ce6658f84e8993f3b8cf941437fd9adc1013082cc
SHA512: ee46a106f584b138fcd9cee6227eefedff34f042e2d79a1189953f57b747f2214142f5f7aa341b422f28f72d3d53e9f6ebddc79ceabdcb1cbb00b5b40b48bdc1

Filesize: 5.2MB
MD5: c5b8ea1f4c44e11b5a9b230e7d141dcd
SHA1: 2e84a37d9df036d0c38a44867b37990f29ffe532
SHA256: bafadf1b2955106832f4fa84143390a7fb937b547f8c6297cea02c2d303ad5f5
SHA512: 69f06fa801f8914aadb2f8e90aa1a8f4c1a69f98dc7b9a7b2513f5de2e9715324b9546dfb6d4d3b6774f76092da076a309508ee005c3984dbe7689b8a7abe794

Filesize: 5.2MB
MD5: cf527c2a434065cf984df8e93027857b
SHA1: cae80891491f40c458b224b4cb827581bcc984be
SHA256: 57106d90214c028d751969b7355cca45a4010eae9ab99338d27a365b459f951a
SHA512: c499aa20ab5d5463e7223d23b06f6e93adec1315c443cdea0fec86435c96ad4c36256e2cdcf493558d1c5404b6afbd69b344681e9990dc7208a3e5be05c4427f

Filesize: 5.2MB
MD5: 886b926a87ec9e9f23b921798a21babc
SHA1: 6e4dfd1f0e4a07f21a86704667f5cdd121d32815
SHA256: bdf8037f6adc59c73daa00a8154f90d51f82536c9476def86ed2dd8e7db0260c
SHA512: ba8ccafb0176723f359d7f62b917c2718b0b92b83fe4e24db88a19a35115dacc45116506f9d790212b1c6f275b9de472399f8bde5dd49cd78a932b88c8cf406d

Filesize: 5.2MB
MD5: 8f4fcc97a3d28f623f2255d32fd36665
SHA1: 4acddd906f5bd94b314d7e6105397f49425a3c9f
SHA256: d50358feed4d6902fe3036450f8233759a3ec879f55b2dc0f6eb26be8feebd28
SHA512: 5f0c77e6bef0080d222902a9ea2733831cd4bdce171736232b29dcd4e4c4a3442641e727a35fda67df1c52b0f0cc1e9b618e6c0f4313c145ada39eb10a0b32d9

Filesize: 5.2MB
MD5: 2220adb418f76484378d42aabb9f3e9a
SHA1: 257b802efe1a332bc082cdf996a1ea53a079cd3f
SHA256: 1f6c8b389e84e1ae0c855ee0207924346625e2c6c32fe3b751c735f81ffa06b4
SHA512: e8ff13f457aaebcfabdd5ede33dedd0209043a0e50f59f9c4f045702a5203a9b2a64e62394ac11d37dd3fa56ef2f4f969d184110f221ac3923e7c3b9904ec92f

Filesize: 5.2MB
MD5: a75f5bbde698aeb4a98dba83c490b0bf
SHA1: 6f0288bb1edadf9a75953a291bcc840e29b386b8
SHA256: bdd8870abd6550e1cb88da9c0debc97ad15fde689fa636c017892180d48fe3fd
SHA512: 0590e0c51b935e0d16058aa971a7e30e60afd6853ed75d9b289941131b99ecb1c13808e0fc7a0beb563f1e96593475609d7f1b74b8d8d670dab34f8d6f23b4e2