Analysis
- max time kernel: 120s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 27/10/2024, 10:36
Behavioral task: behavioral1
- Sample: 2024-10-27_90fb243e4c987f40a62d3927a1779ba3_cobalt-strike_cobaltstrike_poet-rat.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 2024-10-27_90fb243e4c987f40a62d3927a1779ba3_cobalt-strike_cobaltstrike_poet-rat.exe
- Resource: win10v2004-20241007-en
General
- Target: 2024-10-27_90fb243e4c987f40a62d3927a1779ba3_cobalt-strike_cobaltstrike_poet-rat.exe
- Size: 5.7MB
- MD5: 90fb243e4c987f40a62d3927a1779ba3
- SHA1: 4e716f2c3fce529f320cfbd4809c7322821a4b68
- SHA256: 1da1d4b72e31f159e270fa2bcd50f9181f1260c9359f4449eab8d04f07b8d1ff
- SHA512: 5075dfd138138e69aebf0ac132b2ecadce9ba54a667bce87d1cc9563cb5f61b509fb9a1b824303147a9a74f1c4e8a139886b9bfed81c27e0e911438681641a24
- SSDEEP: 98304:hemTLkNdfE0pZaN56utgpPFotBER/mQ32lUO:w+156utgpPF8u/7O
Malware Config
Signatures
- Xmrig family
- XMRig Miner payload (1 IoC)
  resource: behavioral1/memory/1860-0-0x000000013FDB0000-0x00000001400FD000-memory.dmp
  yara_rule: xmrig
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   Process                                                                              procid_target
  PID 1860 wrote to memory of 3020   1860  2024-10-27_90fb243e4c987f40a62d3927a1779ba3_cobalt-strike_cobaltstrike_poet-rat.exe  29
  PID 1860 wrote to memory of 3020   1860  2024-10-27_90fb243e4c987f40a62d3927a1779ba3_cobalt-strike_cobaltstrike_poet-rat.exe  29
  PID 1860 wrote to memory of 3020   1860  2024-10-27_90fb243e4c987f40a62d3927a1779ba3_cobalt-strike_cobaltstrike_poet-rat.exe  29
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-10-27_90fb243e4c987f40a62d3927a1779ba3_cobalt-strike_cobaltstrike_poet-rat.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-10-27_90fb243e4c987f40a62d3927a1779ba3_cobalt-strike_cobaltstrike_poet-rat.exe"
  PID: 1860
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\WerFault.exe (child of PID 1860)
    command line: C:\Windows\system32\WerFault.exe -u -p 1860 -s 72
    PID: 3020