Analysis
-
max time kernel
140s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
09/11/2024, 15:22
Behavioral task
behavioral1
Sample
2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe
Resource
win7-20240708-en
General
-
Target
2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe
-
Size
5.2MB
-
MD5
3241f9591762f228184ac39e29ff0abe
-
SHA1
036f417b63d0914e063b96cf6a789ca2f272948a
-
SHA256
1779f5062e13aa3ea7ea63d70f7b6f72ba2f75347f1b745e24be4550d64a9ed8
-
SHA512
c8d96bc618b9f94e7b98369d2918b88d167c8c75b83e3e8f15e633250419f49fa517d02732da8cb61aa0fb5e96c9f90ccd004e8b11ca8884613314e5845bb18d
-
SSDEEP
49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lf:RWWBibd56utgpPFotBER/mQ32lUz
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
-
access_type
512
-
beacon_type
256
-
create_remote_thread
768
-
crypto_scheme
256
-
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
-
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
-
http_method1
GET
-
http_method2
POST
-
maxdns
255
-
pipe_name
\\%s\pipe\msagent_%x
-
polling_time
5000
-
port_number
443
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/N4215/adj/amzn.us.sr.aps
-
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
-
watermark
0
Signatures
-
Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
resource yara_rule
behavioral2/files/0x000c000000023b6f-5.dat cobalt_reflective_dll
behavioral2/files/0x000a000000023b7e-27.dat cobalt_reflective_dll
behavioral2/files/0x0031000000023b7f-28.dat cobalt_reflective_dll
behavioral2/files/0x0031000000023b80-45.dat cobalt_reflective_dll
behavioral2/files/0x000a000000023b82-48.dat cobalt_reflective_dll
behavioral2/files/0x000a000000023b84-65.dat cobalt_reflective_dll
behavioral2/files/0x000a000000023b85-71.dat cobalt_reflective_dll
behavioral2/files/0x000a000000023b89-91.dat cobalt_reflective_dll
behavioral2/files/0x000a000000023b8a-95.dat cobalt_reflective_dll
behavioral2/files/0x000b000000023b79-111.dat cobalt_reflective_dll
behavioral2/files/0x000a000000023b8b-109.dat cobalt_reflective_dll
behavioral2/files/0x000a000000023b88-89.dat cobalt_reflective_dll
behavioral2/files/0x000a000000023b87-87.dat cobalt_reflective_dll
behavioral2/files/0x000a000000023b83-61.dat cobalt_reflective_dll
behavioral2/files/0x0031000000023b81-44.dat cobalt_reflective_dll
behavioral2/files/0x000a000000023b7c-32.dat cobalt_reflective_dll
behavioral2/files/0x000a000000023b7d-31.dat cobalt_reflective_dll
behavioral2/files/0x000b000000023b78-15.dat cobalt_reflective_dll
behavioral2/files/0x000a000000023b8c-123.dat cobalt_reflective_dll
behavioral2/files/0x000a000000023b8f-126.dat cobalt_reflective_dll
behavioral2/files/0x000a000000023b8e-132.dat cobalt_reflective_dll
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Cobaltstrike family
-
Xmrig family
-
XMRig Miner payload 45 IoCs
resource yara_rule
behavioral2/memory/1932-101-0x00007FF62A590000-0x00007FF62A8E1000-memory.dmp xmrig
behavioral2/memory/2280-98-0x00007FF793E10000-0x00007FF794161000-memory.dmp xmrig
behavioral2/memory/3744-60-0x00007FF697640000-0x00007FF697991000-memory.dmp xmrig
behavioral2/memory/4932-59-0x00007FF65D800000-0x00007FF65DB51000-memory.dmp xmrig
behavioral2/memory/2564-57-0x00007FF675430000-0x00007FF675781000-memory.dmp xmrig
behavioral2/memory/4332-113-0x00007FF7141C0000-0x00007FF714511000-memory.dmp xmrig
behavioral2/memory/1944-115-0x00007FF7178F0000-0x00007FF717C41000-memory.dmp xmrig
behavioral2/memory/2548-114-0x00007FF6B7970000-0x00007FF6B7CC1000-memory.dmp xmrig
behavioral2/memory/768-121-0x00007FF768D00000-0x00007FF769051000-memory.dmp xmrig
behavioral2/memory/2828-129-0x00007FF763EF0000-0x00007FF764241000-memory.dmp xmrig
behavioral2/memory/4228-124-0x00007FF627A00000-0x00007FF627D51000-memory.dmp xmrig
behavioral2/memory/2280-136-0x00007FF793E10000-0x00007FF794161000-memory.dmp xmrig
behavioral2/memory/3092-144-0x00007FF628E20000-0x00007FF629171000-memory.dmp xmrig
behavioral2/memory/2856-152-0x00007FF6A9770000-0x00007FF6A9AC1000-memory.dmp xmrig
behavioral2/memory/4236-153-0x00007FF615650000-0x00007FF6159A1000-memory.dmp xmrig
behavioral2/memory/4604-158-0x00007FF665CD0000-0x00007FF666021000-memory.dmp xmrig
behavioral2/memory/1732-157-0x00007FF647A60000-0x00007FF647DB1000-memory.dmp xmrig
behavioral2/memory/4004-156-0x00007FF7D3F00000-0x00007FF7D4251000-memory.dmp xmrig
behavioral2/memory/2188-155-0x00007FF768030000-0x00007FF768381000-memory.dmp xmrig
behavioral2/memory/1548-154-0x00007FF62B5B0000-0x00007FF62B901000-memory.dmp xmrig
behavioral2/memory/3588-151-0x00007FF741860000-0x00007FF741BB1000-memory.dmp xmrig
behavioral2/memory/1192-159-0x00007FF7BB030000-0x00007FF7BB381000-memory.dmp xmrig
behavioral2/memory/1592-160-0x00007FF674F80000-0x00007FF6752D1000-memory.dmp xmrig
behavioral2/memory/2280-161-0x00007FF793E10000-0x00007FF794161000-memory.dmp xmrig
behavioral2/memory/4332-218-0x00007FF7141C0000-0x00007FF714511000-memory.dmp xmrig
behavioral2/memory/1932-220-0x00007FF62A590000-0x00007FF62A8E1000-memory.dmp xmrig
behavioral2/memory/768-222-0x00007FF768D00000-0x00007FF769051000-memory.dmp xmrig
behavioral2/memory/1944-225-0x00007FF7178F0000-0x00007FF717C41000-memory.dmp xmrig
behavioral2/memory/2548-226-0x00007FF6B7970000-0x00007FF6B7CC1000-memory.dmp xmrig
behavioral2/memory/4228-231-0x00007FF627A00000-0x00007FF627D51000-memory.dmp xmrig
behavioral2/memory/2564-232-0x00007FF675430000-0x00007FF675781000-memory.dmp xmrig
behavioral2/memory/4932-229-0x00007FF65D800000-0x00007FF65DB51000-memory.dmp xmrig
behavioral2/memory/3744-234-0x00007FF697640000-0x00007FF697991000-memory.dmp xmrig
behavioral2/memory/3092-245-0x00007FF628E20000-0x00007FF629171000-memory.dmp xmrig
behavioral2/memory/4604-252-0x00007FF665CD0000-0x00007FF666021000-memory.dmp xmrig
behavioral2/memory/2856-251-0x00007FF6A9770000-0x00007FF6A9AC1000-memory.dmp xmrig
behavioral2/memory/3588-254-0x00007FF741860000-0x00007FF741BB1000-memory.dmp xmrig
behavioral2/memory/2828-248-0x00007FF763EF0000-0x00007FF764241000-memory.dmp xmrig
behavioral2/memory/4004-247-0x00007FF7D3F00000-0x00007FF7D4251000-memory.dmp xmrig
behavioral2/memory/1548-257-0x00007FF62B5B0000-0x00007FF62B901000-memory.dmp xmrig
behavioral2/memory/2188-260-0x00007FF768030000-0x00007FF768381000-memory.dmp xmrig
behavioral2/memory/4236-259-0x00007FF615650000-0x00007FF6159A1000-memory.dmp xmrig
behavioral2/memory/1732-264-0x00007FF647A60000-0x00007FF647DB1000-memory.dmp xmrig
behavioral2/memory/1192-266-0x00007FF7BB030000-0x00007FF7BB381000-memory.dmp xmrig
behavioral2/memory/1592-269-0x00007FF674F80000-0x00007FF6752D1000-memory.dmp xmrig
-
Executes dropped EXE 21 IoCs
pid Process
1932 LoSldln.exe
4332 mfVzWzR.exe
768 JKYvpNe.exe
2548 MxxyPAl.exe
1944 WkPRsMB.exe
4228 wxplRzi.exe
2564 JgtaKCw.exe
4932 frfqzLz.exe
3744 RnfaPPL.exe
2828 INueiWa.exe
3092 wYUDrnQ.exe
4004 SdCzaQr.exe
4604 ZQEqSIz.exe
3588 FCRoSyF.exe
2856 FchlEVU.exe
4236 fcIEibC.exe
1548 ozKLfGZ.exe
2188 svTBQAc.exe
1732 HJIYnBl.exe
1192 WVLgxOs.exe
1592 VvDkDFD.exe
-
resource yara_rule
behavioral2/memory/2280-0-0x00007FF793E10000-0x00007FF794161000-memory.dmp upx
behavioral2/files/0x000c000000023b6f-5.dat upx
behavioral2/memory/1932-10-0x00007FF62A590000-0x00007FF62A8E1000-memory.dmp upx
behavioral2/memory/4332-16-0x00007FF7141C0000-0x00007FF714511000-memory.dmp upx
behavioral2/files/0x000a000000023b7e-27.dat upx
behavioral2/files/0x0031000000023b7f-28.dat upx
behavioral2/files/0x0031000000023b80-45.dat upx
behavioral2/files/0x000a000000023b82-48.dat upx
behavioral2/memory/2828-58-0x00007FF763EF0000-0x00007FF764241000-memory.dmp upx
behavioral2/files/0x000a000000023b84-65.dat upx
behavioral2/files/0x000a000000023b85-71.dat upx
behavioral2/memory/2856-86-0x00007FF6A9770000-0x00007FF6A9AC1000-memory.dmp upx
behavioral2/files/0x000a000000023b89-91.dat upx
behavioral2/files/0x000a000000023b8a-95.dat upx
behavioral2/memory/2188-105-0x00007FF768030000-0x00007FF768381000-memory.dmp upx
behavioral2/files/0x000b000000023b79-111.dat upx
behavioral2/files/0x000a000000023b8b-109.dat upx
behavioral2/memory/1548-108-0x00007FF62B5B0000-0x00007FF62B901000-memory.dmp upx
behavioral2/memory/4236-104-0x00007FF615650000-0x00007FF6159A1000-memory.dmp upx
behavioral2/memory/1932-101-0x00007FF62A590000-0x00007FF62A8E1000-memory.dmp upx
behavioral2/memory/2280-98-0x00007FF793E10000-0x00007FF794161000-memory.dmp upx
behavioral2/files/0x000a000000023b88-89.dat upx
behavioral2/files/0x000a000000023b87-87.dat upx
behavioral2/memory/3588-85-0x00007FF741860000-0x00007FF741BB1000-memory.dmp upx
behavioral2/memory/4604-84-0x00007FF665CD0000-0x00007FF666021000-memory.dmp upx
behavioral2/memory/4004-76-0x00007FF7D3F00000-0x00007FF7D4251000-memory.dmp upx
behavioral2/memory/3092-66-0x00007FF628E20000-0x00007FF629171000-memory.dmp upx
behavioral2/files/0x000a000000023b83-61.dat upx
behavioral2/memory/3744-60-0x00007FF697640000-0x00007FF697991000-memory.dmp upx
behavioral2/memory/4932-59-0x00007FF65D800000-0x00007FF65DB51000-memory.dmp upx
behavioral2/memory/2564-57-0x00007FF675430000-0x00007FF675781000-memory.dmp upx
behavioral2/memory/4228-46-0x00007FF627A00000-0x00007FF627D51000-memory.dmp upx
behavioral2/files/0x0031000000023b81-44.dat upx
behavioral2/memory/1944-37-0x00007FF7178F0000-0x00007FF717C41000-memory.dmp upx
behavioral2/memory/2548-33-0x00007FF6B7970000-0x00007FF6B7CC1000-memory.dmp upx
behavioral2/files/0x000a000000023b7c-32.dat upx
behavioral2/files/0x000a000000023b7d-31.dat upx
behavioral2/memory/768-24-0x00007FF768D00000-0x00007FF769051000-memory.dmp upx
behavioral2/files/0x000b000000023b78-15.dat upx
behavioral2/memory/4332-113-0x00007FF7141C0000-0x00007FF714511000-memory.dmp upx
behavioral2/memory/1944-115-0x00007FF7178F0000-0x00007FF717C41000-memory.dmp upx
behavioral2/memory/2548-114-0x00007FF6B7970000-0x00007FF6B7CC1000-memory.dmp upx
behavioral2/memory/768-121-0x00007FF768D00000-0x00007FF769051000-memory.dmp upx
behavioral2/files/0x000a000000023b8c-123.dat upx
behavioral2/files/0x000a000000023b8f-126.dat upx
behavioral2/memory/2828-129-0x00007FF763EF0000-0x00007FF764241000-memory.dmp upx
behavioral2/files/0x000a000000023b8e-132.dat upx
behavioral2/memory/1592-131-0x00007FF674F80000-0x00007FF6752D1000-memory.dmp upx
behavioral2/memory/1192-128-0x00007FF7BB030000-0x00007FF7BB381000-memory.dmp upx
behavioral2/memory/1732-127-0x00007FF647A60000-0x00007FF647DB1000-memory.dmp upx
behavioral2/memory/4228-124-0x00007FF627A00000-0x00007FF627D51000-memory.dmp upx
behavioral2/memory/2280-136-0x00007FF793E10000-0x00007FF794161000-memory.dmp upx
behavioral2/memory/3092-144-0x00007FF628E20000-0x00007FF629171000-memory.dmp upx
behavioral2/memory/2856-152-0x00007FF6A9770000-0x00007FF6A9AC1000-memory.dmp upx
behavioral2/memory/4236-153-0x00007FF615650000-0x00007FF6159A1000-memory.dmp upx
behavioral2/memory/4604-158-0x00007FF665CD0000-0x00007FF666021000-memory.dmp upx
behavioral2/memory/1732-157-0x00007FF647A60000-0x00007FF647DB1000-memory.dmp upx
behavioral2/memory/4004-156-0x00007FF7D3F00000-0x00007FF7D4251000-memory.dmp upx
behavioral2/memory/2188-155-0x00007FF768030000-0x00007FF768381000-memory.dmp upx
behavioral2/memory/1548-154-0x00007FF62B5B0000-0x00007FF62B901000-memory.dmp upx
behavioral2/memory/3588-151-0x00007FF741860000-0x00007FF741BB1000-memory.dmp upx
behavioral2/memory/1192-159-0x00007FF7BB030000-0x00007FF7BB381000-memory.dmp upx
behavioral2/memory/1592-160-0x00007FF674F80000-0x00007FF6752D1000-memory.dmp upx
behavioral2/memory/2280-161-0x00007FF793E10000-0x00007FF794161000-memory.dmp upx
-
Drops file in Windows directory 21 IoCs
description ioc Process
File created C:\Windows\System\MxxyPAl.exe 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\ZQEqSIz.exe 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\FchlEVU.exe 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\fcIEibC.exe 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\svTBQAc.exe 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\mfVzWzR.exe 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\WkPRsMB.exe 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\SdCzaQr.exe 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\FCRoSyF.exe 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\VvDkDFD.exe 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\wxplRzi.exe 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\frfqzLz.exe 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\RnfaPPL.exe 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\wYUDrnQ.exe 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\LoSldln.exe 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\JKYvpNe.exe 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\JgtaKCw.exe 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\INueiWa.exe 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\ozKLfGZ.exe 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\HJIYnBl.exe 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\WVLgxOs.exe 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process
Token: SeLockMemoryPrivilege 2280 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege 2280 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe
-
Suspicious use of WriteProcessMemory 42 IoCs
description pid Process procid_target
PID 2280 wrote to memory of 1932 2280 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe 84
PID 2280 wrote to memory of 1932 2280 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe 84
PID 2280 wrote to memory of 4332 2280 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe 86
PID 2280 wrote to memory of 4332 2280 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe 86
PID 2280 wrote to memory of 2548 2280 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe 87
PID 2280 wrote to memory of 2548 2280 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe 87
PID 2280 wrote to memory of 768 2280 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe 88
PID 2280 wrote to memory of 768 2280 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe 88
PID 2280 wrote to memory of 1944 2280 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe 89
PID 2280 wrote to memory of 1944 2280 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe 89
PID 2280 wrote to memory of 4228 2280 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe 90
PID 2280 wrote to memory of 4228 2280 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe 90
PID 2280 wrote to memory of 2564 2280 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe 91
PID 2280 wrote to memory of 2564 2280 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe 91
PID 2280 wrote to memory of 4932 2280 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe 92
PID 2280 wrote to memory of 4932 2280 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe 92
PID 2280 wrote to memory of 3744 2280 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe 93
PID 2280 wrote to memory of 3744 2280 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe 93
PID 2280 wrote to memory of 2828 2280 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe 94
PID 2280 wrote to memory of 2828 2280 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe 94
PID 2280 wrote to memory of 3092 2280 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe 95
PID 2280 wrote to memory of 3092 2280 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe 95
PID 2280 wrote to memory of 4004 2280 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe 96
PID 2280 wrote to memory of 4004 2280 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe 96
PID 2280 wrote to memory of 4604 2280 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe 97
PID 2280 wrote to memory of 4604 2280 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe 97
PID 2280 wrote to memory of 3588 2280 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe 98
PID 2280 wrote to memory of 3588 2280 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe 98
PID 2280 wrote to memory of 2856 2280 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe 99
PID 2280 wrote to memory of 2856 2280 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe 99
PID 2280 wrote to memory of 4236 2280 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe 100
PID 2280 wrote to memory of 4236 2280 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe 100
PID 2280 wrote to memory of 1548 2280 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe 101
PID 2280 wrote to memory of 1548 2280 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe 101
PID 2280 wrote to memory of 2188 2280 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe 102
PID 2280 wrote to memory of 2188 2280 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe 102
PID 2280 wrote to memory of 1732 2280 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe 103
PID 2280 wrote to memory of 1732 2280 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe 103
PID 2280 wrote to memory of 1192 2280 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe 105
PID 2280 wrote to memory of 1192 2280 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe 105
PID 2280 wrote to memory of 1592 2280 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe 106
PID 2280 wrote to memory of 1592 2280 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe 106
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2280
    C:\Windows\System\LoSldln.exe
      Command line: C:\Windows\System\LoSldln.exe
      - Executes dropped EXE
      PID:1932
    C:\Windows\System\mfVzWzR.exe
      Command line: C:\Windows\System\mfVzWzR.exe
      - Executes dropped EXE
      PID:4332
    C:\Windows\System\MxxyPAl.exe
      Command line: C:\Windows\System\MxxyPAl.exe
      - Executes dropped EXE
      PID:2548
    C:\Windows\System\JKYvpNe.exe
      Command line: C:\Windows\System\JKYvpNe.exe
      - Executes dropped EXE
      PID:768
    C:\Windows\System\WkPRsMB.exe
      Command line: C:\Windows\System\WkPRsMB.exe
      - Executes dropped EXE
      PID:1944
    C:\Windows\System\wxplRzi.exe
      Command line: C:\Windows\System\wxplRzi.exe
      - Executes dropped EXE
      PID:4228
    C:\Windows\System\JgtaKCw.exe
      Command line: C:\Windows\System\JgtaKCw.exe
      - Executes dropped EXE
      PID:2564
    C:\Windows\System\frfqzLz.exe
      Command line: C:\Windows\System\frfqzLz.exe
      - Executes dropped EXE
      PID:4932
    C:\Windows\System\RnfaPPL.exe
      Command line: C:\Windows\System\RnfaPPL.exe
      - Executes dropped EXE
      PID:3744
    C:\Windows\System\INueiWa.exe
      Command line: C:\Windows\System\INueiWa.exe
      - Executes dropped EXE
      PID:2828
    C:\Windows\System\wYUDrnQ.exe
      Command line: C:\Windows\System\wYUDrnQ.exe
      - Executes dropped EXE
      PID:3092
    C:\Windows\System\SdCzaQr.exe
      Command line: C:\Windows\System\SdCzaQr.exe
      - Executes dropped EXE
      PID:4004
    C:\Windows\System\ZQEqSIz.exe
      Command line: C:\Windows\System\ZQEqSIz.exe
      - Executes dropped EXE
      PID:4604
    C:\Windows\System\FCRoSyF.exe
      Command line: C:\Windows\System\FCRoSyF.exe
      - Executes dropped EXE
      PID:3588
    C:\Windows\System\FchlEVU.exe
      Command line: C:\Windows\System\FchlEVU.exe
      - Executes dropped EXE
      PID:2856
    C:\Windows\System\fcIEibC.exe
      Command line: C:\Windows\System\fcIEibC.exe
      - Executes dropped EXE
      PID:4236
    C:\Windows\System\ozKLfGZ.exe
      Command line: C:\Windows\System\ozKLfGZ.exe
      - Executes dropped EXE
      PID:1548
    C:\Windows\System\svTBQAc.exe
      Command line: C:\Windows\System\svTBQAc.exe
      - Executes dropped EXE
      PID:2188
    C:\Windows\System\HJIYnBl.exe
      Command line: C:\Windows\System\HJIYnBl.exe
      - Executes dropped EXE
      PID:1732
    C:\Windows\System\WVLgxOs.exe
      Command line: C:\Windows\System\WVLgxOs.exe
      - Executes dropped EXE
      PID:1192
    C:\Windows\System\VvDkDFD.exe
      Command line: C:\Windows\System\VvDkDFD.exe
      - Executes dropped EXE
      PID:1592
Downloads
-
Filesize 5.2MB
MD5 9210e94d9e8cbe0d0c5925482b0888aa
SHA1 083ac05a9a7723c532d0d7769d989f896c444477
SHA256 2bcd3a13d67015f782143c233a199c30445f2e1f6ff32043ad134e497e2478c6
SHA512 373aaedd8858132d61150f9f7a11c163d7f753965ed5a6be242c8598159b1d2e64f7e1d9cbcec030e15b2c00ec03a37cafa1846b51d55031ac00af613ef3b955
-
Filesize 5.2MB
MD5 7b46f34f929bef1c6b09e33103b44ad3
SHA1 b73d53a9b4054d69d6690d31b9855106d3d19581
SHA256 1dfa7805cf52b58e2652493a440e302b1b5301c24ec5ff2aa4662227cee5650f
SHA512 462232a7a618b1ba73bac0ddbbfc5868e6c08afd086645101736bba34d1a8579b618d57e36c303c79a9016556a40bfedbd983792a53655b633b3b077f806b3e8
-
Filesize 5.2MB
MD5 f17c61eb66a037f60d85830e476d8ada
SHA1 eee01317375dc0767bc3085b3f2562df149ab68e
SHA256 2f5cfc2c71cda0ec2b5bd8298f7bc9600eddaf40babbcba08682053da1489677
SHA512 e4f9ec02592cd54bb321658e2712161d78a98d411e59ea95a98137140e62f527892fd2c57388132c97fd04352aea345445aef1a27f169d11b885f148de4e60e9
-
Filesize 5.2MB
MD5 26619f64677c7ffa27488013a48ddfc4
SHA1 d92b1821cf72ae314a63b21afaf8b0a31b66fbb6
SHA256 7963e93756b3571f0522788628361f0eb40677651432c1115afb6e01df1f24da
SHA512 9332a3c491841f9f9bb42d4ad3b6904ac13956fedf4bc92dd066ac41f4170cbb8b1a4ea38134e07e49d2ecacde56c097f414881be52e85f73c90878003d5e832
-
Filesize 5.2MB
MD5 187251a65843dbf5f9476bf03fadc6f2
SHA1 3e72258ce1cd068d1a7fa018cd10d2dcc686d32d
SHA256 fe0ed7d0904a438e518c5301e5db841937472505d3df3c22492838274d5f38ed
SHA512 b6b1dd17fe9f92d9f2365b011570817f3be732dfc13f2ae04ff26859929998521ce261582226c3ccf8727c6fc768b25039d6646867dbf75412f3fcb758825b86
-
Filesize 5.2MB
MD5 d09ddcdcec8b62a9a3afe9cc2e49aa0a
SHA1 3e675e3bf745775357c150fd101adce4df80691b
SHA256 be0ab50d99b5aa1430e3030f581d000e0b0a266670dcf18af1670520747d9d18
SHA512 6fa4583a5b406e4de9e550937924b4dc6f75bdb9d8cdc59b57a28ca6194ec2baae5a760caa6f1108412e58a8804f2a3f2eab7ebba2bdbe60305365b92faf7b37
-
Filesize 5.2MB
MD5 beb5c8bc890ed76b7564803474bfdf76
SHA1 7c406d7a72fa2495fc06aa3958ddd50feb69ecec
SHA256 e4f2015e52472e62a65f2ca15ab04e725b162402b0a6a78dc92f0eae8be51555
SHA512 b01a16d2bbdbbc5e747eb6295297a93c7ab17032aabfa6b1a44543214f5d1d28b3eb6611d13e5adad5dacd402ce478e84bc92be6eac00f2148a5e801015bc2ea
-
Filesize 5.2MB
MD5 d736dbe8c9732a15f8ca54195778284f
SHA1 65df3c627621823ea00ebc87b1fae5600f70028c
SHA256 c6f68a629143c7fc215d56afbc6d8d6ffbbc689b99ba93ab2401729a1d0cff1f
SHA512 713795a63c819641fb1f1273bf91ff0479eb67af350248460ed282a90aa801edabbe3ebc016ad90f496c87a87e42cefe9a5b8a2d7c90c546c55d149e3eea8200
-
Filesize 5.2MB
MD5 4f4a60afb64c870807eb730daabe0263
SHA1 81199712b1a0efd9a8ca021ff043d4e67da1541e
SHA256 40c58455bf223a19407fcdef0ff560acd103d4a8676283c04951c2f1f3fee180
SHA512 a94d7d9010edad8a14bd3aa4d369bac68b0fdea8d87c3b82d79b97d4340d4ebdfea18792249778ec7c4f170fd9d47d3627026b6f7c2554c74b041f6fe415e9af
-
Filesize 5.2MB
MD5 1a3f27488c2d32a68426b44a2688bc50
SHA1 08384fdb25eb859fdd976f5b70fa3ac96eef08d8
SHA256 ed6ce41a4eb38211b4965172b679870f4c4378e3ea6d527b27286f430d210113
SHA512 ab38350bd2d36803464fc4604d26770bcc2ad07bc6c208bf99054ecd962d4b3b91bff16590060b05eb429c396aff9ae01dc979cd17ff4c88640958d01291be71
-
Filesize 5.2MB
MD5 4698615ce9b4964c4d57a6c2d7450e5c
SHA1 3719d3222f94e3fb93ac6be76214618358a2ab85
SHA256 29a2b2c76e8a43270eb3adf575c6dd91d7a3fd004c63e6c3c30f6d3927bee7be
SHA512 5e01811e90a665e4bbd8bc61cf5e30a2c624030f0525132099373b189df421ab3c0a9c7ba128b9ab1a347b7a22e1142923283fb554f52784e4c7d0888170c3d0
-
Filesize 5.2MB
MD5 61374cb464cb28eb3489a1bcaf87b8c4
SHA1 f43417477b2b960a49b8d0a610f50ca3632f266c
SHA256 385f84a9330af5bd7bd3ade3ab95b418b506e5d45304c7275a42bbcf06bfc9f8
SHA512 68bd73264dcdeec7481c6d3b71117b7519474d66435b2c21cae6f56416c76a112fc5d3a5ee48f9b5cd125029547dc9991056bf7fe61cc12ed0bd83e87654bdd4
-
Filesize 5.2MB
MD5 3ebc5b384b2f8c8349a4a6dd188f48e1
SHA1 4aa42f471a47b76a3cd849dc1bb713d224727b28
SHA256 5b5e456d4d7e84913d6d89c5a16ea3e63f983b3e428b2d8f39f3b6f37b9c3ae5
SHA512 f005321cfacff9ac2be761dbfc3362fb33112bdef35fe76af03db0bbf5db64f5be958423ca57acdc7ce4780e84f576a65bd13a11806a7ed57baaf4943ad5bbb2
-
Filesize 5.2MB
MD5 d4b58045d49ec046a82ed8a0cde194a2
SHA1 bb8812d0bd88f11a038bcce9c4a01d9bc20ab1b3
SHA256 fc96166a66a22a58641bb6542d8502d08ca04fede8c417168935732730410c4f
SHA512 4edca5a65589c0066345d7e51235c1e4692351a1f4130e4bea0b13b6925598ff4d79769baa9883e7410d3509426079b6f531124fe8e01177ec1d32016b0d55a8
-
Filesize 5.2MB
MD5 16c6598f788d521f1959fd2c56d31da1
SHA1 a6da37aacb516006e952eab6c6a7eac4f94704f4
SHA256 c05cf3feea43517612193153a740e9ee4eb632908ed56c8151e6a698f4bfe863
SHA512 73d0b0f1bf9507eb7463fcba4be75d7a2a0dc2dcf7d2432b15465c8377dc25e5964d215e7d67446d9c84b8967de2911975df80ddcdcb42f045d5318712750350
-
Filesize 5.2MB
MD5 aab930dc24292fa2bb7b0e88b7d60d7c
SHA1 76008109ed3198d2c2783a092a3245c572d82435
SHA256 63fc5f916c209f1925d0a1a3f5a86ed269c1b27cb59503802c837456066acb8a
SHA512 920e8afd54cf0d6bbc45a72848fecd197aa7a5f4f9b9d793523093a5cf896eab40a767ca7ac99cc18b463feb5b3e5848213f7450b080b3151f7f51c22af0a09f
-
Filesize 5.2MB
MD5 ab2695f0868d880a13499163421a118f
SHA1 5e3596beb1c1bd2a7e473e6c35e4f6dbf31478c3
SHA256 73c0cf6840197444aa8016095a0191bc1d6c74df24ff66c3b505ed9c17e0ca17
SHA512 bdcd0a3c68eecb7d43b0bd3f03867d3c41b3b3397d2279fa86cb430d1481246b33a7491c387637ff952cbeafdbb3a88b575b0ca179bc8ebb3f598ad9340171d6
-
Filesize 5.2MB
MD5 8ae898bba8cc917e18e061ab32db2a8a
SHA1 e47ca94bc8d6f6edf06389a4379c12b19f6bd529
SHA256 8b23781f41713d890d0a2d84a6c4e1d8e5c2663f0581ba9ae5f92071b0f46cdf
SHA512 9f0a6c07f5ea13b563b935625cc0ffbf2c5142bb3f3b99babf76fcfeb89683f9562f1c9746cfaa3eb3595067a6eedee1f29e4a7c9d7df0d24a86c64078a96c22
-
Filesize 5.2MB
MD5 b78c2522777d0f89a2de5226460c8957
SHA1 1aa0b7d5d2171c7c66dc417c31447ced3d3c6835
SHA256 fd3a5c759a2ebe9acb892fd3e1fc8169745e8a83085235b37c9937220a9a5448
SHA512 e0c0cf4fde44e50bf200c7ca6d8920b912f3130fc2c984c22dd3d6ed48a0082f520d709c7819e76a764bdbb3f195680f56e3db2b7a75672e895145cdce825ec1
-
Filesize 5.2MB
MD5 72daedb0c94860ed587178c5596b1814
SHA1 cd3cdc2f2c3b4ec22f90a46d2609a9e0273043da
SHA256 b824b5f4a145e751eda144689f40fbec486856e024117c8cec96f21935398e9f
SHA512 a05d129e7f0605d98cf94569197bb0c7ca75515f644bd343bc32d78d2965047a1eea7e75eb28f9835657a76a5607a28881d58f688ea86d920d754157f92eef12
-
Filesize 5.2MB
MD5 cd996253967ea5a84793328214f4c075
SHA1 26730756341dfef09f9f4d5a404092768c342e76
SHA256 cc83f3f015bbb5d3e341f924496a782c9092cdd2196a8ccdfa4355ddeb8b11ac
SHA512 a2a1cfd2e4d87f0b578c90117940b22dbbebba6d995c65e2c6eedfb9b26c2cd61655a66229867ae1cddd11583e70d71f96d4aa56c6739d70b7894b9cfd1e7559