Analysis
max time kernel: 140s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 15:24
Behavioral task: behavioral1 (note: every signature and memory dump below is recorded under behavioral2, the win10v2004 run listed above)
Sample: 2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe
Resource: win7-20240903-en
General
Target: 2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe
Size: 5.2MB
MD5: 7d06c0ae9c73b6a8407c4b1746360d76
SHA1: c610841166aa6c6a7513c9eea46d1616e39aa462
SHA256: 777d44c6731dc80ad0a28d9f8f68b33cfd30b0d575614a1d873bc8dd306c4db2
SHA512: 4a210db00385754a9181aa85cabb8e11750b09b78f319d1f334e6c94e0d79e64cb006c3dce0ee0b723600903b7c3eb2cfab415ef2d5b31857e082596cd9def7d
SSDEEP: 49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lX:RWWBibd56utgpPFotBER/mQ32lUb
Malware Config
Extracted: cobaltstrike
0
C2 URLs (http-get, as rendered by the extractor: plain http:// on port 443):
- http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host (C2 host / http-get URI pairs):
- ns7.softline.top, /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- ns8.softline.top, /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- ns9.softline.top, /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1 (base64-encoded http-get client transform block; it sets Host: www.amazon.com and carries the beacon metadata in the Cookie header): AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2 (base64-encoded http-post client transform block; session id in the sn parameter, output base64-encoded in the body): AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x (Cobalt Strike's stock SMB-beacon pipe name pattern)
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine (the extractor's label; the value is the beacon's base64 DER SubjectPublicKeyInfo for a 1024-bit RSA key, zero-padded to the field size): MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri (http-post): /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
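The two http_header blobs in the extracted config are Cobalt Strike's serialised data-transform blocks for the http-get and http-post client sections of the beacon's malleable C2 profile. The Python below is an added example, not part of the sandbox output and not Cobalt Strike's or the extractor's code: it decodes both blobs with the opcode table documented by public beacon-config parsers (assumed to match this config's 4.x-style format; the two-string encoding of strrep is also an assumption, since that opcode does not occur here) and prints them back as profile syntax. The result is the widely shared amazon.profile template (metadata base64-encoded into the Cookie header between the literal "skin=noskin;session-token=" prefix and the constant "csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996" suffix, session id in the sn POST parameter), which is why the Host header says www.amazon.com while the TCP connection goes to ns7/ns8/ns9.softline.top. A Host-header-to-destination mismatch and that fixed csm-hit cookie fragment are the network indicators worth hunting for; also note that the config's uri field is the http-post URI, while the http-get URIs sit in the host field.

```python
import base64
import struct

# Opcode table for Cobalt Strike's serialised data-transform blocks, as documented
# by public beacon-config parsers (1768.py, CobaltStrikeParser). Assumed to match
# the format of this config.
OPS = {
    1: "append", 2: "prepend", 3: "base64", 4: "print", 5: "parameter",
    6: "header", 7: "build", 8: "netbios", 9: "_parameter", 10: "_header",
    11: "netbiosu", 12: "uri_append", 13: "base64url", 14: "strrep",
    15: "mask", 16: "_hostheader",
}
ONE_STRING = {1, 2, 5, 6, 9, 10}            # encoded as opcode, u32 length, bytes
# Statements that end a metadata { } / id { } / output { } block in profile syntax.
TERMINATORS = {"print", "parameter", "header", "uri_append"}

# Blobs and URIs copied verbatim from the extracted config above.
HTTP_HEADER1 = "AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="
HTTP_HEADER2 = "AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA=="
GET_URI = "/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"
POST_URI = "/N4215/adj/amzn.us.sr.aps"


def parse_transform(blob_b64, request):
    """Decode one transform blob into a list of (op, *args) tuples.

    request is "get" for http_header1 or "post" for http_header2; it only decides
    what 'build 0' denotes (metadata for GET, id for POST; 1 is output for both).
    """
    data = base64.b64decode(blob_b64)
    pos, steps = 0, []
    while pos + 4 <= len(data):
        (op,) = struct.unpack_from(">I", data, pos)
        pos += 4
        if op == 0:                                  # zero opcode ends the block
            break
        if op not in OPS:
            raise ValueError(f"unknown transform opcode {op} at offset {pos - 4}")
        if op == 7:                                  # build <which>
            (which,) = struct.unpack_from(">I", data, pos)
            pos += 4
            first = "metadata" if request == "get" else "id"
            steps.append(("build", first if which == 0 else "output"))
        elif op in ONE_STRING or op == 14:           # strrep carries two strings (assumed)
            args = []
            for _ in range(2 if op == 14 else 1):
                (n,) = struct.unpack_from(">I", data, pos)
                pos += 4
                args.append(data[pos:pos + n].decode("latin-1"))
                pos += n
            steps.append((OPS[op], *args))
        else:                                        # base64, print, netbios, mask, ...
            steps.append((OPS[op],))
    return steps


def render_profile(steps, request, uri):
    """Render parsed steps as the http-get/http-post client block of a profile."""
    lines = [f"http-{request} {{", f'    set uri "{uri}";', "    client {"]
    indent, in_block = "        ", False
    for op, *args in steps:
        if op == "build":                            # opens metadata { / id { / output {
            lines.append(f"{indent}{args[0]} {{")
            indent, in_block = indent + "    ", True
            continue
        if op == "_header":                          # "Name: value" -> header "Name" "value";
            name, _, value = args[0].partition(": ")
            lines.append(f'{indent}header "{name}" "{value}";')
        elif op == "_parameter":                     # "k=v" -> parameter "k" "v";
            key, _, value = args[0].partition("=")
            lines.append(f'{indent}parameter "{key}" "{value}";')
        elif args:
            lines.append(f'{indent}{op} "{args[0]}";')
        else:
            lines.append(f"{indent}{op};")
        if in_block and op in TERMINATORS:           # a terminator closes the open block
            indent, in_block = indent[:-4], False
            lines.append(f"{indent}}}")
    lines += ["    }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_profile(parse_transform(HTTP_HEADER1, "get"), "get", GET_URI))
    print(render_profile(parse_transform(HTTP_HEADER2, "post"), "post", POST_URI))
```

The same parser applies to any beacon config dumped by an extractor that emits these fields; only the build-target naming depends on whether the blob came from the GET or the POST side.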
Signatures

Cobalt Strike reflective loader (21 IoCs)
Detects the reflective loader used by Cobalt Strike.
yara rule cobalt_reflective_dll matched on these dropped files:
- behavioral2/files/0x000b000000023b9c-4.dat
- behavioral2/files/0x000a000000023b9e-8.dat
- behavioral2/files/0x000a000000023b9d-15.dat
- behavioral2/files/0x000a000000023b9f-26.dat
- behavioral2/files/0x000a000000023ba0-29.dat
- behavioral2/files/0x000a000000023ba1-35.dat
- behavioral2/files/0x000a000000023ba2-44.dat
- behavioral2/files/0x000b000000023ba4-55.dat
- behavioral2/files/0x000b000000023ba5-69.dat
- behavioral2/files/0x000e000000023bb4-88.dat
- behavioral2/files/0x0009000000023bc3-99.dat
- behavioral2/files/0x0009000000023bc4-106.dat
- behavioral2/files/0x000e000000023bc8-117.dat
- behavioral2/files/0x0008000000023bcd-126.dat
- behavioral2/files/0x0008000000023bce-135.dat
- behavioral2/files/0x0008000000023bca-124.dat
- behavioral2/files/0x0009000000023bc2-95.dat
- behavioral2/files/0x0008000000023bbd-86.dat
- behavioral2/files/0x000a000000023bad-73.dat
- behavioral2/files/0x000b000000023ba3-52.dat
- behavioral2/files/0x000c000000023b99-48.dat
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.

Cobaltstrike family

Xmrig family
XMRig Miner payload (46 IoCs)
yara rule xmrig matched on these memory dumps (behavioral2/memory/<pid>-<index>-<range>-memory.dmp):
- 2424-40-0x00007FF6D0400000-0x00007FF6D0751000
- 4960-60-0x00007FF762480000-0x00007FF7627D1000
- 32-74-0x00007FF76ACE0000-0x00007FF76B031000
- 976-77-0x00007FF73F3A0000-0x00007FF73F6F1000
- 3016-93-0x00007FF7D98F0000-0x00007FF7D9C41000
- 32-133-0x00007FF76ACE0000-0x00007FF76B031000
- 2412-128-0x00007FF7DFC50000-0x00007FF7DFFA1000
- 4984-123-0x00007FF603F30000-0x00007FF604281000
- 752-110-0x00007FF74D540000-0x00007FF74D891000
- 2536-100-0x00007FF71D390000-0x00007FF71D6E1000
- 1844-84-0x00007FF670630000-0x00007FF670981000
- 3188-80-0x00007FF7DEE30000-0x00007FF7DF181000
- 3976-76-0x00007FF718820000-0x00007FF718B71000
- 3084-61-0x00007FF7F93A0000-0x00007FF7F96F1000
- 3084-137-0x00007FF7F93A0000-0x00007FF7F96F1000
- 3060-150-0x00007FF794630000-0x00007FF794981000
- 4624-153-0x00007FF78FCD0000-0x00007FF790021000
- 3568-155-0x00007FF700C60000-0x00007FF700FB1000
- 3084-159-0x00007FF7F93A0000-0x00007FF7F96F1000
- 4916-156-0x00007FF797510000-0x00007FF797861000
- 4088-158-0x00007FF756EC0000-0x00007FF757211000
- 4596-157-0x00007FF741400000-0x00007FF741751000
- 3116-154-0x00007FF78D910000-0x00007FF78DC61000
- 1728-152-0x00007FF7D4E10000-0x00007FF7D5161000
- 644-151-0x00007FF6875F0000-0x00007FF687941000
- 976-211-0x00007FF73F3A0000-0x00007FF73F6F1000
- 1844-213-0x00007FF670630000-0x00007FF670981000
- 3016-216-0x00007FF7D98F0000-0x00007FF7D9C41000
- 2536-217-0x00007FF71D390000-0x00007FF71D6E1000
- 752-219-0x00007FF74D540000-0x00007FF74D891000
- 2424-223-0x00007FF6D0400000-0x00007FF6D0751000
- 2412-234-0x00007FF7DFC50000-0x00007FF7DFFA1000
- 4960-236-0x00007FF762480000-0x00007FF7627D1000
- 4984-238-0x00007FF603F30000-0x00007FF604281000
- 3188-241-0x00007FF7DEE30000-0x00007FF7DF181000
- 3976-242-0x00007FF718820000-0x00007FF718B71000
- 3060-251-0x00007FF794630000-0x00007FF794981000
- 4624-252-0x00007FF78FCD0000-0x00007FF790021000
- 3116-258-0x00007FF78D910000-0x00007FF78DC61000
- 644-256-0x00007FF6875F0000-0x00007FF687941000
- 3568-260-0x00007FF700C60000-0x00007FF700FB1000
- 1728-254-0x00007FF7D4E10000-0x00007FF7D5161000
- 32-246-0x00007FF76ACE0000-0x00007FF76B031000
- 4088-266-0x00007FF756EC0000-0x00007FF757211000
- 4916-264-0x00007FF797510000-0x00007FF797861000
- 4596-263-0x00007FF741400000-0x00007FF741751000
Executes dropped EXE (21 IoCs)
pid / Process:
- 976 qCYNAky.exe
- 1844 YyVzPKv.exe
- 3016 TnHBJsO.exe
- 2536 LkZNiKo.exe
- 752 dQZBltq.exe
- 2424 sySWomU.exe
- 2412 wdSQhFs.exe
- 4984 nIDRJWl.exe
- 4960 MvYzBCR.exe
- 32 raECuRM.exe
- 3188 tIAgvWq.exe
- 3976 YOwWovx.exe
- 644 kcRgREk.exe
- 3060 yUIxVRV.exe
- 1728 CSWADbW.exe
- 4624 kguCWCv.exe
- 3116 KdjXVtU.exe
- 3568 fRSFLAy.exe
- 4916 yOUQVvF.exe
- 4596 ZasNeGp.exe
- 4088 EjBEUBH.exe
UPX (yara rule upx, 64 IoCs)
Matched on the parent's and children's memory dumps and on the dropped files (behavioral2/ prefix omitted):
- memory/3084-0-0x00007FF7F93A0000-0x00007FF7F96F1000-memory.dmp
- files/0x000b000000023b9c-4.dat
- memory/976-9-0x00007FF73F3A0000-0x00007FF73F6F1000-memory.dmp
- files/0x000a000000023b9e-8.dat
- files/0x000a000000023b9d-15.dat
- memory/3016-18-0x00007FF7D98F0000-0x00007FF7D9C41000-memory.dmp
- files/0x000a000000023b9f-26.dat
- files/0x000a000000023ba0-29.dat
- memory/752-30-0x00007FF74D540000-0x00007FF74D891000-memory.dmp
- memory/2536-24-0x00007FF71D390000-0x00007FF71D6E1000-memory.dmp
- memory/1844-14-0x00007FF670630000-0x00007FF670981000-memory.dmp
- files/0x000a000000023ba1-35.dat
- memory/2424-40-0x00007FF6D0400000-0x00007FF6D0751000-memory.dmp
- files/0x000a000000023ba2-44.dat
- files/0x000b000000023ba4-55.dat
- memory/4960-60-0x00007FF762480000-0x00007FF7627D1000-memory.dmp
- files/0x000b000000023ba5-69.dat
- memory/32-74-0x00007FF76ACE0000-0x00007FF76B031000-memory.dmp
- memory/976-77-0x00007FF73F3A0000-0x00007FF73F6F1000-memory.dmp
- memory/3060-83-0x00007FF794630000-0x00007FF794981000-memory.dmp
- files/0x000e000000023bb4-88.dat
- memory/3016-93-0x00007FF7D98F0000-0x00007FF7D9C41000-memory.dmp
- files/0x0009000000023bc3-99.dat
- files/0x0009000000023bc4-106.dat
- files/0x000e000000023bc8-117.dat
- files/0x0008000000023bcd-126.dat
- files/0x0008000000023bce-135.dat
- memory/4088-134-0x00007FF756EC0000-0x00007FF757211000-memory.dmp
- memory/32-133-0x00007FF76ACE0000-0x00007FF76B031000-memory.dmp
- memory/4596-129-0x00007FF741400000-0x00007FF741751000-memory.dmp
- memory/2412-128-0x00007FF7DFC50000-0x00007FF7DFFA1000-memory.dmp
- files/0x0008000000023bca-124.dat
- memory/4984-123-0x00007FF603F30000-0x00007FF604281000-memory.dmp
- memory/4916-122-0x00007FF797510000-0x00007FF797861000-memory.dmp
- memory/3568-115-0x00007FF700C60000-0x00007FF700FB1000-memory.dmp
- memory/3116-114-0x00007FF78D910000-0x00007FF78DC61000-memory.dmp
- memory/752-110-0x00007FF74D540000-0x00007FF74D891000-memory.dmp
- memory/4624-103-0x00007FF78FCD0000-0x00007FF790021000-memory.dmp
- memory/2536-100-0x00007FF71D390000-0x00007FF71D6E1000-memory.dmp
- files/0x0009000000023bc2-95.dat
- memory/1728-94-0x00007FF7D4E10000-0x00007FF7D5161000-memory.dmp
- files/0x0008000000023bbd-86.dat
- memory/644-85-0x00007FF6875F0000-0x00007FF687941000-memory.dmp
- memory/1844-84-0x00007FF670630000-0x00007FF670981000-memory.dmp
- memory/3188-80-0x00007FF7DEE30000-0x00007FF7DF181000-memory.dmp
- memory/3976-76-0x00007FF718820000-0x00007FF718B71000-memory.dmp
- files/0x000a000000023bad-73.dat
- memory/3084-61-0x00007FF7F93A0000-0x00007FF7F96F1000-memory.dmp
- files/0x000b000000023ba3-52.dat
- files/0x000c000000023b99-48.dat
- memory/4984-47-0x00007FF603F30000-0x00007FF604281000-memory.dmp
- memory/2412-45-0x00007FF7DFC50000-0x00007FF7DFFA1000-memory.dmp
- memory/3084-137-0x00007FF7F93A0000-0x00007FF7F96F1000-memory.dmp
- memory/3060-150-0x00007FF794630000-0x00007FF794981000-memory.dmp
- memory/4624-153-0x00007FF78FCD0000-0x00007FF790021000-memory.dmp
- memory/3568-155-0x00007FF700C60000-0x00007FF700FB1000-memory.dmp
- memory/3084-159-0x00007FF7F93A0000-0x00007FF7F96F1000-memory.dmp
- memory/4916-156-0x00007FF797510000-0x00007FF797861000-memory.dmp
- memory/4088-158-0x00007FF756EC0000-0x00007FF757211000-memory.dmp
- memory/4596-157-0x00007FF741400000-0x00007FF741751000-memory.dmp
- memory/3116-154-0x00007FF78D910000-0x00007FF78DC61000-memory.dmp
- memory/1728-152-0x00007FF7D4E10000-0x00007FF7D5161000-memory.dmp
- memory/644-151-0x00007FF6875F0000-0x00007FF687941000-memory.dmp
- memory/976-211-0x00007FF73F3A0000-0x00007FF73F6F1000-memory.dmp
Drops file in Windows directory (21 IoCs)
All files created by 2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe:
- C:\Windows\System\YOwWovx.exe
- C:\Windows\System\yUIxVRV.exe
- C:\Windows\System\CSWADbW.exe
- C:\Windows\System\yOUQVvF.exe
- C:\Windows\System\qCYNAky.exe
- C:\Windows\System\LkZNiKo.exe
- C:\Windows\System\raECuRM.exe
- C:\Windows\System\tIAgvWq.exe
- C:\Windows\System\fRSFLAy.exe
- C:\Windows\System\EjBEUBH.exe
- C:\Windows\System\TnHBJsO.exe
- C:\Windows\System\nIDRJWl.exe
- C:\Windows\System\kcRgREk.exe
- C:\Windows\System\KdjXVtU.exe
- C:\Windows\System\wdSQhFs.exe
- C:\Windows\System\kguCWCv.exe
- C:\Windows\System\ZasNeGp.exe
- C:\Windows\System\YyVzPKv.exe
- C:\Windows\System\dQZBltq.exe
- C:\Windows\System\sySWomU.exe
- C:\Windows\System\MvYzBCR.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeLockMemoryPrivilege, pid 3084, 2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe
- Token: SeLockMemoryPrivilege, pid 3084, 2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe
Suspicious use of WriteProcessMemory (42 IoCs)
PID 3084 (2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe) wrote to the memory of each child it started; each write appears twice in the sandbox log. Target pid / procid_target:
- 976 / 84
- 1844 / 85
- 3016 / 86
- 2536 / 87
- 752 / 88
- 2424 / 89
- 2412 / 90
- 4984 / 91
- 4960 / 92
- 32 / 93
- 3188 / 95
- 3976 / 96
- 3060 / 97
- 644 / 98
- 1728 / 99
- 4624 / 100
- 3116 / 101
- 3568 / 102
- 4916 / 103
- 4596 / 104
- 4088 / 105
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe (PID 3084, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children (depth 2, each launched with its own path as the command line and flagged "Executes dropped EXE"):
  - C:\Windows\System\qCYNAky.exe (PID 976)
  - C:\Windows\System\YyVzPKv.exe (PID 1844)
  - C:\Windows\System\TnHBJsO.exe (PID 3016)
  - C:\Windows\System\LkZNiKo.exe (PID 2536)
  - C:\Windows\System\dQZBltq.exe (PID 752)
  - C:\Windows\System\sySWomU.exe (PID 2424)
  - C:\Windows\System\wdSQhFs.exe (PID 2412)
  - C:\Windows\System\nIDRJWl.exe (PID 4984)
  - C:\Windows\System\MvYzBCR.exe (PID 4960)
  - C:\Windows\System\raECuRM.exe (PID 32)
  - C:\Windows\System\tIAgvWq.exe (PID 3188)
  - C:\Windows\System\YOwWovx.exe (PID 3976)
  - C:\Windows\System\yUIxVRV.exe (PID 3060)
  - C:\Windows\System\kcRgREk.exe (PID 644)
  - C:\Windows\System\CSWADbW.exe (PID 1728)
  - C:\Windows\System\kguCWCv.exe (PID 4624)
  - C:\Windows\System\KdjXVtU.exe (PID 3116)
  - C:\Windows\System\fRSFLAy.exe (PID 3568)
  - C:\Windows\System\yOUQVvF.exe (PID 4916)
  - C:\Windows\System\ZasNeGp.exe (PID 4596)
  - C:\Windows\System\EjBEUBH.exe (PID 4088)
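The process tree above is the whole of this sample's local behaviour: one parent writes 21 executables with seven-letter pseudo-random names into C:\Windows\System (the legacy directory, not System32), launches each of them, and enables SeLockMemoryPrivilege, which is the privilege XMRig requests so it can back RandomX with large pages. The Python below is an added example, not sandbox output: it runs that drop-and-spawn logic over constructed event rows built from the PIDs and paths listed in this report (the field names, the benign control rows and the threshold are assumptions) and flags a parent only when it both wrote and executed several files in that directory, carrying the privilege request along as corroboration.

```python
import re
from collections import defaultdict

# Executables placed directly in the legacy C:\Windows\System directory (not
# System32 or SysWOW64). A stock Windows 10 image has no .exe files there and
# writing to it needs administrative rights, so the pattern is cheap to hunt.
LEGACY_SYSTEM_EXE = re.compile(r"^c:\\windows\\system\\[^\\]+\.exe$", re.IGNORECASE)

DROPPER = (r"C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76"
           r"_cobalt-strike_cobaltstrike_poet-rat.exe")

# Constructed event rows modelled on the report's "Drops file in Windows directory",
# "Executes dropped EXE" and "AdjustPrivilegeToken" sections (four of the 21 children
# plus two benign control rows). The field names are an assumption, not a real
# Sysmon schema.
EVENTS = [
    {"event": "file_create", "pid": 3084, "image": DROPPER, "target": r"C:\Windows\System\qCYNAky.exe"},
    {"event": "file_create", "pid": 3084, "image": DROPPER, "target": r"C:\Windows\System\YyVzPKv.exe"},
    {"event": "file_create", "pid": 3084, "image": DROPPER, "target": r"C:\Windows\System\TnHBJsO.exe"},
    {"event": "file_create", "pid": 3084, "image": DROPPER, "target": r"C:\Windows\System\LkZNiKo.exe"},
    {"event": "privilege", "pid": 3084, "image": DROPPER, "privilege": "SeLockMemoryPrivilege"},
    {"event": "process_create", "pid": 976, "ppid": 3084, "image": r"C:\Windows\System\qCYNAky.exe"},
    {"event": "process_create", "pid": 1844, "ppid": 3084, "image": r"C:\Windows\System\YyVzPKv.exe"},
    {"event": "process_create", "pid": 3016, "ppid": 3084, "image": r"C:\Windows\System\TnHBJsO.exe"},
    {"event": "process_create", "pid": 2536, "ppid": 3084, "image": r"C:\Windows\System\LkZNiKo.exe"},
    # Benign controls: a setup program writing one file there, and a normal System32 launch.
    {"event": "file_create", "pid": 4100, "image": r"C:\setup\installer.exe", "target": r"C:\Windows\System\legacy.exe"},
    {"event": "process_create", "pid": 5200, "ppid": 4100, "image": r"C:\Windows\System32\notepad.exe"},
]


def drop_and_spawn(events, min_children=3):
    """Find processes that wrote >= min_children executables into C:\\Windows\\System
    and then launched those same files. Returns {parent_pid: details}."""
    dropped = defaultdict(set)          # pid  -> files it created there (lower-cased)
    spawned = defaultdict(set)          # ppid -> children it started from there
    image_of, lock_memory = {}, set()
    for ev in events:
        kind = ev["event"]
        if kind == "file_create" and LEGACY_SYSTEM_EXE.match(ev["target"]):
            dropped[ev["pid"]].add(ev["target"].lower())
            image_of[ev["pid"]] = ev["image"]
        elif kind == "process_create" and LEGACY_SYSTEM_EXE.match(ev["image"]):
            spawned[ev["ppid"]].add(ev["image"].lower())
        elif kind == "privilege" and ev["privilege"] == "SeLockMemoryPrivilege":
            lock_memory.add(ev["pid"])  # large-page allocation, what XMRig asks for
    hits = {}
    for pid, files in dropped.items():
        both = sorted(files & spawned[pid])      # written AND executed by the same parent
        if len(both) >= min_children:
            hits[pid] = {"image": image_of[pid], "children": both,
                         "lock_memory_privilege": pid in lock_memory}
    return hits


if __name__ == "__main__":
    for pid, hit in drop_and_spawn(EVENTS).items():
        print(f"PID {pid} {hit['image']}")
        print(f"  dropped and ran {len(hit['children'])} files; "
              f"SeLockMemoryPrivilege={hit['lock_memory_privilege']}")
        for child in hit["children"]:
            print(f"    {child}")
```

The threshold keeps a one-off installer out of the results; the privilege flag is reported rather than required, because a Cobalt Strike loader that did not bundle a miner would skip it and the drop-and-spawn pattern alone is still worth a look.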
Downloads (21 files, each 5.2MB)

- Filesize: 5.2MB
  MD5: 36ee7c37918de24ec39b4c46d6acee9b
  SHA1: a5250d9ae2d190bf63831db90d4f9618b71b7799
  SHA256: 067ad2e7fd65c4d200684dab68ca0b37c5bd602092874db1609fd3d58af2f354
  SHA512: d22eae05dd0f0fc026055b806816ca8be7c4559a3040dcebe7d288f6aafaab193efa6a7f594c4b00ed2fcce6cf3998e33acd6b1af3894a46269aacfac546a877

- Filesize: 5.2MB
  MD5: 4cf96cb4d528f7b5ecb9997f7d203325
  SHA1: bdafc296244acda0f3d788794a06478b0b5503d0
  SHA256: c516a48f2c7db70e933795600cad7ab98edacd8ca6d0e5db18c07d739f242ae2
  SHA512: 3854337135c953985925d0f33227033ec354fc57ab81e1fbbbe8b28d5c243eba970f7a8c4e10908435cbe0e4279a3e12381ec2a6ac3a1c852348ab9392fbd4fe

- Filesize: 5.2MB
  MD5: 7330adc77c291701db4450b42a276046
  SHA1: 7351f955f74e201d35a9d4be6f49c8e95f233fe5
  SHA256: b3038074f677124c3448296952888c440053a90550b9f1656c596a8e5f7ed1d1
  SHA512: b8706ceefd8ebeef033989d758dcc5eccae42457d403d42b2ecc9be6aebd99c91fbe2f10f31d0109ceaa9a29fe703975dd32a46c0bf8dc62cd5680b14252351c

- Filesize: 5.2MB
  MD5: 5eef210b8795684a7c52c80ec9da6ecc
  SHA1: 05b314f3d2236d0dc3fdf72d3b2f234fe1eb96eb
  SHA256: cc6adf77cee877ce76d72691474e9f048a5baf158253a4204f42d37c660c5d02
  SHA512: dc889d939e9bded9278d32e83ef1057722b7856262f99e0ac7eabbd8271843dd67b1ab28c20436818ae2734485c063ee50039dc7ae0180cbb42a2f564a44b700

- Filesize: 5.2MB
  MD5: 9fcb88b35aa520aabee5e6ee9f5b297a
  SHA1: 4a6bab462413ab5a2e6058b0015ac42cb6eb9cc2
  SHA256: dee4d2b2e1fc1aeb8613fbf5910e7e1ce283ff382523e94c3bb031cd6f195be8
  SHA512: e1e7561e81dba390db5f6ee2e13132fda941b83751c2c434a03b851d8194b3480e31671fd0da02c38f844925284fd2915464bfb334dfe18b36ba3f4794617f3c

- Filesize: 5.2MB
  MD5: c80f237c04aac3eb5949252cbbc97b9f
  SHA1: d22805cc69008720c4d7bc5436ad3739e66bcce8
  SHA256: 5458e4a5e814edfbf3c2ddd72d4bd4a6e8751ff7aed62144c94efd27c4d35f83
  SHA512: 623f7ebefff823718d3110c5713d8762ea3268bdc0d59bb690b328f36e22b9076f1fcd4015bda0e64f30eefa2c72077fc06bd7f7bc2c07e6e2019ba87e79630a

- Filesize: 5.2MB
  MD5: 45ae0640e800c5d09cc35e1d21240f27
  SHA1: e6652fd165cf32e5c84953f6754d9f521ec5e82b
  SHA256: 4beff2c068feac7498d5a29374aa83250b3103202d50cd2390e9f3682f66d292
  SHA512: 1c6a4f0ed86c2714ee8309fa6212aafb0b54c1bb25e5c0a5f8f9f55869879ee6887abd0ca8e16c22cda74ddcb2863dac37f4dc8771a757cb68c304813bd71828

- Filesize: 5.2MB
  MD5: 4c577a516b61feec48fe838c7a75eea5
  SHA1: 613dc08fa9cfe4247f6f10c6b2437f159cf396b7
  SHA256: 3ee1cd0cf3a7805b45246ba7d6b3e6af016a85f42ad3a984e2bee76ad2ffb4f4
  SHA512: 46f2d32d464b9cb4a053dbda83246e7c360eb7b61e4ac993f80c4abe27993cc1a3241e249eb5c7e37cd54d7cee352c1a4a96507d6e9a29793a5d368a67394aac

- Filesize: 5.2MB
  MD5: 4494d5afb8b1b4b651a562ae7083960a
  SHA1: 22c831f4184b88fd705b69c51730a2e6724c8890
  SHA256: 5d77e30b1c2077be1762624921d27d7facec28a53b2f82784ae87a97bab945f8
  SHA512: 5e9c1f0d09d58bbb4c4cdab6be6caea32af10a40eae251ae802358184a1da5e1d3c8c1d506861b62dc352a4d6e9cb6d0e3ee1e057b51ab8aac5a95991d77f31d

- Filesize: 5.2MB
  MD5: 17709c4f5e9bcdabeb309773a9002753
  SHA1: 8ffb33ed9035fc4e1e910f9ff4b169e8722028ee
  SHA256: c624d800959e796ad9e7e59e089622dae27130985657eaa452555d1f33b68216
  SHA512: 0a3adf929ca898e0d9e4e4a7f2423e67ca44279a0b5776b3ea3d1753538a3336f84f165fec059f015cef7ea37ddb8ff0ce8edd36f9673c33f148948270646b7a

- Filesize: 5.2MB
  MD5: adb0516d191abb689db40ba7c04f4856
  SHA1: 706a2fb4092780794ca385d40744703670b3b0b0
  SHA256: 86ee5913c3b522c38d6204912816d6a4b762b30fab3a266e8cf9076e4095ef0a
  SHA512: f33b1e3b9735e85cbc41a7b2ca04dc008c4e86f4b1d58922577954393aefb66e7490415ae8569ae5de73856a945f1d5e5e772706f3af7b9674a193e7ef8abff4

- Filesize: 5.2MB
  MD5: 152393789d05cd98e6224c84d2bb2616
  SHA1: e96872e0ff03d008317bf31d485f60f967d6738e
  SHA256: adb9332a4ecefd2fca65967d1fb8c675aa2136f1dc76df01bac4ce44024b340e
  SHA512: 28abf84b9e401dbe0c8ce3dd17b95b062aa5da4c1389b7cd1a41fde75d5f2450d072a3cad336d01532c31af40e96042adc88f1756d838cff1366a1e842ad2a87

- Filesize: 5.2MB
  MD5: f2fd5e6c1f663d7e65f3013922b807f8
  SHA1: fc56b09f265295c931b8b699eb19d63cb6a11208
  SHA256: 98f18e5a8d33337b73cb89c25290b4f2f33db0ce4885454d6cb05459602cd016
  SHA512: 7585c670a2c8ed1ef59883d1196f4b0ec8e659f4db802e14dae09a9ea95518116c4a0afb5a3326ecd20a5c83ec90f4dcc7f7d2cfda7061d99510bc593f5467ad

- Filesize: 5.2MB
  MD5: b51d4791237705022a68a907bda4d14e
  SHA1: 0cbd87d251562eef1d2527c3b412c8d42c37e831
  SHA256: 9087a5acc14da017336715b9ef6e0fb9bd9aace249bf9e44734568f8df001989
  SHA512: 194f631dd6ac9271074fe1e7bc8d75f398112332c91a5dac6bcac8d59df00c44dabb1aa9d5814163aa4c16240e651991e71bc1adc59802ea698d3a9629dc9b4c

- Filesize: 5.2MB
  MD5: a5435a4af7e523aa02ffb15c774c0bf3
  SHA1: 7f5255a3c65fc60a302a363d7bb7521cde2eea28
  SHA256: c9fa4ec95b3f39e41e57f7344a6ac1e78c4971f9143193cb4b704aebe5326dfd
  SHA512: 8dc32339c76816373a524108d38325b63122eb421bac69d9be5804d5c888a6a8bd072f05af329982d86180f80ee104bb7183796819033e086db94052bdbd0beb

- Filesize: 5.2MB
  MD5: 5c948a8981011a500e5f4c15de3b7722
  SHA1: f1ab8082b1cf1d739302e576d5e04753896cbbb3
  SHA256: e8797eda33b89d0d977905f0c44af8c438d86d50fe3b6bf3580291f5eb500b0b
  SHA512: 74f0d2aaa0234bcfd2ace5ae53c6710585e44c91c7ccb58e1b4509f76b46ded80b080cbe3829d823082b19f338ce8f37ebdc706cc44c68fd974a07a5a00fb7b5

- Filesize: 5.2MB
  MD5: 498c87ffa12483517f740eb401b2ad35
  SHA1: 00cb3ae1fb80f69d4bce00d1edbbb634cb2bd51c
  SHA256: 0a3d819eb160b680da0776204f4e7a2041132c64f6a188f2d9644ccfcd2fddef
  SHA512: 7786948dac6b6d8c54e12d9e915fce5887006b66a5bd19dd83cd247b70e7f9a125941e60a3d18f7e58540efa298e64ec44b4a8deb5290437d2317398d5d17799

- Filesize: 5.2MB
  MD5: 808464319ec81dc11501d30caf0b008e
  SHA1: 0c1d300fb527d2471e289bd73407dfc589c9dce1
  SHA256: 57e4a492fd8a42d0baaf51547653733a355e9ce70b65d6d0dc88c7e992c1a3ff
  SHA512: 7eb10ab79d03626bcdf1e765d245b80f4187b8b099c6ca74743dd5dae0a908ec1f8fbf370ca770d2845aafd091e1c296348c13d5f0e59d3835796be2c94bb75f

- Filesize: 5.2MB
  MD5: c29fb264942a93efa869d7b6fdedc65b
  SHA1: 384fdeee1edeb286e909e204e12d5ffe6d7de7c5
  SHA256: 1cb447c7ea498abd9f72709485638b602cf849f11f4149e073ce6e471a8cdac7
  SHA512: dc531cdf8769b8d3edb0836c7d3bff62e00ac23ba5bcead57de9d2cd221a1ec2441bc56ea37df2ce1d5f89be37db1927ea4bff12c48b59f7e053be5c3b92b920

- Filesize: 5.2MB
  MD5: 0e15b32a3b642c94f8f0ae8f9e7f39ab
  SHA1: 49077cc6372ee8fcdeab4b7641a7a934d8ceef03
  SHA256: 25c27d394c70ad99d05787959d74d3cae7f2d4f3b5c81d6b18e9cc6ec8d3802d
  SHA512: 49d1aef8abf5885dfa5ce7c85a3b621794b0eb9bc5ed6359115b18d3dab3433acb25ef51c20c11765449c3fc72c9439360e23f172be7c96a613aa23aa864ea7e

- Filesize: 5.2MB
  MD5: 64b341a9fb40d7d921fb567f77568ff9
  SHA1: e9aadd91d68f01f32eec724a0d62697e6097e020
  SHA256: 57eead5eac9860c084b37ad4137c1d7a17081dd02c8d0adf3a24d995568a4a12
  SHA512: 5ca1061d77b040b316933b8d9def5eff7253aa3f6797b3273e16755509671f7efdbfee605e1d1b2b43e5e9075434eb01c84fadc6c0dc3a18a2fda01c739a163f