Analysis

max time kernel: 141s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 15:24

Behavioral task: behavioral1
Sample: 2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe
Resource: win7-20240903-en
General

Target: 2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe
Size: 5.2MB
MD5: 9193a68334f3d0ceb7c720348d7cb892
SHA1: 26bc63d9b6fc062775d89d89505277a64255b4b4
SHA256: 7818509911bf43dbd4c52a0dd9f6b86bd8d1411c6b7cf01776cbd5cf92ab5b00
SHA512: 86dbb6fa50cbf766887bade2d2cde83bc609b93c0146acd2074ece50bc3f32032f38e3fd05e1c4f82392a0daf3d89d6998390661b3dc930e7241af840c50bc60
SSDEEP: 49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lZ:RWWBibd56utgpPFotBER/mQ32lUF
Malware Config

Extracted: cobaltstrike (0)

C2 URLs:
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host (three C2 hosts, each paired with its GET URI): ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1 (base64-encoded Malleable C2 transform program for the GET request, not a literal header): AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2 (same encoding, for the POST request): AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32 (32-bit spawnto target for post-exploitation jobs): %windir%\syswow64\rundll32.exe
sc_process64 (64-bit spawnto target): %windir%\sysnative\rundll32.exe
state_machine (despite the label, the value is a zero-padded DER SubjectPublicKeyInfo, i.e. the beacon's 1024-bit RSA public key): MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri (POST URI): /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
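The http_header1 and http_header2 blobs above are the beacon's client-side transform programs: a sequence of 4-byte big-endian opcodes, some followed by a 4-byte length and a string, terminated by opcode 0. The header names, cookie fragments and query parameters they carry (Host: www.amazon.com, skin=noskin, csm-hit=..., sz=160x600) are those of the public amazon Malleable C2 profile, while the traffic actually goes to the softline.top hosts listed in the config, which is the Host-header mismatch a network defender would hunt for. The script below is an added example written for this report, not sandbox or Cobalt Strike code. It embeds the two blobs and the two URIs verbatim from the config, decodes them, and renders the request shape each program produces. The opcode names are an assumption taken from public beacon config parsers (1768.py, CobaltStrikeParser); the ones this sample uses are confirmed by the strings that decode next to them (10 = constant header, 9 = constant parameter, 7 = build, 3 = base64, 2 = prepend, 1 = append, 6 = header, 5 = parameter, 4 = print).

```python
"""Decode Cobalt Strike HTTP transform programs from an extracted beacon config.

Added example for this report; not sandbox output and not Cobalt Strike code.
"""
import base64
import struct

# Copied verbatim from the Malware Config section of this report.
HTTP_HEADER1 = (
    "AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49"
    "AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZD"
    "b29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    "AAAAAAAAAAAAAAAAAA=="
)
HTTP_HEADER2 = (
    "AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0"
    "cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAA"
    "AAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEA"
    "AAADAAAABAAAAAAAAA=="
)
GET_URI = "/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"
POST_URI = "/N4215/adj/amzn.us.sr.aps"

# Opcode table (assumption: names follow public parsers such as 1768.py).
# Opcodes with one string argument (4-byte length + bytes):
STRING_OPS = {1: "append", 2: "prepend", 5: "parameter", 6: "header",
              9: "const_parameter", 10: "const_header", 12: "uri_append"}
# Opcodes without arguments:
FLAG_OPS = {3: "base64", 4: "print", 8: "netbios", 11: "netbiosu",
            13: "base64url", 15: "mask"}


def _b64(blob):
    # The config stores fixed-size, zero-padded blobs; tolerate lost padding
    # from copy/paste (a dangling sextet cannot encode a byte, so drop it).
    s = blob.strip().rstrip("=")
    if len(s) % 4 == 1:
        s = s[:-1]
    return base64.b64decode(s + "=" * (-len(s) % 4))


def _u32(data, pos):
    return struct.unpack(">I", data[pos:pos + 4])[0]


def decode_transform(blob):
    """Return the transform program as [(op, arg), ...], stopping at END (0)."""
    data, pos, steps = _b64(blob), 0, []
    while pos + 4 <= len(data):
        op = _u32(data, pos)
        pos += 4
        if op == 0:
            break
        if op in STRING_OPS:
            n = _u32(data, pos)
            pos += 4
            steps.append((STRING_OPS[op], data[pos:pos + n].decode("latin-1")))
            pos += n
        elif op == 7:  # build: 0 = metadata (GET) / session id (POST), 1 = output
            steps.append(("build", _u32(data, pos)))
            pos += 4
        elif op == 14:  # strrep carries two strings (search, replace)
            args = []
            for _ in range(2):
                n = _u32(data, pos)
                pos += 4
                args.append(data[pos:pos + n].decode("latin-1"))
                pos += n
            steps.append(("strrep", tuple(args)))
        elif op in FLAG_OPS:
            steps.append((FLAG_OPS[op], None))
        else:
            raise ValueError(f"unknown transform opcode {op} at offset {pos - 4}")
    return steps


def render_request(steps, method, uri):
    """Symbolic HTTP request; <metadata>, <id> and <output> stand for beacon data."""
    headers, params, body, value = [], [], "", ""
    for op, arg in steps:
        if op == "const_header":
            headers.append(arg)
        elif op == "const_parameter":
            params.append(arg)
        elif op == "build":
            value = "<output>" if arg == 1 else ("<metadata>" if method == "GET" else "<id>")
        elif op in ("base64", "base64url", "netbios", "netbiosu", "mask"):
            value = f"{op}({value})"
        elif op == "prepend":
            value = arg + value
        elif op == "append":
            value = value + arg
        elif op == "strrep":
            value = value.replace(arg[0], arg[1])
        elif op == "header":
            headers.append(f"{arg}: {value}")
        elif op == "parameter":
            params.append(f"{arg}={value}")
        elif op == "uri_append":
            uri += value
        elif op == "print":
            body = value
    query = "?" + "&".join(params) if params else ""
    text = "\n".join([f"{method} {uri}{query} HTTP/1.1", *headers])
    return text + ("\n\n" + body if body else "")


if __name__ == "__main__":
    for blob, method, uri in ((HTTP_HEADER1, "GET", GET_URI), (HTTP_HEADER2, "POST", POST_URI)):
        steps = decode_transform(blob)
        for op, arg in steps:
            print(f"  {op} {arg if arg is not None else ''}")
        print(render_request(steps, method, uri), end="\n\n")
```

The GET program yields a Cookie header of the form skin=noskin;session-token=base64(<metadata>)csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996, and the POST program carries the session id in the sn query parameter and the base64 output in the body. Those fixed fragments, combined with a Host header of www.amazon.com on a connection to a softline.top address on port 443, are what a proxy or IDS rule derived from this config should key on.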
Signatures

Cobalt Strike reflective loader (21 IoCs)
Detects the reflective loader used by Cobalt Strike.
resource                                       yara_rule
behavioral2/files/0x0009000000023c98-5.dat     cobalt_reflective_dll
behavioral2/files/0x0007000000023ca1-12.dat    cobalt_reflective_dll
behavioral2/files/0x0007000000023ca3-21.dat    cobalt_reflective_dll
behavioral2/files/0x0007000000023ca4-25.dat    cobalt_reflective_dll
behavioral2/files/0x0007000000023ca7-44.dat    cobalt_reflective_dll
behavioral2/files/0x0007000000023ca9-66.dat    cobalt_reflective_dll
behavioral2/files/0x000a000000023c99-75.dat    cobalt_reflective_dll
behavioral2/files/0x0007000000023cab-79.dat    cobalt_reflective_dll
behavioral2/files/0x0007000000023caa-73.dat    cobalt_reflective_dll
behavioral2/files/0x0007000000023ca8-64.dat    cobalt_reflective_dll
behavioral2/files/0x0007000000023ca6-43.dat    cobalt_reflective_dll
behavioral2/files/0x0007000000023ca5-40.dat    cobalt_reflective_dll
behavioral2/files/0x0007000000023ca2-29.dat    cobalt_reflective_dll
behavioral2/files/0x0007000000023cac-85.dat    cobalt_reflective_dll
behavioral2/files/0x0007000000023cae-94.dat    cobalt_reflective_dll
behavioral2/files/0x0007000000023cb0-111.dat   cobalt_reflective_dll
behavioral2/files/0x0007000000023cb2-119.dat   cobalt_reflective_dll
behavioral2/files/0x0007000000023cb1-123.dat   cobalt_reflective_dll
behavioral2/files/0x0007000000023cb3-132.dat   cobalt_reflective_dll
behavioral2/files/0x0007000000023caf-107.dat   cobalt_reflective_dll
behavioral2/files/0x0007000000023cad-100.dat   cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.

Cobaltstrike family

Xmrig family

XMRig Miner payload (45 IoCs)
resource                                                                       yara_rule
behavioral2/memory/3464-77-0x00007FF66A350000-0x00007FF66A6A1000-memory.dmp    xmrig
behavioral2/memory/3840-71-0x00007FF6FE770000-0x00007FF6FEAC1000-memory.dmp    xmrig
behavioral2/memory/4124-81-0x00007FF630C50000-0x00007FF630FA1000-memory.dmp    xmrig
behavioral2/memory/3516-82-0x00007FF7A0E00000-0x00007FF7A1151000-memory.dmp    xmrig
behavioral2/memory/4872-130-0x00007FF65B730000-0x00007FF65BA81000-memory.dmp   xmrig
behavioral2/memory/736-120-0x00007FF7D0590000-0x00007FF7D08E1000-memory.dmp    xmrig
behavioral2/memory/460-109-0x00007FF750F20000-0x00007FF751271000-memory.dmp    xmrig
behavioral2/memory/952-108-0x00007FF604FB0000-0x00007FF605301000-memory.dmp    xmrig
behavioral2/memory/3508-103-0x00007FF7A4A60000-0x00007FF7A4DB1000-memory.dmp   xmrig
behavioral2/memory/1908-102-0x00007FF6C74D0000-0x00007FF6C7821000-memory.dmp   xmrig
behavioral2/memory/3476-86-0x00007FF60A820000-0x00007FF60AB71000-memory.dmp    xmrig
behavioral2/memory/4376-145-0x00007FF636D90000-0x00007FF6370E1000-memory.dmp   xmrig
behavioral2/memory/1168-150-0x00007FF7F6E00000-0x00007FF7F7151000-memory.dmp   xmrig
behavioral2/memory/3496-148-0x00007FF7852E0000-0x00007FF785631000-memory.dmp   xmrig
behavioral2/memory/3036-147-0x00007FF7D7DC0000-0x00007FF7D8111000-memory.dmp   xmrig
behavioral2/memory/2552-143-0x00007FF674C80000-0x00007FF674FD1000-memory.dmp   xmrig
behavioral2/memory/4124-134-0x00007FF630C50000-0x00007FF630FA1000-memory.dmp   xmrig
behavioral2/memory/4936-149-0x00007FF60E630000-0x00007FF60E981000-memory.dmp   xmrig
behavioral2/memory/4004-153-0x00007FF62BA50000-0x00007FF62BDA1000-memory.dmp   xmrig
behavioral2/memory/4124-154-0x00007FF630C50000-0x00007FF630FA1000-memory.dmp   xmrig
behavioral2/memory/1308-159-0x00007FF608AC0000-0x00007FF608E11000-memory.dmp   xmrig
behavioral2/memory/1648-160-0x00007FF62B830000-0x00007FF62BB81000-memory.dmp   xmrig
behavioral2/memory/4192-157-0x00007FF77AE40000-0x00007FF77B191000-memory.dmp   xmrig
behavioral2/memory/4500-161-0x00007FF659C60000-0x00007FF659FB1000-memory.dmp   xmrig
behavioral2/memory/3476-209-0x00007FF60A820000-0x00007FF60AB71000-memory.dmp   xmrig
behavioral2/memory/3516-221-0x00007FF7A0E00000-0x00007FF7A1151000-memory.dmp   xmrig
behavioral2/memory/3508-223-0x00007FF7A4A60000-0x00007FF7A4DB1000-memory.dmp   xmrig
behavioral2/memory/952-225-0x00007FF604FB0000-0x00007FF605301000-memory.dmp    xmrig
behavioral2/memory/736-227-0x00007FF7D0590000-0x00007FF7D08E1000-memory.dmp    xmrig
behavioral2/memory/4872-229-0x00007FF65B730000-0x00007FF65BA81000-memory.dmp   xmrig
behavioral2/memory/1168-231-0x00007FF7F6E00000-0x00007FF7F7151000-memory.dmp   xmrig
behavioral2/memory/2552-234-0x00007FF674C80000-0x00007FF674FD1000-memory.dmp   xmrig
behavioral2/memory/3840-237-0x00007FF6FE770000-0x00007FF6FEAC1000-memory.dmp   xmrig
behavioral2/memory/4376-236-0x00007FF636D90000-0x00007FF6370E1000-memory.dmp   xmrig
behavioral2/memory/3036-241-0x00007FF7D7DC0000-0x00007FF7D8111000-memory.dmp   xmrig
behavioral2/memory/3464-240-0x00007FF66A350000-0x00007FF66A6A1000-memory.dmp   xmrig
behavioral2/memory/3496-243-0x00007FF7852E0000-0x00007FF785631000-memory.dmp   xmrig
behavioral2/memory/4936-253-0x00007FF60E630000-0x00007FF60E981000-memory.dmp   xmrig
behavioral2/memory/1908-255-0x00007FF6C74D0000-0x00007FF6C7821000-memory.dmp   xmrig
behavioral2/memory/460-258-0x00007FF750F20000-0x00007FF751271000-memory.dmp    xmrig
behavioral2/memory/4004-259-0x00007FF62BA50000-0x00007FF62BDA1000-memory.dmp   xmrig
behavioral2/memory/1648-264-0x00007FF62B830000-0x00007FF62BB81000-memory.dmp   xmrig
behavioral2/memory/4192-265-0x00007FF77AE40000-0x00007FF77B191000-memory.dmp   xmrig
behavioral2/memory/4500-261-0x00007FF659C60000-0x00007FF659FB1000-memory.dmp   xmrig
behavioral2/memory/1308-267-0x00007FF608AC0000-0x00007FF608E11000-memory.dmp   xmrig

Executes dropped EXE (21 IoCs)
pid    Process
3476   ecfXdcy.exe
3516   bgxGPsE.exe
952    nHMVhql.exe
3508   vfvImcs.exe
736    OEtWJIX.exe
4872   CRLOYNJ.exe
1168   jgKOQwK.exe
2552   HkyfTzY.exe
3840   dRUbbBQ.exe
4376   FuAzjCT.exe
3464   ybVqnGU.exe
3036   RAIJPvC.exe
3496   XkqbVxy.exe
4936   kcnfNTG.exe
460    eCBNMAk.exe
1908   GeyoJVw.exe
4004   rtBtwGE.exe
4192   gCcpJJo.exe
4500   EwGmIhf.exe
1308   SdgSxck.exe
1648   HctwnwU.exe

Resources matching the upx YARA rule (64 IoCs)
resource                                                                       yara_rule
behavioral2/memory/4124-0-0x00007FF630C50000-0x00007FF630FA1000-memory.dmp     upx
behavioral2/files/0x0009000000023c98-5.dat                                     upx
behavioral2/files/0x0007000000023ca1-12.dat                                    upx
behavioral2/memory/3516-17-0x00007FF7A0E00000-0x00007FF7A1151000-memory.dmp    upx
behavioral2/files/0x0007000000023ca3-21.dat                                    upx
behavioral2/files/0x0007000000023ca4-25.dat                                    upx
behavioral2/memory/736-33-0x00007FF7D0590000-0x00007FF7D08E1000-memory.dmp     upx
behavioral2/files/0x0007000000023ca7-44.dat                                    upx
behavioral2/memory/2552-54-0x00007FF674C80000-0x00007FF674FD1000-memory.dmp    upx
behavioral2/files/0x0007000000023ca9-66.dat                                    upx
behavioral2/files/0x000a000000023c99-75.dat                                    upx
behavioral2/files/0x0007000000023cab-79.dat                                    upx
behavioral2/memory/3496-78-0x00007FF7852E0000-0x00007FF785631000-memory.dmp    upx
behavioral2/memory/3464-77-0x00007FF66A350000-0x00007FF66A6A1000-memory.dmp    upx
behavioral2/files/0x0007000000023caa-73.dat                                    upx
behavioral2/memory/3840-71-0x00007FF6FE770000-0x00007FF6FEAC1000-memory.dmp    upx
behavioral2/files/0x0007000000023ca8-64.dat                                    upx
behavioral2/memory/3036-63-0x00007FF7D7DC0000-0x00007FF7D8111000-memory.dmp    upx
behavioral2/memory/4376-62-0x00007FF636D90000-0x00007FF6370E1000-memory.dmp    upx
behavioral2/files/0x0007000000023ca6-43.dat                                    upx
behavioral2/memory/1168-42-0x00007FF7F6E00000-0x00007FF7F7151000-memory.dmp    upx
behavioral2/files/0x0007000000023ca5-40.dat                                    upx
behavioral2/memory/4872-35-0x00007FF65B730000-0x00007FF65BA81000-memory.dmp    upx
behavioral2/memory/952-30-0x00007FF604FB0000-0x00007FF605301000-memory.dmp     upx
behavioral2/files/0x0007000000023ca2-29.dat                                    upx
behavioral2/memory/3508-24-0x00007FF7A4A60000-0x00007FF7A4DB1000-memory.dmp    upx
behavioral2/memory/3476-8-0x00007FF60A820000-0x00007FF60AB71000-memory.dmp     upx
behavioral2/memory/4124-81-0x00007FF630C50000-0x00007FF630FA1000-memory.dmp    upx
behavioral2/memory/3516-82-0x00007FF7A0E00000-0x00007FF7A1151000-memory.dmp    upx
behavioral2/files/0x0007000000023cac-85.dat                                    upx
behavioral2/files/0x0007000000023cae-94.dat                                    upx
behavioral2/files/0x0007000000023cb0-111.dat                                   upx
behavioral2/files/0x0007000000023cb2-119.dat                                   upx
behavioral2/files/0x0007000000023cb1-123.dat                                   upx
behavioral2/files/0x0007000000023cb3-132.dat                                   upx
behavioral2/memory/1648-131-0x00007FF62B830000-0x00007FF62BB81000-memory.dmp   upx
behavioral2/memory/4872-130-0x00007FF65B730000-0x00007FF65BA81000-memory.dmp   upx
behavioral2/memory/1308-126-0x00007FF608AC0000-0x00007FF608E11000-memory.dmp   upx
behavioral2/memory/4192-121-0x00007FF77AE40000-0x00007FF77B191000-memory.dmp   upx
behavioral2/memory/736-120-0x00007FF7D0590000-0x00007FF7D08E1000-memory.dmp    upx
behavioral2/memory/4500-116-0x00007FF659C60000-0x00007FF659FB1000-memory.dmp   upx
behavioral2/memory/4004-115-0x00007FF62BA50000-0x00007FF62BDA1000-memory.dmp   upx
behavioral2/memory/460-109-0x00007FF750F20000-0x00007FF751271000-memory.dmp    upx
behavioral2/memory/952-108-0x00007FF604FB0000-0x00007FF605301000-memory.dmp    upx
behavioral2/files/0x0007000000023caf-107.dat                                   upx
behavioral2/files/0x0007000000023cad-100.dat                                   upx
behavioral2/memory/3508-103-0x00007FF7A4A60000-0x00007FF7A4DB1000-memory.dmp   upx
behavioral2/memory/1908-102-0x00007FF6C74D0000-0x00007FF6C7821000-memory.dmp   upx
behavioral2/memory/4936-97-0x00007FF60E630000-0x00007FF60E981000-memory.dmp    upx
behavioral2/memory/3476-86-0x00007FF60A820000-0x00007FF60AB71000-memory.dmp    upx
behavioral2/memory/4376-145-0x00007FF636D90000-0x00007FF6370E1000-memory.dmp   upx
behavioral2/memory/1168-150-0x00007FF7F6E00000-0x00007FF7F7151000-memory.dmp   upx
behavioral2/memory/3496-148-0x00007FF7852E0000-0x00007FF785631000-memory.dmp   upx
behavioral2/memory/3036-147-0x00007FF7D7DC0000-0x00007FF7D8111000-memory.dmp   upx
behavioral2/memory/2552-143-0x00007FF674C80000-0x00007FF674FD1000-memory.dmp   upx
behavioral2/memory/4124-134-0x00007FF630C50000-0x00007FF630FA1000-memory.dmp   upx
behavioral2/memory/4936-149-0x00007FF60E630000-0x00007FF60E981000-memory.dmp   upx
behavioral2/memory/4004-153-0x00007FF62BA50000-0x00007FF62BDA1000-memory.dmp   upx
behavioral2/memory/4124-154-0x00007FF630C50000-0x00007FF630FA1000-memory.dmp   upx
behavioral2/memory/1308-159-0x00007FF608AC0000-0x00007FF608E11000-memory.dmp   upx
behavioral2/memory/1648-160-0x00007FF62B830000-0x00007FF62BB81000-memory.dmp   upx
behavioral2/memory/4192-157-0x00007FF77AE40000-0x00007FF77B191000-memory.dmp   upx
behavioral2/memory/4500-161-0x00007FF659C60000-0x00007FF659FB1000-memory.dmp   upx
behavioral2/memory/3476-209-0x00007FF60A820000-0x00007FF60AB71000-memory.dmp   upx

Drops file in Windows directory (21 IoCs)
Process for every entry: 2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe
description    ioc
File created   C:\Windows\System\OEtWJIX.exe
File created   C:\Windows\System\jgKOQwK.exe
File created   C:\Windows\System\dRUbbBQ.exe
File created   C:\Windows\System\kcnfNTG.exe
File created   C:\Windows\System\GeyoJVw.exe
File created   C:\Windows\System\EwGmIhf.exe
File created   C:\Windows\System\SdgSxck.exe
File created   C:\Windows\System\HctwnwU.exe
File created   C:\Windows\System\ecfXdcy.exe
File created   C:\Windows\System\bgxGPsE.exe
File created   C:\Windows\System\nHMVhql.exe
File created   C:\Windows\System\CRLOYNJ.exe
File created   C:\Windows\System\HkyfTzY.exe
File created   C:\Windows\System\XkqbVxy.exe
File created   C:\Windows\System\rtBtwGE.exe
File created   C:\Windows\System\FuAzjCT.exe
File created   C:\Windows\System\ybVqnGU.exe
File created   C:\Windows\System\RAIJPvC.exe
File created   C:\Windows\System\vfvImcs.exe
File created   C:\Windows\System\eCBNMAk.exe
File created   C:\Windows\System\gCcpJJo.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description                    pid    Process
Token: SeLockMemoryPrivilege   4124   2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege   4124   2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe
SeLockMemoryPrivilege is the privilege required for large-page allocations, which XMRig enables for its RandomX dataset; the miner and the XMRig memory matches above sit in the same process, 4124.

Suspicious use of WriteProcessMemory (42 IoCs)
Process for every entry: 2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe (PID 4124). Each child appears twice in the source, hence 42 entries for 21 children.
description                          procid_target
PID 4124 wrote to memory of 3476     84   (2 entries)
PID 4124 wrote to memory of 3516     85   (2 entries)
PID 4124 wrote to memory of 952      86   (2 entries)
PID 4124 wrote to memory of 3508     87   (2 entries)
PID 4124 wrote to memory of 736      88   (2 entries)
PID 4124 wrote to memory of 4872     89   (2 entries)
PID 4124 wrote to memory of 1168     90   (2 entries)
PID 4124 wrote to memory of 2552     91   (2 entries)
PID 4124 wrote to memory of 3840     92   (2 entries)
PID 4124 wrote to memory of 4376     93   (2 entries)
PID 4124 wrote to memory of 3464     94   (2 entries)
PID 4124 wrote to memory of 3036     95   (2 entries)
PID 4124 wrote to memory of 3496     96   (2 entries)
PID 4124 wrote to memory of 4936     97   (2 entries)
PID 4124 wrote to memory of 460      98   (2 entries)
PID 4124 wrote to memory of 1908     99   (2 entries)
PID 4124 wrote to memory of 4004     100  (2 entries)
PID 4124 wrote to memory of 4192     101  (2 entries)
PID 4124 wrote to memory of 4500     103  (2 entries)
PID 4124 wrote to memory of 1308     104  (2 entries)
PID 4124 wrote to memory of 1648     105  (2 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe (PID 4124)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Child processes, all started directly by PID 4124 with the image path as the whole command line and each flagged "Executes dropped EXE":
    PID 3476   C:\Windows\System\ecfXdcy.exe
    PID 3516   C:\Windows\System\bgxGPsE.exe
    PID 952    C:\Windows\System\nHMVhql.exe
    PID 3508   C:\Windows\System\vfvImcs.exe
    PID 736    C:\Windows\System\OEtWJIX.exe
    PID 4872   C:\Windows\System\CRLOYNJ.exe
    PID 1168   C:\Windows\System\jgKOQwK.exe
    PID 2552   C:\Windows\System\HkyfTzY.exe
    PID 3840   C:\Windows\System\dRUbbBQ.exe
    PID 4376   C:\Windows\System\FuAzjCT.exe
    PID 3464   C:\Windows\System\ybVqnGU.exe
    PID 3036   C:\Windows\System\RAIJPvC.exe
    PID 3496   C:\Windows\System\XkqbVxy.exe
    PID 4936   C:\Windows\System\kcnfNTG.exe
    PID 460    C:\Windows\System\eCBNMAk.exe
    PID 1908   C:\Windows\System\GeyoJVw.exe
    PID 4004   C:\Windows\System\rtBtwGE.exe
    PID 4192   C:\Windows\System\gCcpJJo.exe
    PID 4500   C:\Windows\System\EwGmIhf.exe
    PID 1308   C:\Windows\System\SdgSxck.exe
    PID 1648   C:\Windows\System\HctwnwU.exe
Network
MITRE ATT&CK Matrix
Downloads (21 files, each 5.2MB)

1. MD5: cb6b41a0490e185861806561eb6b69c3
   SHA1: 075299abdab5a8d097325a62c73a311afd0437ea
   SHA256: b1e6829ed4103153a857848250607d041f1f761c683a0b3abedb9f0db293a5c6
   SHA512: 08c4409bc5f40d452ab136891da636d78df8735b6aab3c325b0d89caeae0199b304e9749bb483431436f8e844d62ba7f94e13c56805fb7c7d070d08d3aa0aae8

2. MD5: bf9359a89381a7fe947fff95fa7e74ac
   SHA1: e2befc314f3997aac0571469043817d685600ba6
   SHA256: 486a21aa0346bb686ee26cf3ad283490cd0b4005579d63f894dc01dca9e0b6c6
   SHA512: c78360e2c909e07371618db278b686533ea30a4abbb5075a8fd18b2966d270d98bf53357957b81c863f075d2c7560ec0e8a67e6c5725e6df946ca9807da9ebca

3. MD5: 068ac44dc5829f6394a7466bd74182cf
   SHA1: d1fce9662ea4d5d023dc65728f990100480f3ba9
   SHA256: ef45bc4f2787f802a15631fd327720cf3f3909141a2608bf7d4a5e9410e03e1f
   SHA512: efabaf095791c406251dfd4c19b8f05448ddbb4dfbc05a9c59053ffe02ace826e06535068c4640a0e4c996abeaca104d9030a130623a2b897961658a02732451

4. MD5: 9708a421f6288ec3d60fbe122e6f4dc1
   SHA1: 5b83ef7a45b9a661e932c0c84c46a3ade036b1eb
   SHA256: d2b5751ff5dc279c3b13e55eff058713fa2b7e93312a3b2c50440ce735c49f3c
   SHA512: 63d2dfa8951d7a9f50289f9165ac719e42b322cd947df3fad59a05c55faebb654fbd6683833865c872ffa047c58a23312b0d3c3d32c5f3c8ac79b2240af93954

5. MD5: 7f3a293cfaedc5f0dac69f1c86f8e074
   SHA1: a3c70b20a398fd8b0c7a5db64bcd363397140c80
   SHA256: a07c0024d53afbcc7b6f871e420d8e4708ca6d6e01351535f0b275d12a263e48
   SHA512: b68ddde69692defa7c23a22731f9ff89d0ef3e7e8e3b77207c43c884aae2a4f6ef7f0c6ee398583f0a533e6385739118f688e1b9b76516461eeccfb67896c36f

6. MD5: b24f51b4f81548b86604098d77bf08ef
   SHA1: ac31f440d0414cd0784905ea6bf684a413b8aa1f
   SHA256: f7d1328c37dc038954c05e12b52734c2a6acf5a0cbe3c2b7969fb04f5fee9efd
   SHA512: 1ad28dc3f6e415c007b3ad1620cf45d66605b6079b6ad13cd9b49e1b768b6e5bbfb619d66c00367f8ad4197d45318af754923c9d41d7cba9898a660bc23bcdf4

7. MD5: 6bcdcac667f7b0c4567f9d53d0b31a44
   SHA1: 02971a2a7172a0c683f9543e78ddc1039d93dca2
   SHA256: 2119b8436c94b199aebd9e3e9e07c22cfdb815cff1a68ad0b825d02b93a68767
   SHA512: 52d56dc2cc881129e1389a8c41ed4332512e3fb63b12948930e92478dad3b72362d55775b66dec479a52fc556286b7873c0add7742faac12057ff5a4b06db3ec

8. MD5: aa6417ceee1274a6fe7a0cdfba708849
   SHA1: c68f49548d63263970cd3312e1500043ac2fce92
   SHA256: 2ccbe7c9ff39493685c1245ba4b4be53d069acc4bcd532eea993971b480e9c21
   SHA512: 3b6363e7795408a560bb8c4eaffa205b87e49e7fc0b12bef932439f76074af5b45622aae4964dbeb15d656053192e0849a94695894150ec48b2c54d23a50188e

9. MD5: 3c24f5907d8cb7a9eb6d519ba4cf6bbb
   SHA1: 6585929ca677939c615b83249fe6ce49d57ea69d
   SHA256: 17a18275aa2b92a627b997abc97718824ef2704c7a0580eaaf70613d575936d1
   SHA512: 1cd06c0703061cb6f9fad824b199f74d4779320b2c138c82388b7a19765633f32f598d2e727b8436e6a5e51a38754d178715bee7db9c5c1a111992852e703284

10. MD5: 2289e9b213f47516b9f91f1b7f5c99ad
    SHA1: eeca393520d52a1d21094f8f5823aee5db8635fc
    SHA256: 454ebe42e10ee9bb67c9e04086e57ceb52c67183575d7a510d98ebc82a3bbfc9
    SHA512: 666634aad478f128287908f766012612a92fc14c1bc92bafac3df83bb78b93311f862603994a698d5c13b39ced643e2d96e5bade7fad8fb7c74312ad4793dc3f

11. MD5: de73c83c1fa09b3eb6c06ef40bc4048d
    SHA1: 5c7c9b9baa695af5f883b2995166bab6bc4c9a82
    SHA256: 91c243aee0275c8a94cc9118adfcca697b5a07016f1735f2882b5ccac28d9feb
    SHA512: 2544a403cbfcffd5f24a0e04f3d6901ba93e71c86153d56d7122f00450d1b7a4bb8b1e3306d5a27982f5d51610391067617ffd038afc7d81f27973fba6d47cfe

12. MD5: b3c342a32b54727ed0a736fd48a57a4f
    SHA1: cc266f687023dd6836be3f0a59848cba96d3c825
    SHA256: f71bb44cb82ed044c4507e1ea7a88eab012e672c7ebe15bd0b850b843d2af2cb
    SHA512: 9b6bb2008f72a793a8065f9fb132deec9daf6e8047e75678c04dae869706bf62785a007fc499f40caaba172d9d009ffbb09b20e598bd4592db1c4a2df5141ae1

13. MD5: fa7b4d48c5f9a3ac66bfa30bbb8ae7e7
    SHA1: e2821954144caac07ce9ee1e27a6012d3200bd65
    SHA256: 0753c925e167480c6d632c9cd262d56c7c19ae2d225025b31014960e60c346dd
    SHA512: bea4a935fc1e14ebbadafdae3a7c0705c18fecce4e539b3caadc85525533928aa99b51d35325db250549433cc6b163b199432f790f84d36ab8dc5ac20748ab96

14. MD5: 6b00dd20b7e29bd0fcedbb5e639bbcfe
    SHA1: d4f9ff082b9b9a2a61bc45aaf767ebadb212bb35
    SHA256: d23e28bcff0c5e612a043b95898cfbdf294bc32c4b87847b7ec5d368f502bc35
    SHA512: 14213750797c440b25fdbfd1f9006b87b00b563fc59f3ef41236711faa13e4ec84c6b70dee4b363e589dd775d79eb04916b928869e550a4afb7d30e05ef43d28

15. MD5: 97208122e80b494b718b3ccf1fcc1efc
    SHA1: c9ecf7967680283b74bcbb888968c5b14581215b
    SHA256: 15776b12b13025adca2f4d51af23b121034d8c98e554062995199b22926ac1f2
    SHA512: d5bc0c39e12fe62561168e1d0d4983e0b0c45f805836ca203788dc38d32b2c0fa866fc98989bd9068bcee9103e7e412aedda827a9d26869fc03bf586422ff1cc

16. MD5: 3cec5109ed778b986a3980eeb623ce8b
    SHA1: 7ac5c9590bd96b364f47fe60b7d0a9873b171e9d
    SHA256: cced47bc76729252822b924b9b4141a3e55063909ba992ec0623b33cd82886c3
    SHA512: 598946bd6eb9eda3edff5a75435b6792b2bc57736c021ef763fe79b855d79eca1b4470a4949b80b5395613f92625ff0615cea649d0aa1e1a52dcec610ff13ba9

17. MD5: 86e796ea6ed803909bf5d1f2bbbdbae8
    SHA1: 8b809421a993fb253a4a119df01dad6340e0ff79
    SHA256: 2d96191fc0a9dfbac5c9768b77737f472969699bcc297b464e3dea9c17960dea
    SHA512: c902d923e0daf71d88b092baf131258fdab5e2d035cddd38ecfcbaba5a426f89729bead13c60b34a812da5360149f3264167b95cb1f8f8eff3632ff7e6935eca

18. MD5: d68c0d9033da7434ad845009dae2fab9
    SHA1: 47625fc1f7458da417af79a1f6807da090e96902
    SHA256: 4a8232d7a80f2e83457412a0645f509ae80d8bce9445f297a2afbf21a6ec6e2a
    SHA512: 8de74bca1e9139b2cb84d9add14084f21ba02683cac652bab9acda8214403d8d1b213f5d7f900290a37c6d4ed5861abc47f2425dfabe817283a4c185f0e665fb

19. MD5: 9e2f7b936416590442714adb75c2afdd
    SHA1: e9b31199bedb202bc1230e4e084b4fefb5c37c05
    SHA256: b02b2ef8f262af275a1cf5df2ef43ae7555796b660b83753d5b8e47503130a57
    SHA512: 1c6f9b09ebbd9740e97152ad9e48ef94594f2cae5f67bc544c51e16b51e76030392acfce00bc4d01bb175cc763c2f081e7f86f41c0d14450ea5fc2aebdc88fad

20. MD5: 67606f9bce5cd626e545014d02e1a2eb
    SHA1: 3eb497f324f8dd3e6f0c27d7a1b75082b00653f7
    SHA256: 861ddec5ada85dc55bf1cf76ec0da876a1c013c02d93b09b72b1937670398d15
    SHA512: dd4c07475fa501486d6951f71e15d265a968ab3b3ba46cb259420bd0c3711b51c99d48c4a4fc1b00910fc0a1e64035896f82d8de5303f16230953624dfcee22f

21. MD5: a516f5db3fc37c8b11b9064ba99c675f
    SHA1: 52e6b850e72e1afa6e60daf638b02d2bb6f76ab0
    SHA256: 7a283eb5aa5269db10a139aeb44f6cbc4f497bef2e35b8c2d558d5aab96cbdae
    SHA512: 0564e05c8c0e40488f4c3e70319e5b83d21f14c77b8a7430297a9e622b815bf5c31075e94cb4ca08e3f34280af9f31fe3a233372a581d2f65299c62dbd1d0408