Analysis
-
max time kernel
141s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
09/11/2024, 15:25
Behavioral task
behavioral1
Sample
2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe
Resource
win7-20240903-en
Note: this task header names the Windows 7 run, but the platform and resource listed above (windows10-2004_x64, win10v2004-20241007-en) and the behavioral2/ prefix on every signature hit below mean that the results on this page come from the Windows 10 run.
General
-
Target
2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe
-
Size
5.2MB
-
MD5
9a9650bf9cbb13e69544fcac21a4d2be
-
SHA1
39d61e7a055c8602f386c971e1a5af19e4ac97aa
-
SHA256
88eae1f65df3bde5e241391c85236ae6fe363d504700ee94accf27e78ca0aedc
-
SHA512
d956d0a7a93eaf657b909d9ea660bfcbf1634c365c7950d57038cadc2497d5ce01bfa16215905b69bf7b91e0c9e1dc789ec6f7a7126051533bf77772803db12e
-
SSDEEP
49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l1:RWWBibd56utgpPFotBER/mQ32lUZ
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
-
access_type
512
-
beacon_type
256
-
create_remote_thread
768
-
crypto_scheme
256
-
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
-
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
-
http_method1
GET
-
http_method2
POST
-
maxdns
255
-
pipe_name
\\%s\pipe\msagent_%x
-
polling_time
5000
-
port_number
443
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
The label is the extractor's; the value is the beacon's public key: a base64, DER-encoded SubjectPublicKeyInfo for a 1024-bit RSA key (the MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ prefix is the fixed header of such a key), zero-padded to the size of the config slot. Beacon encrypts its session key and metadata to this key, and because the key is generated per team server it is a useful pivot for clustering samples.
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/N4215/adj/amzn.us.sr.aps
-
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
-
watermark
0
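The http_header1 and http_header2 values above are not literal headers. Each is the base64 of a fixed-size, zero-padded slot holding the client transform program of the beacon's http-get and http-post blocks: a sequence of big-endian 32-bit opcodes, some followed by a length-prefixed string. The decoder below is an added example written for this page, not sandbox output or Cobalt Strike code; the opcode numbering is the one public config parsers such as 1768.py and CobaltStrikeParser use, which is an assumption stated here rather than something the report documents. Run over the two blobs copied from this config, it reproduces the GET and POST client blocks of the widely shared "amazon" example Malleable C2 profile (Host: www.amazon.com, a session-token cookie carrying the metadata, the /N4215/adj/amzn.us.sr.aps POST), which is what the host, uri and user_agent fields above also point to.

```python
"""Decode the http_header1 / http_header2 transform blobs of a Cobalt Strike
beacon config back into Malleable C2 profile syntax (added example)."""
import base64
import struct

# Opcode numbering of the transform language as stored in the beacon config
# (assumption: the table used by public parsers such as 1768.py).
NO_ARG = {3: "base64", 4: "print", 8: "netbios", 11: "netbiosu",
          12: "uri_append", 13: "base64url", 15: "mask"}
STR_ARG = {1: "append", 2: "prepend", 5: "parameter", 6: "header",
           9: "_parameter", 10: "_header", 16: "hostheader"}
# What "build N" refers to differs between the GET and POST client blocks.
BUILD_TARGET = {"http-get": {0: "metadata", 1: "output"},
                "http-post": {0: "id", 1: "output"}}
# Statements that consume the data being built, closing the build block.
TERMINATORS = {"header", "parameter", "print", "uri_append"}

# The two blobs exactly as shown in the extracted config above.
HTTP_HEADER1 = "AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="
HTTP_HEADER2 = "AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA=="
GET_URI = "/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"
POST_URI = "/N4215/adj/amzn.us.sr.aps"


def slot_bytes(b64_blob: str) -> bytes:
    """Decode a zero-padded config slot; the trailing 'A'/'=' run is normalised
    so a copy with more or fewer padding characters still decodes."""
    core = b64_blob.strip().rstrip("=").rstrip("A")
    return base64.b64decode(core + "A" * (-len(core) % 4))


def decode_transform(b64_blob: str, block: str) -> list[tuple]:
    """Return the statements in one blob as tuples: (name,), (name, value),
    ("build", target) or ("strrep", old, new)."""
    data = slot_bytes(b64_blob)
    pos = 0
    stmts = []

    def u32() -> int:
        nonlocal pos
        (v,) = struct.unpack_from(">I", data, pos)   # big-endian uint32
        pos += 4
        return v

    def string() -> str:
        nonlocal pos
        n = u32()
        s = data[pos:pos + n].decode("latin-1")
        pos += n
        return s

    while pos + 4 <= len(data):
        op = u32()
        if op == 0:                          # end marker; the rest is padding
            break
        if op in NO_ARG:
            stmts.append((NO_ARG[op],))
        elif op in STR_ARG:
            stmts.append((STR_ARG[op], string()))
        elif op == 7:
            stmts.append(("build", BUILD_TARGET[block][u32()]))
        elif op == 14:
            stmts.append(("strrep", string(), string()))
        else:
            raise ValueError(f"unknown transform opcode {op} at offset {pos - 4}")
    return stmts


def render_client_block(block: str, uri: str, b64_blob: str) -> str:
    """Render one decoded blob as a profile block with its client {} section."""
    lines = [f"{block} {{", f'    set uri "{uri}";', "    client {"]
    depth = 2
    for stmt in decode_transform(b64_blob, block):
        name, pad = stmt[0], "    " * depth
        if name == "build":                  # opens metadata { / id { / output {
            lines.append(f"{pad}{stmt[1]} {{")
            depth += 1
            continue
        if name == "_header":                # "Name: value" -> header "Name" "value";
            hdr, val = stmt[1].split(": ", 1)
            lines.append(f'{pad}header "{hdr}" "{val}";')
        elif name == "_parameter":           # "key=value" -> parameter "key" "value";
            key, val = stmt[1].split("=", 1)
            lines.append(f'{pad}parameter "{key}" "{val}";')
        else:
            args = "".join(f' "{a}"' for a in stmt[1:])
            lines.append(f"{pad}{name}{args};")
        if name in TERMINATORS and depth > 2:  # terminator closes the build block
            depth -= 1
            lines.append("    " * depth + "}")
    lines += ["    }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_client_block("http-get", GET_URI, HTTP_HEADER1))
    print(render_client_block("http-post", POST_URI, HTTP_HEADER2))
```

The decoded GET block carries the beacon metadata base64-encoded inside a Cookie header built from session-token=, skin=noskin; and a fixed csm-hit= suffix; the POST block puts the session id in the sn parameter and the base64 output in the body. Those two fixed strings, together with the www.amazon.com Host header sent to hosts that are not Amazon, are what a network detection for this profile should key on.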
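The state_machine field can be checked rather than trusted. The parser below is an added example, not part of the report or of any Cobalt Strike tooling: it walks the DER structure with the standard library only and reports the key type, size and exponent, plus a SHA-256 of the exact key bytes that can be used to group samples built from the same team server. It assumes only the ASN.1 layout of a SubjectPublicKeyInfo (SEQUENCE { AlgorithmIdentifier, BIT STRING { RSAPublicKey } }) and the rsaEncryption OID; the zero bytes that pad the config slot are ignored because the outer SEQUENCE carries its own length.

```python
"""Check what the config field labelled 'state_machine' really holds by
parsing it as a DER SubjectPublicKeyInfo. Standard library only (added example)."""
import base64
import hashlib

# rsaEncryption, OID 1.2.840.113549.1.1.1, as DER content octets.
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")

# Copied verbatim from the state_machine field of this report.
STATE_MACHINE_FIELD = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="


def slot_bytes(b64_blob: str) -> bytes:
    """Decode a zero-padded config slot, normalising the trailing 'A'/'=' run."""
    core = b64_blob.strip().rstrip("=").rstrip("A")
    return base64.b64decode(core + "A" * (-len(core) % 4))


def tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(b64_field: str) -> dict:
    """Return algorithm, modulus size, exponent and a SHA-256 of the DER key."""
    raw = slot_bytes(b64_field)
    tag, spki, end = tlv(raw, 0)      # SubjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    tag, alg, pos = tlv(spki, 0)      # AlgorithmIdentifier ::= SEQUENCE
    oid_tag, oid, _ = tlv(alg, 0)     # OBJECT IDENTIFIER
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    tag, bitstr, _ = tlv(spki, pos)   # BIT STRING; first byte = unused-bit count
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    _, rsa, _ = tlv(bitstr[1:], 0)    # RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }
    _, n_bytes, pos = tlv(rsa, 0)
    _, e_bytes, _ = tlv(rsa, pos)
    n, e = int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")
    return {
        "algorithm": "rsaEncryption",
        "modulus_bits": n.bit_length(),
        "public_exponent": e,
        # Hash of the exact DER bytes (slot padding excluded): a stable pivot
        # for grouping beacons that share one team server key.
        "spki_sha256": hashlib.sha256(raw[:end]).hexdigest(),
    }


if __name__ == "__main__":
    info = parse_rsa_spki(STATE_MACHINE_FIELD)
    print(f"{info['algorithm']} {info['modulus_bits']}-bit, e={info['public_exponent']}")
    print("SPKI SHA-256:", info["spki_sha256"])
```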
Signatures
-
Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
resource  yara_rule
behavioral2/files/0x000d000000023b79-5.dat  cobalt_reflective_dll
behavioral2/files/0x000b000000023b87-9.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023b8c-19.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023b8b-25.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023b90-46.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023b93-58.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023b95-67.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023b96-75.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023b94-95.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023b99-100.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023b9c-121.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023b9b-117.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023b9a-115.dat  cobalt_reflective_dll
behavioral2/files/0x000c000000023b7e-113.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023b97-97.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023b98-89.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023b8e-65.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023b92-71.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023b91-49.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023b8f-41.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023b8d-33.dat  cobalt_reflective_dll
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Cobaltstrike family
-
Xmrig family
-
XMRig Miner payload 45 IoCs
resource yara_rule: 45 hits, all on rule xmrig. Each hit is a memory dump named behavioral2/memory/<pid>-<index>-<start>-<end>-memory.dmp; every range spans 0x351000 bytes and the same 22 processes are hit once early and once late in the run (the sample, PID 2800, three times).
pid   process                 image range                              dump indexes
1904  aVTFLCp.exe             0x00007FF739620000-0x00007FF739971000    86, 232
1816  vkAshwW.exe             0x00007FF7FD920000-0x00007FF7FDC71000    85, 230
3828  HZoMRyw.exe             0x00007FF7AA8F0000-0x00007FF7AAC41000    84, 238
2344  dOMyzfD.exe             0x00007FF68AEE0000-0x00007FF68B231000    54, 221
1112  YEcuJob.exe             0x00007FF63E0A0000-0x00007FF63E3F1000    127, 252
1592  iELWOvP.exe             0x00007FF7EF010000-0x00007FF7EF361000    126, 258
2136  NhTItIN.exe             0x00007FF773850000-0x00007FF773BA1000    125, 256
2144  MWnEZzb.exe             0x00007FF7185A0000-0x00007FF7188F1000    124, 254
1668  JoPHGWP.exe             0x00007FF7FAAC0000-0x00007FF7FAE11000    123, 250
1004  FzJZpND.exe             0x00007FF727240000-0x00007FF727591000    129, 211
4940  ciAspRk.exe             0x00007FF7C1A20000-0x00007FF7C1D71000    130, 213
2800  sample (poet-rat.exe)   0x00007FF723860000-0x00007FF723BB1000    131, 128, 151
3616  WEaGhXL.exe             0x00007FF7FD160000-0x00007FF7FD4B1000    133, 217
1412  MozXkMx.exe             0x00007FF677800000-0x00007FF677B51000    135, 235
5052  nMhblTg.exe             0x00007FF773020000-0x00007FF773371000    143, 246
3656  xxufLXq.exe             0x00007FF774700000-0x00007FF774A51000    145, 241
4008  ypaxTyt.exe             0x00007FF676950000-0x00007FF676CA1000    142, 242
2468  lYUxqSe.exe             0x00007FF6012E0000-0x00007FF601631000    141, 245
4972  AAGScWh.exe             0x00007FF6ADDD0000-0x00007FF6AE121000    134, 220
1048  NUjiKMZ.exe             0x00007FF76A000000-0x00007FF76A351000    144, 248
4220  uCnTVkJ.exe             0x00007FF6E9B60000-0x00007FF6E9EB1000    139, 236
4528  XRcxdTT.exe             0x00007FF71DBA0000-0x00007FF71DEF1000    132, 216
-
Executes dropped EXE 21 IoCs
pid   Process
1004  FzJZpND.exe
4940  ciAspRk.exe
4528  XRcxdTT.exe
3616  WEaGhXL.exe
4972  AAGScWh.exe
1412  MozXkMx.exe
2344  dOMyzfD.exe
3828  HZoMRyw.exe
1816  vkAshwW.exe
4220  uCnTVkJ.exe
1904  aVTFLCp.exe
2468  lYUxqSe.exe
4008  ypaxTyt.exe
5052  nMhblTg.exe
1048  NUjiKMZ.exe
3656  xxufLXq.exe
1668  JoPHGWP.exe
1112  YEcuJob.exe
2144  MWnEZzb.exe
2136  NhTItIN.exe
1592  iELWOvP.exe
-
UPX packed (yara rule upx) 64 IoCs
resource yara_rule: 21 dropped files plus 43 memory dumps, all on rule upx. The memory ranges are the same per-process images listed under XMRig Miner payload; dump names follow behavioral2/memory/<pid>-<index>-<start>-<end>-memory.dmp.
Files:
behavioral2/files/0x000d000000023b79-5.dat
behavioral2/files/0x000b000000023b87-9.dat
behavioral2/files/0x000a000000023b8c-19.dat
behavioral2/files/0x000a000000023b8b-25.dat
behavioral2/files/0x000a000000023b90-46.dat
behavioral2/files/0x000a000000023b93-58.dat
behavioral2/files/0x000a000000023b95-67.dat
behavioral2/files/0x000a000000023b96-75.dat
behavioral2/files/0x000a000000023b94-95.dat
behavioral2/files/0x000a000000023b99-100.dat
behavioral2/files/0x000a000000023b9c-121.dat
behavioral2/files/0x000a000000023b9b-117.dat
behavioral2/files/0x000a000000023b9a-115.dat
behavioral2/files/0x000c000000023b7e-113.dat
behavioral2/files/0x000a000000023b97-97.dat
behavioral2/files/0x000a000000023b98-89.dat
behavioral2/files/0x000a000000023b8e-65.dat
behavioral2/files/0x000a000000023b92-71.dat
behavioral2/files/0x000a000000023b91-49.dat
behavioral2/files/0x000a000000023b8f-41.dat
behavioral2/files/0x000a000000023b8d-33.dat
Memory dumps:
pid   process                 image range                              dump indexes
2800  sample (poet-rat.exe)   0x00007FF723860000-0x00007FF723BB1000    0, 128, 131, 151
1004  FzJZpND.exe             0x00007FF727240000-0x00007FF727591000    6, 129, 211
4940  ciAspRk.exe             0x00007FF7C1A20000-0x00007FF7C1D71000    13, 130, 213
4528  XRcxdTT.exe             0x00007FF71DBA0000-0x00007FF71DEF1000    23, 132, 216
3616  WEaGhXL.exe             0x00007FF7FD160000-0x00007FF7FD4B1000    24, 133, 217
4972  AAGScWh.exe             0x00007FF6ADDD0000-0x00007FF6AE121000    32, 134, 220
1412  MozXkMx.exe             0x00007FF677800000-0x00007FF677B51000    44, 135
2344  dOMyzfD.exe             0x00007FF68AEE0000-0x00007FF68B231000    54, 221
4220  uCnTVkJ.exe             0x00007FF6E9B60000-0x00007FF6E9EB1000    68, 139
2468  lYUxqSe.exe             0x00007FF6012E0000-0x00007FF601631000    80, 141
4008  ypaxTyt.exe             0x00007FF676950000-0x00007FF676CA1000    81, 142
1048  NUjiKMZ.exe             0x00007FF76A000000-0x00007FF76A351000    82, 144
3828  HZoMRyw.exe             0x00007FF7AA8F0000-0x00007FF7AAC41000    84
1816  vkAshwW.exe             0x00007FF7FD920000-0x00007FF7FDC71000    85
1904  aVTFLCp.exe             0x00007FF739620000-0x00007FF739971000    86
5052  nMhblTg.exe             0x00007FF773020000-0x00007FF773371000    87, 143
3656  xxufLXq.exe             0x00007FF774700000-0x00007FF774A51000    88, 145
1668  JoPHGWP.exe             0x00007FF7FAAC0000-0x00007FF7FAE11000    123
2144  MWnEZzb.exe             0x00007FF7185A0000-0x00007FF7188F1000    124
2136  NhTItIN.exe             0x00007FF773850000-0x00007FF773BA1000    125
1592  iELWOvP.exe             0x00007FF7EF010000-0x00007FF7EF361000    126
1112  YEcuJob.exe             0x00007FF63E0A0000-0x00007FF63E3F1000    127
-
Drops file in Windows directory 21 IoCs
description: File created; Process: 2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe for every entry
ioc
C:\Windows\System\uCnTVkJ.exe
C:\Windows\System\ypaxTyt.exe
C:\Windows\System\xxufLXq.exe
C:\Windows\System\JoPHGWP.exe
C:\Windows\System\YEcuJob.exe
C:\Windows\System\dOMyzfD.exe
C:\Windows\System\HZoMRyw.exe
C:\Windows\System\MozXkMx.exe
C:\Windows\System\vkAshwW.exe
C:\Windows\System\lYUxqSe.exe
C:\Windows\System\MWnEZzb.exe
C:\Windows\System\NhTItIN.exe
C:\Windows\System\FzJZpND.exe
C:\Windows\System\XRcxdTT.exe
C:\Windows\System\WEaGhXL.exe
C:\Windows\System\iELWOvP.exe
C:\Windows\System\aVTFLCp.exe
C:\Windows\System\nMhblTg.exe
C:\Windows\System\NUjiKMZ.exe
C:\Windows\System\ciAspRk.exe
C:\Windows\System\AAGScWh.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process
Token: SeLockMemoryPrivilege  2800  2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe (reported twice)
SeLockMemoryPrivilege is the privilege Windows requires for large-page allocations; XMRig enables it to back its RandomX memory with huge pages. Its appearance on PID 2800, the same process the xmrig memory rule flags, is consistent with the miner component rather than with Beacon.
-
Suspicious use of WriteProcessMemory 42 IoCs
description: "wrote to memory of"; source pid 2800, Process 2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe for every entry. Each target is written twice, giving the 42 IoCs.
target pid  target process  procid_target  writes
1004        FzJZpND.exe     84             2
4940        ciAspRk.exe     86             2
4528        XRcxdTT.exe     87             2
3616        WEaGhXL.exe     88             2
4972        AAGScWh.exe     89             2
1412        MozXkMx.exe     90             2
2344        dOMyzfD.exe     91             2
3828        HZoMRyw.exe     92             2
1816        vkAshwW.exe     93             2
4220        uCnTVkJ.exe     94             2
1904        aVTFLCp.exe     95             2
2468        lYUxqSe.exe     96             2
4008        ypaxTyt.exe     97             2
5052        nMhblTg.exe     98             2
1048        NUjiKMZ.exe     99             2
3656        xxufLXq.exe     100            2
1668        JoPHGWP.exe     101            2
1112        YEcuJob.exe     102            2
2144        MWnEZzb.exe     103            2
2136        NhTItIN.exe     104            2
1592        iELWOvP.exe     105            2
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe
command line: "C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe"
depth 1, PID 2800
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
Children of PID 2800 (depth 2). Each was started with its own path as the complete command line, with no arguments, and each triggered only "Executes dropped EXE":
- C:\Windows\System\FzJZpND.exe  PID 1004
- C:\Windows\System\ciAspRk.exe  PID 4940
- C:\Windows\System\XRcxdTT.exe  PID 4528
- C:\Windows\System\WEaGhXL.exe  PID 3616
- C:\Windows\System\AAGScWh.exe  PID 4972
- C:\Windows\System\MozXkMx.exe  PID 1412
- C:\Windows\System\dOMyzfD.exe  PID 2344
- C:\Windows\System\HZoMRyw.exe  PID 3828
- C:\Windows\System\vkAshwW.exe  PID 1816
- C:\Windows\System\uCnTVkJ.exe  PID 4220
- C:\Windows\System\aVTFLCp.exe  PID 1904
- C:\Windows\System\lYUxqSe.exe  PID 2468
- C:\Windows\System\ypaxTyt.exe  PID 4008
- C:\Windows\System\nMhblTg.exe  PID 5052
- C:\Windows\System\NUjiKMZ.exe  PID 1048
- C:\Windows\System\xxufLXq.exe  PID 3656
- C:\Windows\System\JoPHGWP.exe  PID 1668
- C:\Windows\System\YEcuJob.exe  PID 1112
- C:\Windows\System\MWnEZzb.exe  PID 2144
- C:\Windows\System\NhTItIN.exe  PID 2136
- C:\Windows\System\iELWOvP.exe  PID 1592
-
Downloads
21 files, each 5.2MB like the submitted sample, each with a distinct hash.
-
Filesize 5.2MB
MD5 88e14b4a9c24c25d5d3c64159542384c
SHA1 8eeff1bd5a2138ffb06422beeb9bebbbdc01066e
SHA256 be42dd3c1eed5bb5eab7202c0109610aa145966c770e275f70958b177a11feac
SHA512 efc9c4595eb23ab0f96e19eed9368f6153063ed68e3a23ff9be1bd5ed4915eca7467fc8071512fb9ad45b24cd36b0056ecf4824e4a412f9c1521e92829d1f6c7
-
Filesize 5.2MB
MD5 699ba62cb974acc9c6042cfc72820d95
SHA1 b9d78ccd0dbf4af843d1e5b7657164fb504912aa
SHA256 be0750169aa83bc09a8ac8986e772dee708e356171075bac5a5c87b51f3336e2
SHA512 f1867fe06b9f6a6e130e63916f82776e0f64c68cc97886c71a604e8b3cdef7478c0b5fc178eada9d163e8632578e0a137a7f2efa6363e8f30778778bcb709981
-
Filesize 5.2MB
MD5 f4a34ad88eb8f1bf02b7f8f7f95458c2
SHA1 9eb39dad8d254b88a47241f5bdd3bd0bd13dae16
SHA256 d73bf7398ddabc7bae8a15b748a381dcfb5c4ac627c96300516b2ec37395af73
SHA512 b1c5807597556904f5e473334d2ea09bc4b37e2a70a6018f3a147db6f66b8af1f03b8cdc8c20ec13467733087e5f72b71019a3e5f153b6c0cf7b24e9939e69b1
-
Filesize 5.2MB
MD5 4a7e2f88dfc1f39d9a8fefdacdb3fc2c
SHA1 04beb5cc44de8ec9fcf9c6ce7d29138e6b55f94f
SHA256 34d935287660551f50bb24c458a4cfbedfd4669dde87c89fc9e9bf0ae05d36b0
SHA512 47e9ede1f714275d4500125c4efbb01e152f9e32a4b76a8477be42defb7bd29ab1a41dc355cf391d2a79af6150ca56c650538cf87e1bb796bcd4cf812ed2804b
-
Filesize 5.2MB
MD5 d3a2adaeaf73eaa5280dca3a4d2fce10
SHA1 bbe93c6b279946d646562973af8bf01f8c460ef6
SHA256 53f2626195a90392330ec15bda88a519503f40c21ba485d1f68558c2cdcf46e7
SHA512 4866a21a98563d557b08718188958210940ad578771bc8b88ce8ae9bc296860abeb7b70e6722594133b4a2011269f09f19c53559e6bdb2513ee64389bc26db73
-
Filesize 5.2MB
MD5 185430f4fe040d296c9e89098bb3d98f
SHA1 b4b71f86733995c45449136cb3bdd2cae1ed5074
SHA256 b501f3fda4a4186f3e5c0a7e770ef3dc092fb385a9da5c6b85d07a2abe6664ca
SHA512 782dc1c834480a60c5fd22b823b31d1177842027f12462f972e4ed33de12dc59cb3c66e4bc4d5e7d2fd3cf4c4d9ad456e3ee64d073c0e55577362f6e9a1ab271
-
Filesize 5.2MB
MD5 f9b2a5a6be619d9c690500d57056dd3d
SHA1 60d03bb5542458b6e15931a908b8b70da64567ab
SHA256 5e9701b8f9004c78624aa075df9ff27c308b42b4ca18d69afeef5c1c20835ca3
SHA512 a28442f86a2d7c4b74c06bc9fa7953dcc62adcd0af475ef874fb21f91302d6539f143033d6b84bf37db943ace5eba3adf75907ae80c89b9b367fefbbfe5a8cc7
-
Filesize 5.2MB
MD5 d79d90df88c7f129a247704a8f30435c
SHA1 b7fc5b51542454c83b745ee249a83d5951a492bb
SHA256 4d3ce7739d027ddc8f6a3d56d3b890504fbc3852951e4482035810f72d3eb5cf
SHA512 e6db7fcb76d07aa1aa1114f2cb809457aa4ea14222c5c28dba20f5471d261a96fd7b5ec30161476de0321c0e28ba2c6352dcd035a7949b1778f9bdedb4d4a573
-
Filesize 5.2MB
MD5 79ca5d474d2fa787ac993735cc5f275d
SHA1 04636e24bd498218e9772ab853e515a92cc24df3
SHA256 981b1de08a859a173f7a7f1fd33ed5c33d90584212497476b1d9a65756c078eb
SHA512 fe4d78d70458f46b8f91371b7ee01b86ff3f8ecb024f362afc96df1f6bb66b9ca73b12f8d751b9cf0b8b96fc3284b3cf126c2616e6531ec903e3ad947e5e28f2
-
Filesize 5.2MB
MD5 52866630a4b6071a0c79d3b00bbc227a
SHA1 06f844973ead2131bb8ab5fcdafa464c4178cc1a
SHA256 45fb5875754236e5f977792cfd1e209f7a78a727d3416ab83ed2fc9b9aed7533
SHA512 7054d82d34e7638cc190774bb5bad31abb1885ac0615d8b736a4fc27589c0ef4a99424afd20c5e962ed897abba9fd1c02c52fdbbce26c6a4098bc05263353560
-
Filesize 5.2MB
MD5 45f738f8b03305d29666d026975a4336
SHA1 d9dd5cdab90ad7c8c531b904ff2d0fcfcac8f467
SHA256 7e9fe80f397f78e224660d0f15e25284dfeb102cf383d4b35654079393fb6ad8
SHA512 15b84507db7ada1fbb0e89dec7ac5f0cfcdb722708beb000982f1d6c98aff663827de8abac9874e90e39e652ad8fe9cf37500f17a42b370475a114c44d6c2590
-
Filesize 5.2MB
MD5 7785fd754fc0f56cebad930f5ab78545
SHA1 18fc34ecbe460cb174d4e7a27fbfb85a4842e5ce
SHA256 ee3ef1eebf5f678529e39ddfa1a931d099ba91d4dafc9fddcd5d0d5134f5d9de
SHA512 1477266f46c586a4927ec8e0f9a407460bb4dcb7e65287b73f617723b9ce5405fb510a6e4ba9c83881cdab8e88967ec5de67a3a5f867b86765c086bb153d48c3
-
Filesize 5.2MB
MD5 cfe78632a8b65b003ce352c599f8158e
SHA1 eb35a720f95fdedf237a48117e22dab2f66b0ace
SHA256 14c9200c4004a6028fdfbc88565ff0a9f762299cee6eda697477f333e652b6bc
SHA512 a2820b4b396bd563b5d5bdd23f208ad58754a7a0feada71af5d86dbf8ae04758634ac5e6d750cd34a009211b8bd65ffe7e972600609e0afcac46966dd03ae09d
-
Filesize 5.2MB
MD5 59f5b4c6f91a678866c2c3ee67ebfb79
SHA1 bda792c32ed67be7650eb628d6e5770f27389172
SHA256 13dc008204d1d1fcbf595270e0a79be0dc3245247b55e07f557c6c70781b9af3
SHA512 798623a6ab68f346923b520a57f19990076795f6dc0b93468d3e421c7a3e69898fc4ef2df70442613a6acf6b957859c1bfd47091566a6fb3f43340caa231b55f
-
Filesize 5.2MB
MD5 fbf681e13cc3b490c7197ed604e42827
SHA1 68bf52f52f5563deca2309342262cec317ffac85
SHA256 bf3f5d2416c6e9c17e93a0da46bafc392d6a1885c76e219616f23511a9419aec
SHA512 3fb7ef44aae73f63fa3a0c3ba43c1321761016e1d94a8747d400b4aae172f5380bab014c5d6800287c23c30aa1ed3b51fad9bb9838f6bda0ae7529048139a962
-
Filesize 5.2MB
MD5 6efac1268b14e7529a1714ade6bbea8a
SHA1 3b0a875f686ef6926b17c060720d57494b1b4a7b
SHA256 82737e7f4b2158f280bcbad27b6d28008390391ad6c7a479d1d0e3d65dc7e8b6
SHA512 0f9bf3525543c1037fdf8e1dc1f5ab73a954b26c8383768ad4039ac5c57b094c2e7eeb5cd0380204ac89367948c8f30568b1d82258e03488bca77293c89d128e
-
Filesize 5.2MB
MD5 a7cbb354417f7347cdc7a94c0696e4d8
SHA1 7f0bb3165cadc043d1348f5a2fdaa3ad65dfd55c
SHA256 ed5c0dd203a8e213f0e5460a47b387fa758010ee2c06600273873b227cd92568
SHA512 5a5895a6371b8b53b0408a99c5200b6a1e028cf3e7c948adb6c948e51cd1ca9192615273125bdf1fa40772f1dce1e4ea8784d40903661f29120dbdf457230f13
-
Filesize 5.2MB
MD5 57f6426c2fd926f558f4ecd05c875c89
SHA1 7487b0a735b400f19baa6535200c8a90011c4083
SHA256 000e19b1202a19604a6e0c90208de76eece1c0f008acea0fd101c2adc74341fa
SHA512 ad50de7923357fae00a7dbf2349c6927340c26ee65913c0c0092239c5e89648df5baf4c5fbebc4f3c998724272d8efabb98c05b8dc5fe0d2f241863d2fe2f0f4
-
Filesize 5.2MB
MD5 13c690843dd34cd0625d282e53057fb9
SHA1 1a22f8f5fbbc189605cda72ce86eca0f3e8357d9
SHA256 736f5712f132178d171d9d3000c33bedb80c6809adb0676c2ffe87ba561f2ecb
SHA512 c95879ca319d19a1956a0e472337769e3d31b05ad0bc0d14b3a648f8033a0970d9964297f807779436ba773af323f4f7edfc46c8afcddf854ce60aebb0d03302
-
Filesize 5.2MB
MD5 3b0dddc60d4627926d87e8db1fee5648
SHA1 7e0673387c27f4512738726600f1557014f2db5e
SHA256 a0b0fc1ff7c549a89fd075a313c939cd3e23ad6f61300c1189ec57676eec2c7c
SHA512 13c0886629ff6aff9661fb849bb8b6b75002ae6b94205e6af5d086c1f890ebd93bf627c2c202b80a4ee43631a84e7c86602cf38b1064c423c8171931f0a63c0e
-
Filesize 5.2MB
MD5 f49a786de988d848f2e390434fbad217
SHA1 59447a2f547a8dd0d44d0bb710c6d103a7efb95b
SHA256 f799e42d138fbdba459ac6f83393d276c58c1ca9cd4ba7d4bc03b128a14acbd5
SHA512 797119fe6031650246e6e0e5b4d3cb95e9c1a51580c2b5f61a4ee296e5e94401f302a86d3a9796e9bb9c962a693a18183df6b20bb0adb498ffc47b2428cd0275