Analysis
-
max time kernel
141s
-
max time network
150s
-
platform
windows10-2004_x64
-
resource
win10v2004-20241007-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
-
submitted
09/11/2024, 15:26
Behavioral task
behavioral1
Sample
2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe
Resource
win7-20241010-en
General
-
Target
2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe
-
Size
5.2MB
-
MD5
b488f797c4cae1c1f5ab43f070da6c45
-
SHA1
10effe43f10db515231251df49748a4f2ed8e0d4
-
SHA256
4d314d0d6ad2e348cb8ee7ccce4c24584d8a66f28edb0c7e0d1d4a1ceb9d89ba
-
SHA512
9bd4363d05e578044dd693ca15b9288c84a0c21e163efc6693b5351f496bd1d2511b14c3b7b706cbab32e53d139dc0ec7fa916825d0bdf96d32897b3a355c055
-
SSDEEP
49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lL:RWWBibd56utgpPFotBER/mQ32lUf
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
-
access_type
512
-
beacon_type
256
-
create_remote_thread
768
-
crypto_scheme
256
-
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
-
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
-
http_method1
GET
-
http_method2
POST
-
maxdns
255
-
pipe_name
\\%s\pipe\msagent_%x
-
polling_time
5000
-
port_number
443
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/N4215/adj/amzn.us.sr.aps
-
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
-
watermark
0
Signatures
-
Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
resource  yara_rule
behavioral2/files/0x000c000000023b10-5.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023b6d-11.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023b6e-16.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023b70-27.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023b6f-25.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023b71-35.dat  cobalt_reflective_dll
behavioral2/files/0x0031000000023b73-41.dat  cobalt_reflective_dll
behavioral2/files/0x000b000000023b6a-48.dat  cobalt_reflective_dll
behavioral2/files/0x0031000000023b74-53.dat  cobalt_reflective_dll
behavioral2/files/0x0031000000023b75-65.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023b76-66.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023b77-76.dat  cobalt_reflective_dll
behavioral2/files/0x000e000000023a65-111.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023b7b-119.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023b79-120.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023b7c-133.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023b7a-125.dat  cobalt_reflective_dll
behavioral2/files/0x000a000000023b78-116.dat  cobalt_reflective_dll
behavioral2/files/0x000e000000023a63-109.dat  cobalt_reflective_dll
behavioral2/files/0x000e000000023a39-98.dat  cobalt_reflective_dll
behavioral2/files/0x0003000000022a8a-85.dat  cobalt_reflective_dll
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Cobaltstrike family
-
Xmrig family
-
XMRig Miner payload 46 IoCs
resource  yara_rule
behavioral2/memory/3192-50-0x00007FF62EF10000-0x00007FF62F261000-memory.dmp  xmrig
behavioral2/memory/3928-54-0x00007FF739970000-0x00007FF739CC1000-memory.dmp  xmrig
behavioral2/memory/3108-67-0x00007FF7611C0000-0x00007FF761511000-memory.dmp  xmrig
behavioral2/memory/2364-59-0x00007FF7E4190000-0x00007FF7E44E1000-memory.dmp  xmrig
behavioral2/memory/644-90-0x00007FF7E0870000-0x00007FF7E0BC1000-memory.dmp  xmrig
behavioral2/memory/2868-127-0x00007FF6DA6B0000-0x00007FF6DAA01000-memory.dmp  xmrig
behavioral2/memory/4200-135-0x00007FF665EA0000-0x00007FF6661F1000-memory.dmp  xmrig
behavioral2/memory/1968-123-0x00007FF672A00000-0x00007FF672D51000-memory.dmp  xmrig
behavioral2/memory/3480-103-0x00007FF6C4C20000-0x00007FF6C4F71000-memory.dmp  xmrig
behavioral2/memory/1880-89-0x00007FF7EDA90000-0x00007FF7EDDE1000-memory.dmp  xmrig
behavioral2/memory/4556-77-0x00007FF637000000-0x00007FF637351000-memory.dmp  xmrig
behavioral2/memory/3928-136-0x00007FF739970000-0x00007FF739CC1000-memory.dmp  xmrig
behavioral2/memory/3192-141-0x00007FF62EF10000-0x00007FF62F261000-memory.dmp  xmrig
behavioral2/memory/3268-145-0x00007FF701500000-0x00007FF701851000-memory.dmp  xmrig
behavioral2/memory/232-146-0x00007FF659210000-0x00007FF659561000-memory.dmp  xmrig
behavioral2/memory/1392-149-0x00007FF701510000-0x00007FF701861000-memory.dmp  xmrig
behavioral2/memory/4780-150-0x00007FF75BEF0000-0x00007FF75C241000-memory.dmp  xmrig
behavioral2/memory/2972-158-0x00007FF781C90000-0x00007FF781FE1000-memory.dmp  xmrig
behavioral2/memory/396-161-0x00007FF6F7B00000-0x00007FF6F7E51000-memory.dmp  xmrig
behavioral2/memory/860-160-0x00007FF632E30000-0x00007FF633181000-memory.dmp  xmrig
behavioral2/memory/3312-157-0x00007FF6A8A40000-0x00007FF6A8D91000-memory.dmp  xmrig
behavioral2/memory/1284-155-0x00007FF62BC50000-0x00007FF62BFA1000-memory.dmp  xmrig
behavioral2/memory/836-156-0x00007FF70C900000-0x00007FF70CC51000-memory.dmp  xmrig
behavioral2/memory/1620-162-0x00007FF7DD910000-0x00007FF7DDC61000-memory.dmp  xmrig
behavioral2/memory/3928-163-0x00007FF739970000-0x00007FF739CC1000-memory.dmp  xmrig
behavioral2/memory/2364-215-0x00007FF7E4190000-0x00007FF7E44E1000-memory.dmp  xmrig
behavioral2/memory/3108-217-0x00007FF7611C0000-0x00007FF761511000-memory.dmp  xmrig
behavioral2/memory/4556-219-0x00007FF637000000-0x00007FF637351000-memory.dmp  xmrig
behavioral2/memory/1880-221-0x00007FF7EDA90000-0x00007FF7EDDE1000-memory.dmp  xmrig
behavioral2/memory/3480-223-0x00007FF6C4C20000-0x00007FF6C4F71000-memory.dmp  xmrig
behavioral2/memory/1968-226-0x00007FF672A00000-0x00007FF672D51000-memory.dmp  xmrig
behavioral2/memory/4200-231-0x00007FF665EA0000-0x00007FF6661F1000-memory.dmp  xmrig
behavioral2/memory/3192-233-0x00007FF62EF10000-0x00007FF62F261000-memory.dmp  xmrig
behavioral2/memory/3268-237-0x00007FF701500000-0x00007FF701851000-memory.dmp  xmrig
behavioral2/memory/1392-240-0x00007FF701510000-0x00007FF701861000-memory.dmp  xmrig
behavioral2/memory/232-241-0x00007FF659210000-0x00007FF659561000-memory.dmp  xmrig
behavioral2/memory/644-252-0x00007FF7E0870000-0x00007FF7E0BC1000-memory.dmp  xmrig
behavioral2/memory/4780-254-0x00007FF75BEF0000-0x00007FF75C241000-memory.dmp  xmrig
behavioral2/memory/1284-256-0x00007FF62BC50000-0x00007FF62BFA1000-memory.dmp  xmrig
behavioral2/memory/836-258-0x00007FF70C900000-0x00007FF70CC51000-memory.dmp  xmrig
behavioral2/memory/3312-260-0x00007FF6A8A40000-0x00007FF6A8D91000-memory.dmp  xmrig
behavioral2/memory/2868-264-0x00007FF6DA6B0000-0x00007FF6DAA01000-memory.dmp  xmrig
behavioral2/memory/2972-263-0x00007FF781C90000-0x00007FF781FE1000-memory.dmp  xmrig
behavioral2/memory/860-269-0x00007FF632E30000-0x00007FF633181000-memory.dmp  xmrig
behavioral2/memory/396-270-0x00007FF6F7B00000-0x00007FF6F7E51000-memory.dmp  xmrig
behavioral2/memory/1620-267-0x00007FF7DD910000-0x00007FF7DDC61000-memory.dmp  xmrig
-
Executes dropped EXE 21 IoCs
pid  Process
2364  fzYNEKh.exe
3108  JhLjgWd.exe
4556  QTNxBTd.exe
1880  yjYDGbE.exe
3480  QUmHaXc.exe
1968  NxSEJRq.exe
4200  loXGOTA.exe
3192  EQiafCt.exe
3268  NiVDbLU.exe
232  xMaiiDF.exe
1392  ulRcvWn.exe
4780  fSwfdtt.exe
644  yYggjHK.exe
1284  lahHBUY.exe
836  BvfOWnI.exe
3312  joIsNNo.exe
2972  btCdhuW.exe
2868  cwbXTRm.exe
860  RihbiHd.exe
396  xncyisx.exe
1620  rWgiKGF.exe
-
resource  yara_rule
behavioral2/memory/3928-0-0x00007FF739970000-0x00007FF739CC1000-memory.dmp  upx
behavioral2/files/0x000c000000023b10-5.dat  upx
behavioral2/memory/2364-6-0x00007FF7E4190000-0x00007FF7E44E1000-memory.dmp  upx
behavioral2/files/0x000a000000023b6d-11.dat  upx
behavioral2/files/0x000a000000023b6e-16.dat  upx
behavioral2/memory/1880-24-0x00007FF7EDA90000-0x00007FF7EDDE1000-memory.dmp  upx
behavioral2/files/0x000a000000023b70-27.dat  upx
behavioral2/memory/3480-29-0x00007FF6C4C20000-0x00007FF6C4F71000-memory.dmp  upx
behavioral2/files/0x000a000000023b6f-25.dat  upx
behavioral2/memory/4556-18-0x00007FF637000000-0x00007FF637351000-memory.dmp  upx
behavioral2/memory/3108-14-0x00007FF7611C0000-0x00007FF761511000-memory.dmp  upx
behavioral2/files/0x000a000000023b71-35.dat  upx
behavioral2/memory/1968-36-0x00007FF672A00000-0x00007FF672D51000-memory.dmp  upx
behavioral2/files/0x0031000000023b73-41.dat  upx
behavioral2/memory/4200-42-0x00007FF665EA0000-0x00007FF6661F1000-memory.dmp  upx
behavioral2/files/0x000b000000023b6a-48.dat  upx
behavioral2/memory/3192-50-0x00007FF62EF10000-0x00007FF62F261000-memory.dmp  upx
behavioral2/files/0x0031000000023b74-53.dat  upx
behavioral2/memory/3928-54-0x00007FF739970000-0x00007FF739CC1000-memory.dmp  upx
behavioral2/memory/232-60-0x00007FF659210000-0x00007FF659561000-memory.dmp  upx
behavioral2/files/0x0031000000023b75-65.dat  upx
behavioral2/files/0x000a000000023b76-66.dat  upx
behavioral2/memory/1392-68-0x00007FF701510000-0x00007FF701861000-memory.dmp  upx
behavioral2/memory/3108-67-0x00007FF7611C0000-0x00007FF761511000-memory.dmp  upx
behavioral2/memory/2364-59-0x00007FF7E4190000-0x00007FF7E44E1000-memory.dmp  upx
behavioral2/memory/3268-56-0x00007FF701500000-0x00007FF701851000-memory.dmp  upx
behavioral2/files/0x000a000000023b77-76.dat  upx
behavioral2/memory/644-90-0x00007FF7E0870000-0x00007FF7E0BC1000-memory.dmp  upx
behavioral2/memory/1284-97-0x00007FF62BC50000-0x00007FF62BFA1000-memory.dmp  upx
behavioral2/files/0x000e000000023a65-111.dat  upx
behavioral2/files/0x000a000000023b7b-119.dat  upx
behavioral2/files/0x000a000000023b79-120.dat  upx
behavioral2/memory/2868-127-0x00007FF6DA6B0000-0x00007FF6DAA01000-memory.dmp  upx
behavioral2/memory/4200-135-0x00007FF665EA0000-0x00007FF6661F1000-memory.dmp  upx
behavioral2/files/0x000a000000023b7c-133.dat  upx
behavioral2/memory/1620-132-0x00007FF7DD910000-0x00007FF7DDC61000-memory.dmp  upx
behavioral2/memory/396-128-0x00007FF6F7B00000-0x00007FF6F7E51000-memory.dmp  upx
behavioral2/files/0x000a000000023b7a-125.dat  upx
behavioral2/memory/860-124-0x00007FF632E30000-0x00007FF633181000-memory.dmp  upx
behavioral2/memory/1968-123-0x00007FF672A00000-0x00007FF672D51000-memory.dmp  upx
behavioral2/memory/2972-117-0x00007FF781C90000-0x00007FF781FE1000-memory.dmp  upx
behavioral2/files/0x000a000000023b78-116.dat  upx
behavioral2/files/0x000e000000023a63-109.dat  upx
behavioral2/memory/836-107-0x00007FF70C900000-0x00007FF70CC51000-memory.dmp  upx
behavioral2/memory/3312-105-0x00007FF6A8A40000-0x00007FF6A8D91000-memory.dmp  upx
behavioral2/memory/3480-103-0x00007FF6C4C20000-0x00007FF6C4F71000-memory.dmp  upx
behavioral2/files/0x000e000000023a39-98.dat  upx
behavioral2/memory/1880-89-0x00007FF7EDA90000-0x00007FF7EDDE1000-memory.dmp  upx
behavioral2/files/0x0003000000022a8a-85.dat  upx
behavioral2/memory/4780-81-0x00007FF75BEF0000-0x00007FF75C241000-memory.dmp  upx
behavioral2/memory/4556-77-0x00007FF637000000-0x00007FF637351000-memory.dmp  upx
behavioral2/memory/3928-136-0x00007FF739970000-0x00007FF739CC1000-memory.dmp  upx
behavioral2/memory/3192-141-0x00007FF62EF10000-0x00007FF62F261000-memory.dmp  upx
behavioral2/memory/3268-145-0x00007FF701500000-0x00007FF701851000-memory.dmp  upx
behavioral2/memory/232-146-0x00007FF659210000-0x00007FF659561000-memory.dmp  upx
behavioral2/memory/1392-149-0x00007FF701510000-0x00007FF701861000-memory.dmp  upx
behavioral2/memory/4780-150-0x00007FF75BEF0000-0x00007FF75C241000-memory.dmp  upx
behavioral2/memory/2972-158-0x00007FF781C90000-0x00007FF781FE1000-memory.dmp  upx
behavioral2/memory/396-161-0x00007FF6F7B00000-0x00007FF6F7E51000-memory.dmp  upx
behavioral2/memory/860-160-0x00007FF632E30000-0x00007FF633181000-memory.dmp  upx
behavioral2/memory/3312-157-0x00007FF6A8A40000-0x00007FF6A8D91000-memory.dmp  upx
behavioral2/memory/1284-155-0x00007FF62BC50000-0x00007FF62BFA1000-memory.dmp  upx
behavioral2/memory/836-156-0x00007FF70C900000-0x00007FF70CC51000-memory.dmp  upx
behavioral2/memory/1620-162-0x00007FF7DD910000-0x00007FF7DDC61000-memory.dmp  upx
-
Drops file in Windows directory 21 IoCs
description  ioc  Process
File created  C:\Windows\System\NiVDbLU.exe  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\joIsNNo.exe  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\cwbXTRm.exe  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\RihbiHd.exe  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\xncyisx.exe  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\QTNxBTd.exe  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\yjYDGbE.exe  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\loXGOTA.exe  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\rWgiKGF.exe  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\xMaiiDF.exe  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\lahHBUY.exe  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\BvfOWnI.exe  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\NxSEJRq.exe  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\ulRcvWn.exe  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\fSwfdtt.exe  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\btCdhuW.exe  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\fzYNEKh.exe  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\JhLjgWd.exe  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\QUmHaXc.exe  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\EQiafCt.exe  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\yYggjHK.exe  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description  pid  Process
Token: SeLockMemoryPrivilege  3928  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege  3928  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe
-
Suspicious use of WriteProcessMemory 42 IoCs
description  pid  Process  procid_target
PID 3928 wrote to memory of 2364  3928  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe  85
PID 3928 wrote to memory of 2364  3928  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe  85
PID 3928 wrote to memory of 3108  3928  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe  86
PID 3928 wrote to memory of 3108  3928  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe  86
PID 3928 wrote to memory of 4556  3928  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe  87
PID 3928 wrote to memory of 4556  3928  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe  87
PID 3928 wrote to memory of 1880  3928  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe  88
PID 3928 wrote to memory of 1880  3928  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe  88
PID 3928 wrote to memory of 3480  3928  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe  89
PID 3928 wrote to memory of 3480  3928  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe  89
PID 3928 wrote to memory of 1968  3928  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe  90
PID 3928 wrote to memory of 1968  3928  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe  90
PID 3928 wrote to memory of 4200  3928  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe  91
PID 3928 wrote to memory of 4200  3928  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe  91
PID 3928 wrote to memory of 3192  3928  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe  94
PID 3928 wrote to memory of 3192  3928  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe  94
PID 3928 wrote to memory of 3268  3928  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe  95
PID 3928 wrote to memory of 3268  3928  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe  95
PID 3928 wrote to memory of 232  3928  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe  96
PID 3928 wrote to memory of 232  3928  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe  96
PID 3928 wrote to memory of 1392  3928  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe  97
PID 3928 wrote to memory of 1392  3928  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe  97
PID 3928 wrote to memory of 4780  3928  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe  98
PID 3928 wrote to memory of 4780  3928  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe  98
PID 3928 wrote to memory of 644  3928  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe  99
PID 3928 wrote to memory of 644  3928  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe  99
PID 3928 wrote to memory of 1284  3928  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe  100
PID 3928 wrote to memory of 1284  3928  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe  100
PID 3928 wrote to memory of 836  3928  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe  101
PID 3928 wrote to memory of 836  3928  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe  101
PID 3928 wrote to memory of 3312  3928  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe  102
PID 3928 wrote to memory of 3312  3928  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe  102
PID 3928 wrote to memory of 2972  3928  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe  103
PID 3928 wrote to memory of 2972  3928  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe  103
PID 3928 wrote to memory of 2868  3928  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe  105
PID 3928 wrote to memory of 2868  3928  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe  105
PID 3928 wrote to memory of 860  3928  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe  106
PID 3928 wrote to memory of 860  3928  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe  106
PID 3928 wrote to memory of 396  3928  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe  107
PID 3928 wrote to memory of 396  3928  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe  107
PID 3928 wrote to memory of 1620  3928  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe  108
PID 3928 wrote to memory of 1620  3928  2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe  108
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe  "C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe"  1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3928
-
C:\Windows\System\fzYNEKh.exe  C:\Windows\System\fzYNEKh.exe  2⤵
- Executes dropped EXE
PID:2364
-
-
C:\Windows\System\JhLjgWd.exe  C:\Windows\System\JhLjgWd.exe  2⤵
- Executes dropped EXE
PID:3108
-
-
C:\Windows\System\QTNxBTd.exe  C:\Windows\System\QTNxBTd.exe  2⤵
- Executes dropped EXE
PID:4556
-
-
C:\Windows\System\yjYDGbE.exe  C:\Windows\System\yjYDGbE.exe  2⤵
- Executes dropped EXE
PID:1880
-
-
C:\Windows\System\QUmHaXc.exe  C:\Windows\System\QUmHaXc.exe  2⤵
- Executes dropped EXE
PID:3480
-
-
C:\Windows\System\NxSEJRq.exe  C:\Windows\System\NxSEJRq.exe  2⤵
- Executes dropped EXE
PID:1968
-
-
C:\Windows\System\loXGOTA.exe  C:\Windows\System\loXGOTA.exe  2⤵
- Executes dropped EXE
PID:4200
-
-
C:\Windows\System\EQiafCt.exe  C:\Windows\System\EQiafCt.exe  2⤵
- Executes dropped EXE
PID:3192
-
-
C:\Windows\System\NiVDbLU.exe  C:\Windows\System\NiVDbLU.exe  2⤵
- Executes dropped EXE
PID:3268
-
-
C:\Windows\System\xMaiiDF.exe  C:\Windows\System\xMaiiDF.exe  2⤵
- Executes dropped EXE
PID:232
-
-
C:\Windows\System\ulRcvWn.exe  C:\Windows\System\ulRcvWn.exe  2⤵
- Executes dropped EXE
PID:1392
-
-
C:\Windows\System\fSwfdtt.exe  C:\Windows\System\fSwfdtt.exe  2⤵
- Executes dropped EXE
PID:4780
-
-
C:\Windows\System\yYggjHK.exe  C:\Windows\System\yYggjHK.exe  2⤵
- Executes dropped EXE
PID:644
-
-
C:\Windows\System\lahHBUY.exe  C:\Windows\System\lahHBUY.exe  2⤵
- Executes dropped EXE
PID:1284
-
-
C:\Windows\System\BvfOWnI.exe  C:\Windows\System\BvfOWnI.exe  2⤵
- Executes dropped EXE
PID:836
-
-
C:\Windows\System\joIsNNo.exe  C:\Windows\System\joIsNNo.exe  2⤵
- Executes dropped EXE
PID:3312
-
-
C:\Windows\System\btCdhuW.exe  C:\Windows\System\btCdhuW.exe  2⤵
- Executes dropped EXE
PID:2972
-
-
C:\Windows\System\cwbXTRm.exe  C:\Windows\System\cwbXTRm.exe  2⤵
- Executes dropped EXE
PID:2868
-
-
C:\Windows\System\RihbiHd.exe  C:\Windows\System\RihbiHd.exe  2⤵
- Executes dropped EXE
PID:860
-
-
C:\Windows\System\xncyisx.exe  C:\Windows\System\xncyisx.exe  2⤵
- Executes dropped EXE
PID:396
-
-
C:\Windows\System\rWgiKGF.exe  C:\Windows\System\rWgiKGF.exe  2⤵
- Executes dropped EXE
PID:1620
-
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize
5.2MB
MD5
409a7088392ff9dffd3ad370eee2933e
SHA1
a05a7f3fd9fd9022bdc0621880fd47316ca72764
SHA256
3e649f45d76113996e3ff4b484787754623d7a1bc990ef918e1e0fc0978cb9fc
SHA512
dcbea86179a0baff4e5067be431bc6c310f4e67fc1d5ee7586571fded17bd6dfa478b3d26eb236e8627ce7aba3164cb7b90fe68a77b0fc94bad02a21f09ba882
-
Filesize
5.2MB
MD5
97e5ce3685ebff1d9bc45233c930039f
SHA1
0c616dae1c947d3c5aa362d11e3e5cd99b63f20f
SHA256
6265bf5a7f5808c37df806120f79e6510ffedf10e6df8b25d8ba33ece290ea10
SHA512
7fd72aacc7109fa265175d3583ee763f9b2fd3337428d147597d013edb2442c4792d3ffb11eadc6a7d0d7239c0fea5e2295aae5771f6fb52db63c716af091b57
-
Filesize
5.2MB
MD5
99b4b7df3ca4be0fdcf0dcd48bf6f95f
SHA1
d8c339aeadc4430d9fbedfcd0a46c14420d8c350
SHA256
789406f8f488df45cca38174e6fb80d4be5201e198967ed26fa7d3051db9fdd5
SHA512
78035ef781628b89c1314b6060a286a4e780f3e43d7d196a60fc06e39ec510651e910a45d923f33b75a2b57229f47645d317ef3e92f0e78f8fd36e958a5f06c4
-
Filesize
5.2MB
MD5
8b592da54af18cdcb82b2782c9f152e1
SHA1
3374716cc4dcc77a7c2fc8f026d0902806844ab6
SHA256
4664aea3ea70d87face04f8a06b4ec36744edd926876a6e4145ee411c0fb1b15
SHA512
89894d655ce477a3334a1d386c8afcd7f3dacc7120d19463d409fe2b4c25bf7fdf6dd559a6a40fe68b78b073b957e379973a06de10a17bb92f20da086da1738e
-
Filesize
5.2MB
MD5
a01418edd5b12cc90845500693305a60
SHA1
40da102e3ad6c53d2ad858890406f5c53a8121d1
SHA256
f075be445f82e8f54bcee4f128817fba9cd8943bc2be223fae141ba1f672fcf6
SHA512
28891969f79cdceb839c5704c7d774153121b04d80bc053be11b46f68e29ec6a165f5586103bb5f035052e0563ba85f4be295f29aa0191c1dbc5a1d2279f773f
-
Filesize
5.2MB
MD5
84e5db288f70a1cbb0e68b7c6669638b
SHA1
52bfbe5fdbeeac3a4b4b9410c2fe4cd4970696bc
SHA256
3a4bf2759be6deedc2a9e671aa97a43b4383535c55035b3c636923aa12f1fc31
SHA512
5d088d4b687e7a669d8de689590af40e1394dcfeabe67a28876036446b15c8cdcf527524802949c10b4c8aa147a5dded954c930b3c71180aa26fa174b7d5c233
-
Filesize
5.2MB
MD5
1f223a01b9784383fa5150f04576f386
SHA1
d55a253d622b361bdfb96648d205db6c570ef8b9
SHA256
1fda00d557d5a2e787b5cba37a39b9f5d399032370841f63e06a5bcc08ed7620
SHA512
812c3a41008750ef9273fe70023b8567cb471dd7fb1eaf0ea2e818c40c24f9f5f11993ca54178c1e3bab3a3a423e4fdaca8c507c5ae54fa9a811bb583d7f52c8
-
Filesize
5.2MB
MD5
c7af5b65d594ab6fef22c3d354d77e30
SHA1
b41bdfa165b51a9a082ac62bb9eca3f72ac57709
SHA256
43625ae72550ae6be782ec19b87dbbc6c402e15a731a58ad19f275bff84add02
SHA512
9005b103b7bcfb281194ecc28b4322cfe94538cdd30ea0495463956548cc3190dfd4132f6161eb30ab9a579e165f038de3518e98109a8015b164fa32a0cc85ac
-
Filesize
5.2MB
MD5
7d341aaecc018f462ed8daf3cee66d1e
SHA1
e36692080131322dc0d5f7c436a8a7e51652388d
SHA256
d868d08bb00fc444e3767477b38fb4f4c8aa6d435a8e511d831fdd9f6fb9a8ce
SHA512
908a6d4d6117c77508571a6966d6aaed7d466a5c54cb4cdbec178dd8d62b2245c727e781f42de31f34b5087f610eb28458c67e909d296c26dd6414e8beba453b
-
Filesize
5.2MB
MD5
4c943382c34c656830ecad8ea2056003
SHA1
ec1e7bf037afa5781a6b85f98b9f3a7348c68d85
SHA256
f082550226c757cd5f83a85f26d54c71694d81e3e15d629d7832950b3328698c
SHA512
4bceb1d5c4af5ec3971eab616b70fb21048c473b9640d9d194b6499ed57ff72d0a8d9dc05394674d901de189855d1c469e7bb12b6c65409ec969de35a7f7e194
-
Filesize
5.2MB
MD5
bcb82174a6fa9aa821b7b8e7a30e3625
SHA1
ba4e8625bfa0f9a671453a54c78db7d4b105656d
SHA256
7308fa0ff8c0de35177b58136a7fcddac32b3749798671491d72ffc58eeeb313
SHA512
beebd4f49f4b39f577f3283a2b33dacde519b467d6dd8245d69ad8ebb8583d4eb5c2f12bf2d2c4d8ecf1dce65ce0baf0dd1896395181a257b181a0efb54d7313
-
Filesize
5.2MB
MD5
f10f40912cda9fb9032d1fdc1368e604
SHA1
5a47d9a1c2e2f3287dfa47d85ee5ec02000cd6b4
SHA256
1d80eaac2b63970e15c9acd26134ad88e20e3fce9fe32e5e41391f7bd6a4ab51
SHA512
f7aae34c0bdd21c77dcb2fc89f63e46a9227a75c7fe7b9d80e69367a3facd29ed827945fd3faa4c02c4f4315be8d314d6d79dff1eb42467704ba431b550b7d3e
-
Filesize
5.2MB
MD5
5cc107861591663f14d6e904bfc931fc
SHA1
87d26ea88d8c123e054bccc5e330f92e919cc325
SHA256
22f2086d3acdab05cea2e6357f8e8f99538b054a0f8cf25d52623d10a9818d76
SHA512
42ca7db3aa585dadd56408b12784999bf1242db124b0601f0c39cda9f56eff656dda7151a9c6a11e85b8badf4b0e328125ac6bb1d43bd5416ece97d9b629379d
-
Filesize
5.2MB
MD5
1502ea099020ce15a04188622592e324
SHA1
d9e868cd92770b8bdc77cd2b4a6e043212d9ad4c
SHA256
175cfe70380cc3ee50ff5f69d78d22bf70a4fc43bc2b40eb38ca71d39be84f4d
SHA512
7f3dc2f24648a8465df5d9fb2d3eae19fba0893adc3d8b937ba7835fac9b1248bf2dd71ecd230535c6861f799c5fd2c0a16dfdb23df7e3cb80f4ac010687e030
-
Filesize
5.2MB
MD5
176ff77df88b2502c5891269f02e2f9b
SHA1
feb8b505d6dca7be969ae46bf12ffebff50b743c
SHA256
eda185607a0ea184807f101c1d0db4e997ca854632fc0d09cae2cdbde790a1fb
SHA512
79507c466d43938a391fb709e1121b59ad92225f40756542629ac77b88ff5deb47b8d4bfcfb26421e46f3ddfe0cb6f54c3278b74b3cd7e173034bd8f3bf52f77
-
Filesize
5.2MB
MD5
d38a1e3e5029a07e3fcfac2a221dbde6
SHA1
76c7e3cc227e825e08b3dbd54516715bdf26f734
SHA256
3fef88c9609e746603e5adcdd46508a237f7168d6b1a1653749ed3f0e7032f68
SHA512
4e50678115d3b2a103cc950550b1ca3e3ede144f8ac4cfb222913a0490f856c95183ec21ca734e4074b3137bc49571615e286166f18f5a8d4b289ea548d2d57f
-
Filesize
5.2MB
MD5
38e182c3d994c6f58ee4cf67e2710099
SHA1
4a6f4f44fe66633adfb7c7a90e2da8f066f4a542
SHA256
df40d7e7be7433d0c315f93af443deb53fc21cbad6a83ede6a1a60adca2cb72a
SHA512
693e489cc8887dc2175d6bd879f3acc2c2cbcc950407f51e1f01797ae1ba74db9d3f92921fa520fb6e46e44bb79f9b6bcb03ba702419a08bbc1c1208ccefdbe9
-
Filesize
5.2MB
MD5
68c1af30c80d0fd17c30b597f297c496
SHA1
90899df164ea03aabb1e1db1fbcefa5314189894
SHA256
1d0d2f95d62aa655b7cf0c074096f63a57970874a7a1a7e9af565a705c70675e
SHA512
f929466361ff3ae1cfe8994be2abac455908b7c33e438331f99d57d842e5ac088bf185403c58806a94040082b58f4c9040d355a9f1f9b13be068d94d1b4f9d6f
-
Filesize
5.2MB
MD5
3f004d49ff7abf058aec525d3d0d8986
SHA1
f18a0edc6ce85db2184d2dc654042f90e5beb5c4
SHA256
b770a01b91ae2bb2a8745a1c6e66d455a7f8749fadd808bd2874596fd7bf3bd3
SHA512
b84c67738a78c558c3566115086ccf355a2456915f0655029cc74246db96049ba222a6851cb5d136947b15e70c2b7ba0c1e12fe8025d80899f8e478ff115304b
-
Filesize
5.2MB
MD5
c3294bde900e034865ff1ba1d8a2e878
SHA1
21c232a7257686f7663e135a18edf0c678f7738e
SHA256
81d033ca5fa7bf48c8e2b62cf302f1c9e197ff0578c0365034843bc7be747288
SHA512
ff27f35a32312ed7bdbce579d43534bc8550e35f400e180b781ad3c933912f4f4a1ef356f83807a3dbd05b88df9cb510aa8b282ebe9016081daff69439580009
-
Filesize
5.2MB
MD5
e8b768b11ce4287ba3944c084e8a0b1b
SHA1
f60768d0c966fccedb6c0219a1fb427fe307fa1e
SHA256
eff49a52fad3b22fdf73610dfc9501af034888041bcb6ef67e3734fbfccc2057
SHA512
eb83ba70068f582147f7a9df336f629bafb42c67c22a4c1cf3cf112f3c85588ec883e845beae91b31391ee4fec26184b89d89408a68f498e96caa0ccfcf7c6ee