Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
09/11/2024, 15:27
Behavioral task
behavioral1
Sample
2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe
Resource
win7-20240903-en
General
-
Target
2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe
-
Size
5.2MB
-
MD5
d72e35939db27c6924f4f77163eb3291
-
SHA1
458c718171871d5f013fe40d4413bf640b0cc234
-
SHA256
bdd012c106ef6b6be69b0d1fea641387b4fc959018965d98062ece2f45b4fac6
-
SHA512
a26c1282ef3c7bb4750310fb8e666dd6d62586b7f0c9d2422989ed593d8813a37579035f308539d4a2f7c09fbf4f94fb68d78e32362f163915c299b5e800dcf4
-
SSDEEP
49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lT:RWWBibd56utgpPFotBER/mQ32lUP
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
-
access_type
512
-
beacon_type
256
-
create_remote_thread
768
-
crypto_scheme
256
-
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
-
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
-
http_method1
GET
-
http_method2
POST
-
maxdns
255
-
pipe_name
\\%s\pipe\msagent_%x
-
polling_time
5000
-
port_number
443
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/N4215/adj/amzn.us.sr.aps
-
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
-
watermark
0
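The http_header1 and http_header2 values above are not HTTP headers. They are Beacon's serialized Malleable C2 transform programs: a stream of big-endian 32-bit opcodes, a length-prefixed string after the opcodes that take one, an index after BUILD (opcode 7) selecting which block the following steps belong to, a zero terminator, and zero bytes out to the fixed field size. Decoding them recovers the profile the operator built the Beacon with, which is far more useful for hunting than the blob itself. The script below is an added example for this report (not Cobalt Strike, Triage or any other project's code); it decodes exactly the two blobs extracted above, using the opcode table and the BUILD index naming (GET: 0 = metadata; POST: 0 = id, 1 = output) as published by open-source Beacon config parsers such as 1768.py and CobaltStrikeParser, and it raises on any opcode it does not know rather than guessing. Two caveats on the rest of the config as extracted: watermark 0 is the value carried by builds with no licence ID (cracked or trial-derived copies), not a customer identifier, and access_type (512), beacon_type (256), create_remote_thread (768), crypto_scheme (256) and unknown1 (4096) are all exact multiples of 256, which is what a 16-bit big-endian field looks like when read little-endian, so confirm those values with an independent parser before relying on them.

```python
"""Decode Beacon http-get/http-post transform blobs into Malleable C2 statements.

Added example for this report. HTTP_HEADER1/HTTP_HEADER2 are the
http_header1/http_header2 values extracted above; the opcode table follows
public Beacon config parsers (1768.py, CobaltStrikeParser).
"""
import base64
import struct

# Transform steps that take one length-prefixed string argument.
_STR_ARG = {1: "append", 2: "prepend", 5: "parameter", 6: "header"}
# Transform steps with no argument (8/11/12/13/15 are not exercised by this sample).
_NO_ARG = {3: "base64", 4: "print", 8: "netbios", 11: "netbiosu",
           12: "uri_append", 13: "base64url", 15: "mask"}
# Constant client-side values, stored as "Name: value" / "name=value".
_LITERAL = {9: "parameter", 10: "header"}
# Opcode 7 (BUILD) is followed by an index; what it names depends on the request type.
_BUILD_NAMES = {"http-get": {0: "metadata"}, "http-post": {0: "id", 1: "output"}}

HTTP_HEADER1 = "AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="
HTTP_HEADER2 = "AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA=="


def _unpad_b64(blob: str) -> bytes:
    """The field is zero-padded to a fixed size: drop any incomplete trailing
    base64 group (it only ever holds that padding) instead of guessing '='."""
    blob = blob.strip().rstrip("=")
    return base64.b64decode(blob[: len(blob) - len(blob) % 4])


def decode_transform(blob: str, block: str) -> list:
    """Return the Malleable C2 client statements encoded in one blob, in order.

    Elements are ("header", name, value), ("parameter", name, value) or
    (build_name, [steps]) with steps like ("base64",) or ("prepend", "x").
    """
    data = _unpad_b64(blob)
    build_names = _BUILD_NAMES[block]
    stmts, steps, pos = [], None, 0

    def u32() -> int:
        nonlocal pos
        (value,) = struct.unpack_from(">I", data, pos)
        pos += 4
        return value

    def string() -> str:
        nonlocal pos
        n = u32()
        s = data[pos:pos + n].decode("latin-1")
        pos += n
        return s

    while pos + 4 <= len(data):
        op = u32()
        if op == 0:                                   # terminator
            break
        if op in _LITERAL:
            kind = _LITERAL[op]
            name, _, value = string().partition(": " if kind == "header" else "=")
            stmts.append((kind, name, value))
        elif op == 7:                                 # BUILD: start a new step list
            steps = []
            stmts.append((build_names[u32()], steps))
        elif steps is None:
            raise ValueError(f"transform opcode {op} before any build at offset {pos - 4}")
        elif op in _STR_ARG:
            steps.append((_STR_ARG[op], string()))
        elif op in _NO_ARG:
            steps.append((_NO_ARG[op],))
        else:
            raise ValueError(f"unknown transform opcode {op} at offset {pos - 4}")
    return stmts


def render(block: str, uri: str, stmts: list) -> str:
    """Print the statements in Malleable C2 syntax for comparison with known profiles."""
    out = [f"{block} {{", f'    set uri "{uri}";', "    client {"]
    for stmt in stmts:
        if isinstance(stmt[1], list):
            body = " ".join(f'{s[0]} "{s[1]}";' if len(s) == 2 else f"{s[0]};" for s in stmt[1])
            out.append(f"        {stmt[0]} {{ {body} }}")
        else:
            out.append(f'        {stmt[0]} "{stmt[1]}" "{stmt[2]}";')
    out += ["    }", "}"]
    return "\n".join(out)


if __name__ == "__main__":
    # URIs are the host/uri fields from the same config.
    print(render("http-get", "/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",
                 decode_transform(HTTP_HEADER1, "http-get")))
    print(render("http-post", "/N4215/adj/amzn.us.sr.aps",
                 decode_transform(HTTP_HEADER2, "http-post")))
```

Run against the two blobs, the GET side decodes to header "Accept" "*/*", header "Host" "www.amazon.com" and metadata { base64; prepend "session-token="; prepend "skin=noskin;"; append "csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996"; header "Cookie"; }, and the POST side to the four constant headers, parameters sz/oe/s/dc_ref, id { parameter "sn"; } and output { base64; print; }. Together with the user_agent and uri fields that is the amazon.profile from the public Malleable C2 profile collection, unmodified, which is the first thing to note when triaging this sample.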
Signatures
-
Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
resource yara_rule
behavioral2/files/0x000c000000023b6d-6.dat cobalt_reflective_dll
behavioral2/files/0x0008000000023c50-12.dat cobalt_reflective_dll
behavioral2/files/0x0008000000023c44-11.dat cobalt_reflective_dll
behavioral2/files/0x0008000000023c51-23.dat cobalt_reflective_dll
behavioral2/files/0x0010000000023b23-27.dat cobalt_reflective_dll
behavioral2/files/0x0008000000023c52-36.dat cobalt_reflective_dll
behavioral2/files/0x000c000000023c39-51.dat cobalt_reflective_dll
behavioral2/files/0x0008000000023c55-53.dat cobalt_reflective_dll
behavioral2/files/0x0008000000023c54-46.dat cobalt_reflective_dll
behavioral2/files/0x0008000000023c56-63.dat cobalt_reflective_dll
behavioral2/files/0x0002000000022ab7-72.dat cobalt_reflective_dll
behavioral2/files/0x0008000000023c57-92.dat cobalt_reflective_dll
behavioral2/files/0x000c000000023b24-96.dat cobalt_reflective_dll
behavioral2/files/0x0008000000023c58-105.dat cobalt_reflective_dll
behavioral2/files/0x0008000000023c59-118.dat cobalt_reflective_dll
behavioral2/files/0x0007000000023c64-126.dat cobalt_reflective_dll
behavioral2/files/0x0007000000023c63-124.dat cobalt_reflective_dll
behavioral2/files/0x0008000000023c5a-121.dat cobalt_reflective_dll
behavioral2/files/0x0010000000023b1f-90.dat cobalt_reflective_dll
behavioral2/files/0x000c000000023b22-87.dat cobalt_reflective_dll
behavioral2/files/0x0002000000022ab5-71.dat cobalt_reflective_dll
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Cobaltstrike family
-
Xmrig family
-
XMRig Miner payload 45 IoCs
resource yara_rule
behavioral2/memory/2644-41-0x00007FF65A400000-0x00007FF65A751000-memory.dmp xmrig
behavioral2/memory/2768-34-0x00007FF7BE6C0000-0x00007FF7BEA11000-memory.dmp xmrig
behavioral2/memory/1396-30-0x00007FF796200000-0x00007FF796551000-memory.dmp xmrig
behavioral2/memory/228-57-0x00007FF6276D0000-0x00007FF627A21000-memory.dmp xmrig
behavioral2/memory/1084-61-0x00007FF646250000-0x00007FF6465A1000-memory.dmp xmrig
behavioral2/memory/2372-78-0x00007FF6A7AF0000-0x00007FF6A7E41000-memory.dmp xmrig
behavioral2/memory/2352-80-0x00007FF7EC7C0000-0x00007FF7ECB11000-memory.dmp xmrig
behavioral2/memory/4420-108-0x00007FF6407F0000-0x00007FF640B41000-memory.dmp xmrig
behavioral2/memory/2124-94-0x00007FF7407F0000-0x00007FF740B41000-memory.dmp xmrig
behavioral2/memory/3936-85-0x00007FF6B1920000-0x00007FF6B1C71000-memory.dmp xmrig
behavioral2/memory/2112-74-0x00007FF678480000-0x00007FF6787D1000-memory.dmp xmrig
behavioral2/memory/1332-128-0x00007FF66F600000-0x00007FF66F951000-memory.dmp xmrig
behavioral2/memory/1832-130-0x00007FF6CD130000-0x00007FF6CD481000-memory.dmp xmrig
behavioral2/memory/5008-129-0x00007FF7F81B0000-0x00007FF7F8501000-memory.dmp xmrig
behavioral2/memory/4100-131-0x00007FF6FC020000-0x00007FF6FC371000-memory.dmp xmrig
behavioral2/memory/2984-132-0x00007FF60D0E0000-0x00007FF60D431000-memory.dmp xmrig
behavioral2/memory/4340-133-0x00007FF621030000-0x00007FF621381000-memory.dmp xmrig
behavioral2/memory/228-134-0x00007FF6276D0000-0x00007FF627A21000-memory.dmp xmrig
behavioral2/memory/4672-144-0x00007FF7C4450000-0x00007FF7C47A1000-memory.dmp xmrig
behavioral2/memory/4016-143-0x00007FF60CD50000-0x00007FF60D0A1000-memory.dmp xmrig
behavioral2/memory/3268-147-0x00007FF7BC520000-0x00007FF7BC871000-memory.dmp xmrig
behavioral2/memory/2968-150-0x00007FF7AD640000-0x00007FF7AD991000-memory.dmp xmrig
behavioral2/memory/2728-149-0x00007FF7F1240000-0x00007FF7F1591000-memory.dmp xmrig
behavioral2/memory/228-156-0x00007FF6276D0000-0x00007FF627A21000-memory.dmp xmrig
behavioral2/memory/1084-206-0x00007FF646250000-0x00007FF6465A1000-memory.dmp xmrig
behavioral2/memory/2112-208-0x00007FF678480000-0x00007FF6787D1000-memory.dmp xmrig
behavioral2/memory/3936-210-0x00007FF6B1920000-0x00007FF6B1C71000-memory.dmp xmrig
behavioral2/memory/1396-218-0x00007FF796200000-0x00007FF796551000-memory.dmp xmrig
behavioral2/memory/2768-220-0x00007FF7BE6C0000-0x00007FF7BEA11000-memory.dmp xmrig
behavioral2/memory/2644-222-0x00007FF65A400000-0x00007FF65A751000-memory.dmp xmrig
behavioral2/memory/4420-224-0x00007FF6407F0000-0x00007FF640B41000-memory.dmp xmrig
behavioral2/memory/4016-226-0x00007FF60CD50000-0x00007FF60D0A1000-memory.dmp xmrig
behavioral2/memory/1332-228-0x00007FF66F600000-0x00007FF66F951000-memory.dmp xmrig
behavioral2/memory/4672-232-0x00007FF7C4450000-0x00007FF7C47A1000-memory.dmp xmrig
behavioral2/memory/2372-245-0x00007FF6A7AF0000-0x00007FF6A7E41000-memory.dmp xmrig
behavioral2/memory/2352-244-0x00007FF7EC7C0000-0x00007FF7ECB11000-memory.dmp xmrig
behavioral2/memory/2124-248-0x00007FF7407F0000-0x00007FF740B41000-memory.dmp xmrig
behavioral2/memory/3268-249-0x00007FF7BC520000-0x00007FF7BC871000-memory.dmp xmrig
behavioral2/memory/2968-251-0x00007FF7AD640000-0x00007FF7AD991000-memory.dmp xmrig
behavioral2/memory/2728-253-0x00007FF7F1240000-0x00007FF7F1591000-memory.dmp xmrig
behavioral2/memory/5008-255-0x00007FF7F81B0000-0x00007FF7F8501000-memory.dmp xmrig
behavioral2/memory/4340-257-0x00007FF621030000-0x00007FF621381000-memory.dmp xmrig
behavioral2/memory/1832-259-0x00007FF6CD130000-0x00007FF6CD481000-memory.dmp xmrig
behavioral2/memory/4100-261-0x00007FF6FC020000-0x00007FF6FC371000-memory.dmp xmrig
behavioral2/memory/2984-263-0x00007FF60D0E0000-0x00007FF60D431000-memory.dmp xmrig
-
Executes dropped EXE 21 IoCs
pid Process
1084 QpLsXTp.exe
2112 rgupddw.exe
3936 CwjuHHx.exe
1396 JeQwySX.exe
2768 lhJZcNX.exe
2644 VGgIXKT.exe
4420 OGSUFMQ.exe
1332 GdkksUS.exe
4016 dUZIVkZ.exe
4672 rGNXNjj.exe
2372 csHWtTV.exe
2352 YmMbYTP.exe
3268 RoqqHZB.exe
2124 BMzTiEf.exe
2968 wPXalwn.exe
2728 WGimjxu.exe
5008 sHGImmS.exe
4340 gkOGJBX.exe
1832 eiclfam.exe
4100 bHjRESn.exe
2984 iWQKVpB.exe
-
resource yara_rule
behavioral2/memory/228-0-0x00007FF6276D0000-0x00007FF627A21000-memory.dmp upx
behavioral2/files/0x000c000000023b6d-6.dat upx
behavioral2/memory/1084-8-0x00007FF646250000-0x00007FF6465A1000-memory.dmp upx
behavioral2/files/0x0008000000023c50-12.dat upx
behavioral2/memory/3936-20-0x00007FF6B1920000-0x00007FF6B1C71000-memory.dmp upx
behavioral2/memory/2112-14-0x00007FF678480000-0x00007FF6787D1000-memory.dmp upx
behavioral2/files/0x0008000000023c44-11.dat upx
behavioral2/files/0x0008000000023c51-23.dat upx
behavioral2/files/0x0010000000023b23-27.dat upx
behavioral2/files/0x0008000000023c52-36.dat upx
behavioral2/memory/4420-42-0x00007FF6407F0000-0x00007FF640B41000-memory.dmp upx
behavioral2/files/0x000c000000023c39-51.dat upx
behavioral2/files/0x0008000000023c55-53.dat upx
behavioral2/memory/4016-52-0x00007FF60CD50000-0x00007FF60D0A1000-memory.dmp upx
behavioral2/memory/1332-49-0x00007FF66F600000-0x00007FF66F951000-memory.dmp upx
behavioral2/files/0x0008000000023c54-46.dat upx
behavioral2/memory/2644-41-0x00007FF65A400000-0x00007FF65A751000-memory.dmp upx
behavioral2/memory/2768-34-0x00007FF7BE6C0000-0x00007FF7BEA11000-memory.dmp upx
behavioral2/memory/1396-30-0x00007FF796200000-0x00007FF796551000-memory.dmp upx
behavioral2/memory/228-57-0x00007FF6276D0000-0x00007FF627A21000-memory.dmp upx
behavioral2/memory/1084-61-0x00007FF646250000-0x00007FF6465A1000-memory.dmp upx
behavioral2/files/0x0008000000023c56-63.dat upx
behavioral2/files/0x0002000000022ab7-72.dat upx
behavioral2/memory/2372-78-0x00007FF6A7AF0000-0x00007FF6A7E41000-memory.dmp upx
behavioral2/memory/2352-80-0x00007FF7EC7C0000-0x00007FF7ECB11000-memory.dmp upx
behavioral2/files/0x0008000000023c57-92.dat upx
behavioral2/files/0x000c000000023b24-96.dat upx
behavioral2/files/0x0008000000023c58-105.dat upx
behavioral2/files/0x0008000000023c59-118.dat upx
behavioral2/files/0x0007000000023c64-126.dat upx
behavioral2/files/0x0007000000023c63-124.dat upx
behavioral2/files/0x0008000000023c5a-121.dat upx
behavioral2/memory/4420-108-0x00007FF6407F0000-0x00007FF640B41000-memory.dmp upx
behavioral2/memory/2728-100-0x00007FF7F1240000-0x00007FF7F1591000-memory.dmp upx
behavioral2/memory/2968-97-0x00007FF7AD640000-0x00007FF7AD991000-memory.dmp upx
behavioral2/memory/2124-94-0x00007FF7407F0000-0x00007FF740B41000-memory.dmp upx
behavioral2/memory/3268-93-0x00007FF7BC520000-0x00007FF7BC871000-memory.dmp upx
behavioral2/files/0x0010000000023b1f-90.dat upx
behavioral2/files/0x000c000000023b22-87.dat upx
behavioral2/memory/3936-85-0x00007FF6B1920000-0x00007FF6B1C71000-memory.dmp upx
behavioral2/memory/2112-74-0x00007FF678480000-0x00007FF6787D1000-memory.dmp upx
behavioral2/files/0x0002000000022ab5-71.dat upx
behavioral2/memory/4672-62-0x00007FF7C4450000-0x00007FF7C47A1000-memory.dmp upx
behavioral2/memory/1332-128-0x00007FF66F600000-0x00007FF66F951000-memory.dmp upx
behavioral2/memory/1832-130-0x00007FF6CD130000-0x00007FF6CD481000-memory.dmp upx
behavioral2/memory/5008-129-0x00007FF7F81B0000-0x00007FF7F8501000-memory.dmp upx
behavioral2/memory/4100-131-0x00007FF6FC020000-0x00007FF6FC371000-memory.dmp upx
behavioral2/memory/2984-132-0x00007FF60D0E0000-0x00007FF60D431000-memory.dmp upx
behavioral2/memory/4340-133-0x00007FF621030000-0x00007FF621381000-memory.dmp upx
behavioral2/memory/228-134-0x00007FF6276D0000-0x00007FF627A21000-memory.dmp upx
behavioral2/memory/4672-144-0x00007FF7C4450000-0x00007FF7C47A1000-memory.dmp upx
behavioral2/memory/4016-143-0x00007FF60CD50000-0x00007FF60D0A1000-memory.dmp upx
behavioral2/memory/3268-147-0x00007FF7BC520000-0x00007FF7BC871000-memory.dmp upx
behavioral2/memory/2968-150-0x00007FF7AD640000-0x00007FF7AD991000-memory.dmp upx
behavioral2/memory/2728-149-0x00007FF7F1240000-0x00007FF7F1591000-memory.dmp upx
behavioral2/memory/228-156-0x00007FF6276D0000-0x00007FF627A21000-memory.dmp upx
behavioral2/memory/1084-206-0x00007FF646250000-0x00007FF6465A1000-memory.dmp upx
behavioral2/memory/2112-208-0x00007FF678480000-0x00007FF6787D1000-memory.dmp upx
behavioral2/memory/3936-210-0x00007FF6B1920000-0x00007FF6B1C71000-memory.dmp upx
behavioral2/memory/1396-218-0x00007FF796200000-0x00007FF796551000-memory.dmp upx
behavioral2/memory/2768-220-0x00007FF7BE6C0000-0x00007FF7BEA11000-memory.dmp upx
behavioral2/memory/2644-222-0x00007FF65A400000-0x00007FF65A751000-memory.dmp upx
behavioral2/memory/4420-224-0x00007FF6407F0000-0x00007FF640B41000-memory.dmp upx
behavioral2/memory/4016-226-0x00007FF60CD50000-0x00007FF60D0A1000-memory.dmp upx
-
Drops file in Windows directory 21 IoCs
description ioc Process
File created C:\Windows\System\dUZIVkZ.exe 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\YmMbYTP.exe 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\BMzTiEf.exe 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\gkOGJBX.exe 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\rgupddw.exe 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\GdkksUS.exe 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\sHGImmS.exe 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\bHjRESn.exe 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\iWQKVpB.exe 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\JeQwySX.exe 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\OGSUFMQ.exe 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\rGNXNjj.exe 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\wPXalwn.exe 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\lhJZcNX.exe 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\CwjuHHx.exe 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\VGgIXKT.exe 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\csHWtTV.exe 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\RoqqHZB.exe 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\WGimjxu.exe 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\eiclfam.exe 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe
File created C:\Windows\System\QpLsXTp.exe 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process
Token: SeLockMemoryPrivilege 228 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege 228 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe
-
Suspicious use of WriteProcessMemory 42 IoCs
description pid Process procid_target
PID 228 wrote to memory of 1084 228 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe 84
PID 228 wrote to memory of 1084 228 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe 84
PID 228 wrote to memory of 2112 228 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe 86
PID 228 wrote to memory of 2112 228 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe 86
PID 228 wrote to memory of 3936 228 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe 87
PID 228 wrote to memory of 3936 228 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe 87
PID 228 wrote to memory of 1396 228 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe 88
PID 228 wrote to memory of 1396 228 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe 88
PID 228 wrote to memory of 2768 228 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe 91
PID 228 wrote to memory of 2768 228 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe 91
PID 228 wrote to memory of 2644 228 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe 92
PID 228 wrote to memory of 2644 228 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe 92
PID 228 wrote to memory of 4420 228 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe 93
PID 228 wrote to memory of 4420 228 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe 93
PID 228 wrote to memory of 1332 228 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe 94
PID 228 wrote to memory of 1332 228 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe 94
PID 228 wrote to memory of 4016 228 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe 95
PID 228 wrote to memory of 4016 228 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe 95
PID 228 wrote to memory of 4672 228 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe 96
PID 228 wrote to memory of 4672 228 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe 96
PID 228 wrote to memory of 2372 228 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe 97
PID 228 wrote to memory of 2372 228 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe 97
PID 228 wrote to memory of 2352 228 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe 98
PID 228 wrote to memory of 2352 228 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe 98
PID 228 wrote to memory of 3268 228 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe 99
PID 228 wrote to memory of 3268 228 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe 99
PID 228 wrote to memory of 2124 228 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe 100
PID 228 wrote to memory of 2124 228 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe 100
PID 228 wrote to memory of 2728 228 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe 101
PID 228 wrote to memory of 2728 228 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe 101
PID 228 wrote to memory of 2968 228 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe 102
PID 228 wrote to memory of 2968 228 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe 102
PID 228 wrote to memory of 5008 228 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe 103
PID 228 wrote to memory of 5008 228 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe 103
PID 228 wrote to memory of 4340 228 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe 104
PID 228 wrote to memory of 4340 228 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe 104
PID 228 wrote to memory of 1832 228 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe 105
PID 228 wrote to memory of 1832 228 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe 105
PID 228 wrote to memory of 4100 228 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe 106
PID 228 wrote to memory of 4100 228 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe 106
PID 228 wrote to memory of 2984 228 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe 107
PID 228 wrote to memory of 2984 228 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe"
    PID: 228
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\System\QpLsXTp.exe
        Command line: C:\Windows\System\QpLsXTp.exe
        PID: 1084
        - Executes dropped EXE
    C:\Windows\System\rgupddw.exe
        Command line: C:\Windows\System\rgupddw.exe
        PID: 2112
        - Executes dropped EXE
    C:\Windows\System\CwjuHHx.exe
        Command line: C:\Windows\System\CwjuHHx.exe
        PID: 3936
        - Executes dropped EXE
    C:\Windows\System\JeQwySX.exe
        Command line: C:\Windows\System\JeQwySX.exe
        PID: 1396
        - Executes dropped EXE
    C:\Windows\System\lhJZcNX.exe
        Command line: C:\Windows\System\lhJZcNX.exe
        PID: 2768
        - Executes dropped EXE
    C:\Windows\System\VGgIXKT.exe
        Command line: C:\Windows\System\VGgIXKT.exe
        PID: 2644
        - Executes dropped EXE
    C:\Windows\System\OGSUFMQ.exe
        Command line: C:\Windows\System\OGSUFMQ.exe
        PID: 4420
        - Executes dropped EXE
    C:\Windows\System\GdkksUS.exe
        Command line: C:\Windows\System\GdkksUS.exe
        PID: 1332
        - Executes dropped EXE
    C:\Windows\System\dUZIVkZ.exe
        Command line: C:\Windows\System\dUZIVkZ.exe
        PID: 4016
        - Executes dropped EXE
    C:\Windows\System\rGNXNjj.exe
        Command line: C:\Windows\System\rGNXNjj.exe
        PID: 4672
        - Executes dropped EXE
    C:\Windows\System\csHWtTV.exe
        Command line: C:\Windows\System\csHWtTV.exe
        PID: 2372
        - Executes dropped EXE
    C:\Windows\System\YmMbYTP.exe
        Command line: C:\Windows\System\YmMbYTP.exe
        PID: 2352
        - Executes dropped EXE
    C:\Windows\System\RoqqHZB.exe
        Command line: C:\Windows\System\RoqqHZB.exe
        PID: 3268
        - Executes dropped EXE
    C:\Windows\System\BMzTiEf.exe
        Command line: C:\Windows\System\BMzTiEf.exe
        PID: 2124
        - Executes dropped EXE
    C:\Windows\System\WGimjxu.exe
        Command line: C:\Windows\System\WGimjxu.exe
        PID: 2728
        - Executes dropped EXE
    C:\Windows\System\wPXalwn.exe
        Command line: C:\Windows\System\wPXalwn.exe
        PID: 2968
        - Executes dropped EXE
    C:\Windows\System\sHGImmS.exe
        Command line: C:\Windows\System\sHGImmS.exe
        PID: 5008
        - Executes dropped EXE
    C:\Windows\System\gkOGJBX.exe
        Command line: C:\Windows\System\gkOGJBX.exe
        PID: 4340
        - Executes dropped EXE
    C:\Windows\System\eiclfam.exe
        Command line: C:\Windows\System\eiclfam.exe
        PID: 1832
        - Executes dropped EXE
    C:\Windows\System\bHjRESn.exe
        Command line: C:\Windows\System\bHjRESn.exe
        PID: 4100
        - Executes dropped EXE
    C:\Windows\System\iWQKVpB.exe
        Command line: C:\Windows\System\iWQKVpB.exe
        PID: 2984
        - Executes dropped EXE
Downloads
-
Filesize
5.2MB
MD5 074f84d12d35b3d99f570a8fd21c86ca
SHA1 f2bb3849197d92c903bfaa08854abab7a2bffe83
SHA256 96a9fab52ff4f6d4a8c305ac4a23804c9bbd7d28b7b9f4a60603af95ff246f9b
SHA512 0f072803955360501506dd1f315bd2593b99d17fbb46010628f2b49b98d1575f3cdb3a789d41f8adf504da8d3974f859e1e6624bfb37de82fa3de64206024b76
-
Filesize
5.2MB
MD5 10d161e3fd968de9d8830a12c2e813f0
SHA1 d48cda3f2acfde028597a9c27d356c608aff52b7
SHA256 50ff642141c2a76b4c8503bfcaaae89c855c04f235fff53f3aeb48e1c4bdccf1
SHA512 995b0b45b518634cc6afe0012f32d58ad8c9c851369fce480a3edbcf0483b7c29b0858e05c5e6cd1bd0e02b8ecd4f0c00619d09743e6340e73b133611908daa4
-
Filesize
5.2MB
MD5 2c5d69c6a70e4fca8863440c196f14db
SHA1 86878204f4000460d8bab920b4d38cb1d755a98d
SHA256 f0024b1dd076c211f9e48bb86084a660fdffd377fa7ed34fd512d20e78d5b2fe
SHA512 54c806ec22978bc828c3697af7a66151ad410269d2744720b0ec56ee72afd3c7b609062d7417838184dfff898dbd0946745e9804de1f6a659442c45ce4b89d36
-
Filesize
5.2MB
MD5 d998300f9672c115e59c15e7f6cbf981
SHA1 928ce9ce33c5e0acf4910a064a5cb4d11c66ed81
SHA256 61f098ba73e1659f8e7e167a54762ccf0493d6b99c3c5dcd93b9df8028bedea5
SHA512 7af7c23889c4f50e75f8acc5ebc6b3c796f672a26c2c950b1b32645dfb2d1fc0219a3e9e1b60748d581b85cc20746b91e9f19247a26e971a6ce56567b778855b
-
Filesize
5.2MB
MD5 bbdcf7b68be2437c008a9a6ef951acc9
SHA1 7d36bd7f0cc40a503093206c5dbe1ee4d8d4c7da
SHA256 b5dd060f7937f27b45d110e159dbbafbda39ecf9c635ed6b1dc495ae826e7f4d
SHA512 1d84a2f53492eee5b2dc4fb1582c21a017df40f04dbc968b752fea77fb1be38ededb9e69c7e4ba9d07eac9c8b526d501718aab4b9568d91e9b7930dfb6c25ce2
-
Filesize
5.2MB
MD5 754f5d70b5749a8d5c86ba7d76322f09
SHA1 1ef5143a3405e789f8cde7018d1f16a150916eb7
SHA256 84ca801571ecd94372b8b9c334259aa76390d2fc42d85b48f28ec06187679c99
SHA512 1e5751d50d3f81dbf6693e3005b009461868b3e5632de21c90118c57cad9ca9f9ab6fbcf3176d23adaf1c8028b1e7198ca271588297adc0069a8fcd890372943
-
Filesize
5.2MB
MD5 ea56a92454b1d72d89c6d7c6545723b5
SHA1 c527b4fdb98a4280b4da706ee60a8af7074b39b0
SHA256 c680b7fbe422914ecd4acf0346ab42e8d7c6f3ca33e39d322303521c485c2968
SHA512 3d114db7c85c599fb23880625d05de1edacca53b3cfc1cd1f5c0c14d8950a4c70407c12e9450b0ace2f64831f87f7c0bc7f1585ca3fff316e524b1674b82a2b5
-
Filesize
5.2MB
MD5 01cd6cdea7fcd627a6307ebc997f9894
SHA1 938ed290daad7a342b98a3eb26b4f0ab44fd6df2
SHA256 d76a16995258d37e5d8a90f1b1b1e0cf97f1f1d22204f802bc89a084752d8e13
SHA512 c5cf41f12f42154781922d9ebd503f057f677ce1f33b82a3d2ff68ecb99a054e1357e1a66c4879aaad6be8c89a6e4e6e28cbc0672483682bac403cca62c387e9
-
Filesize
5.2MB
MD5 35c8c9ee0203c78c9bcb51b2e3c08dcc
SHA1 2051fb5a8e421b728e0eb81a6f6017384465f7a2
SHA256 67db09cbf70baef799991d48680b49c7c88fee42e6901b14a32dbb112ba70132
SHA512 37dc77a710e951b5b50a6a36e562085b78e8cbec3de99600b651eb01e6885493ac54a72c694395ef96314ddd8de99c6a9b9deb33ed5beb83de25721f5c9e345b
-
Filesize
5.2MB
MD5 64086ffe86a9212b3595f8f77b51d8eb
SHA1 b729edcb9d6aa91ad76273a0f524e6de23a95d0b
SHA256 0690bd2173adfe7cc9a39ed22642d217373de533ab867e57ec5dde3117652d9a
SHA512 c46f1d1ce5395d54c90ce7e7177b0cb0a73df61e4811c05db98499eb8a126aefd5a669fe950bd5ee7637ef93c4e3ed01abdd22a9800f489a9ec66ba2952af955
-
Filesize
5.2MB
MD5 361b27671905daa9fd9ac13400602bb6
SHA1 fdc109a86091db7e2d225b78ba696f8d66773d37
SHA256 a62d5d3443697cda8b1cdf9a7f935837fba6867796586770adf31a93c487bcc9
SHA512 45e5eadb011b39a57e5706772783e4964d6dbe87928d74d7a13eaedf2423c4cd71e5550d5fc8e5d11c04a9d617209edb9a9302e439c530dcfa3bcd589b92698a
-
Filesize
5.2MB
MD5 efb409644dbaa670a11f6095c6458ca7
SHA1 cb176b3df2042632f0d0a3bd1988220055082bbe
SHA256 f16b3799755e3c3699543a5166ff2d5ee2b9900ffeb53651285100591ddd6c2b
SHA512 dab3e138bce36d220bf984886443a44a68d13384224cbc1700935d52e4975165195a8d38b104d6c614c957b019312794f51edb07169ba548f6ee4ab6799a9b54
-
Filesize
5.2MB
MD5 7cc256c99443e3336f3692862f93d24e
SHA1 ffd91f0bd9a1d08587b87f81707cf648523f77df
SHA256 7899dfa2d50ffd92cbf1201d9ec61949b6ab093077eb0392e2270baf7aefe099
SHA512 f29ff5efe7db054df46422e476f17620e3d57d5079ddc2c66a840880f0c23bd23eab76b9d29d887d988b8ed8306b8fab09394c8422a3bafd2812fa5664af4151
-
Filesize
5.2MB
MD5 a7ae74ea4280bebf2633311a250b4c7b
SHA1 503a820bee89e113154290a4c38df71d1881b3d3
SHA256 619ac7a30deecd62f8d0075eb43c49019f8e7814e9facaca8162dee4467d3f19
SHA512 f1c11e0baf9f1454b6ad9806c50a159e02e56875b16fa9f63f208fc0f2cdd21385c308f813c80efa691cf1ab26fa4b0a4de59132c0972ef3ea3f2ff71e2c0876
-
Filesize
5.2MB
MD5 99ef305717bd0dadca30153e8a55cb97
SHA1 3843878221bb9de7ef4a9a38586303f549e6e293
SHA256 e1f1e3df441eca9ff5c6923e7b7cdf0545d7a67c040828247d91ff7be3e5adfc
SHA512 ac2156f6a4b7cf86525bb51671f65adfc8fed63aad23292a17f918fe9736735a70b2b97a61190ac928c376b237c1e4ed24ab174698abc9311b6ba7824578dce0
-
Filesize
5.2MB
MD5 e42c663b971e51a7355170467dce4b5d
SHA1 44d2df07d19f3cfe4fbb14c793e2364d93affaa2
SHA256 f347e81a0f52ed4d31198243830cf490c645a0d77de76e5467b6f2f279860586
SHA512 340d7c01673544764e1c108461a0e6a37fb600161658f0225461d3b5cf9569fa66e44b6693b0ae8e0d52597a24c0ecf1e1f6e27983c49bfa4e1c496f52014d1b
-
Filesize
5.2MB
MD5 0a9a9bf9bea9cec279a1ace5ea4bb897
SHA1 dd293f6012212aa72843441d5b5af0e6665c9e49
SHA256 ee558648738261d1a9543e5d8baa72c7cdf10dc97cc45e10e81659112fad8b1b
SHA512 f502f1e21b35ffed3551c9dbde2a833b9a82ddd7e0fef37a0c5018bfd38e9f07c48f6e9b98d7bede27019f257a3fde792b2c0e512087784128a1865ee50e7e28
-
Filesize
5.2MB
MD5 06adcee07b1a2b9b3a6915f3cca14531
SHA1 3ec61834620044227b26a9fb53b2182ea5eeef66
SHA256 097d26b06bb0c8a91e2016c89d6adb1ff10c942fe9b1068733d4eb8f4e32e311
SHA512 a79885b9060c22a5e242faea12edf501c332b7ed1af3d179f46773c707eea38112d968e2a25d747292ba667e62d2d80a7cdde78a250e395bd1412a83de633fe3
-
Filesize
5.2MB
MD5 660e0aa3c381fa1b966ece6e4b1e553a
SHA1 93f2d49306994c709f5628f49c7ef10c307ff26f
SHA256 830531c0a1c7e49dc303c0fbb648940725a8c16a567ba66e811d12902733e178
SHA512 1f4e343016eb62793b9cb6eb9dcbcf13e95edddd52247f3226886121d9ef80c2c68386cc3a5bfb8518492430de957e7690ba051fe96bc7af8f2e25409c9ebf36
-
Filesize
5.2MB
MD5 c0767e4e11fb4246ad0b838257357701
SHA1 39b9af2d47f139c8584449addd04d9e08db7b407
SHA256 c2b6c60b461b292c032749acbdd7bd3c10cd802ee5d2bb6abddc1a6b0e283836
SHA512 aecc42452cc0349818a4d946cf4489cd8e131b734234df1e7cccb7b30f98f4cb7263c49b8b9cb790992bf05b3446f6016aca6d4ba944da8b98001708ae022351
-
Filesize
5.2MB
MD5 a643ef4fd2d763cd9c45d800c57f5f1d
SHA1 aba3287f978a5f31884ff4c7840305fb0efe041b
SHA256 c21697db301320cf901a2177a19fd188060582017710bcae44329714a361652c
SHA512 c6fe447600463d97a01b4a1e2ac2a6a66a1cef92f5e89418656252f88aaa090655c4ea7bc56badc93f51349eea3df2a320c4d459727539acb658057942bed103