Analysis
- max time kernel: 143s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
- submitted: 10/11/2024, 15:48

Behavioral task: behavioral1
Sample: 2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe
Resource: win7-20240903-en
General
- Target: 2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe
- Size: 5.2MB
- MD5:
4e0987837fb5da33e09b7852d3075ee5
- SHA1:
aeaff3e4506f4d14b22a848cd7290dd1e5dcfe3b
- SHA256:
627bf59509313d97ab8a2972bd27135583fccd1ec2054d9c818bdbdb2d76797f
- SHA512:
2d7c3360bc5c0b7aee18bd9b49903151b6e9dfa526117283dade959364b254b1a2b16d786f7931a3e9ef7a034365f420d982f09928e6623e01a3455a3c4ad138
- SSDEEP:
49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lg:RWWBibd56utgpPFotBER/mQ32lUM
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- access_type: 512
- beacon_type: 256
- create_remote_thread: 768
- crypto_scheme: 256
- host:
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http_header1:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_header2:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
- http_method1: GET
- http_method2: POST
- maxdns: 255
- pipe_name: \\%s\pipe\msagent_%x
- polling_time: 5000
- port_number: 443
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 4096
- unknown2:
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /N4215/adj/amzn.us.sr.aps
- user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
- watermark: 0
Signatures
Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.

Cobaltstrike family

Xmrig family

XMRig Miner payload 46 IoCs
Executes dropped EXE 21 IoCs
pid Process
4424 dOlJUfP.exe
3464 dhRCBfx.exe
1572 cNjqzlW.exe
4244 pfNoDHV.exe
5056 mMTdqMD.exe
4776 KyKCGvg.exe
4392 xmaJdvR.exe
4336 jzInWfI.exe
1420 AiTHIwA.exe
4360 ITGtWPq.exe
732 BduGTDT.exe
2840 lwpFgQI.exe
3680 uuZPvEe.exe
3772 aEygsxg.exe
4444 zufUofr.exe
892 bwjaFhf.exe
2372 adnyHxz.exe
1324 gMEWJjN.exe
2996 tViZCKL.exe
888 nAZnDdo.exe
752 ykTtcUq.exe
Drops file in Windows directory 21 IoCs
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process
Token: SeLockMemoryPrivilege 4716 2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege 4716 2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe
Suspicious use of WriteProcessMemory 42 IoCs
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe (level 1; command line: "C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe")
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4716
  - C:\Windows\System\dOlJUfP.exe (level 2; command line: C:\Windows\System\dOlJUfP.exe)
    - Executes dropped EXE
    PID: 4424
  - C:\Windows\System\dhRCBfx.exe (level 2; command line: C:\Windows\System\dhRCBfx.exe)
    - Executes dropped EXE
    PID: 3464
  - C:\Windows\System\cNjqzlW.exe (level 2; command line: C:\Windows\System\cNjqzlW.exe)
    - Executes dropped EXE
    PID: 1572
  - C:\Windows\System\pfNoDHV.exe (level 2; command line: C:\Windows\System\pfNoDHV.exe)
    - Executes dropped EXE
    PID: 4244
  - C:\Windows\System\mMTdqMD.exe (level 2; command line: C:\Windows\System\mMTdqMD.exe)
    - Executes dropped EXE
    PID: 5056
  - C:\Windows\System\KyKCGvg.exe (level 2; command line: C:\Windows\System\KyKCGvg.exe)
    - Executes dropped EXE
    PID: 4776
  - C:\Windows\System\xmaJdvR.exe (level 2; command line: C:\Windows\System\xmaJdvR.exe)
    - Executes dropped EXE
    PID: 4392
  - C:\Windows\System\jzInWfI.exe (level 2; command line: C:\Windows\System\jzInWfI.exe)
    - Executes dropped EXE
    PID: 4336
  - C:\Windows\System\AiTHIwA.exe (level 2; command line: C:\Windows\System\AiTHIwA.exe)
    - Executes dropped EXE
    PID: 1420
  - C:\Windows\System\ITGtWPq.exe (level 2; command line: C:\Windows\System\ITGtWPq.exe)
    - Executes dropped EXE
    PID: 4360
  - C:\Windows\System\BduGTDT.exe (level 2; command line: C:\Windows\System\BduGTDT.exe)
    - Executes dropped EXE
    PID: 732
  - C:\Windows\System\lwpFgQI.exe (level 2; command line: C:\Windows\System\lwpFgQI.exe)
    - Executes dropped EXE
    PID: 2840
  - C:\Windows\System\uuZPvEe.exe (level 2; command line: C:\Windows\System\uuZPvEe.exe)
    - Executes dropped EXE
    PID: 3680
  - C:\Windows\System\aEygsxg.exe (level 2; command line: C:\Windows\System\aEygsxg.exe)
    - Executes dropped EXE
    PID: 3772
  - C:\Windows\System\bwjaFhf.exe (level 2; command line: C:\Windows\System\bwjaFhf.exe)
    - Executes dropped EXE
    PID: 892
  - C:\Windows\System\zufUofr.exe (level 2; command line: C:\Windows\System\zufUofr.exe)
    - Executes dropped EXE
    PID: 4444
  - C:\Windows\System\adnyHxz.exe (level 2; command line: C:\Windows\System\adnyHxz.exe)
    - Executes dropped EXE
    PID: 2372
  - C:\Windows\System\tViZCKL.exe (level 2; command line: C:\Windows\System\tViZCKL.exe)
    - Executes dropped EXE
    PID: 2996
  - C:\Windows\System\ykTtcUq.exe (level 2; command line: C:\Windows\System\ykTtcUq.exe)
    - Executes dropped EXE
    PID: 752
  - C:\Windows\System\gMEWJjN.exe (level 2; command line: C:\Windows\System\gMEWJjN.exe)
    - Executes dropped EXE
    PID: 1324
  - C:\Windows\System\nAZnDdo.exe (level 2; command line: C:\Windows\System\nAZnDdo.exe)
    - Executes dropped EXE
    PID: 888
Downloads