Analysis
max time kernel: 145s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/11/2024, 15:47
Behavioral task: behavioral1
Sample: 2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe
Resource: win7-20241010-en
General
Target: 2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe
Size: 5.2MB
MD5: 45570f7a4ec67a7cca656d40d222696a
SHA1: 8e6af8a1bdf69dcd27d22c327d0890b0d723faa2
SHA256: c490c4b3257dd8e4ffd0d88f2925c918b5981b48f0b4f9a90078dfac7b190253
SHA512: 54e1cb8067b5ebe9652849ae35ec3ee376678d999d0cc2eaea174d44a709cf12575b7087aaff3dc0dc4d36513eb5248882cece17818e118dd5c1a59bc2b1e77d
SSDEEP: 49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lZ:RWWBibf56utgpPFotBER/mQ32lUl
Malware Config
-
Extracted
Family: cobaltstrike
0
C2:
  http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
  http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
  http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host:
  ns7.softline.top, /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
  ns8.softline.top, /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
  ns9.softline.top, /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
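The two http_header blobs above are Cobalt Strike's compiled Malleable C2 client transforms: a sequence of big-endian 32-bit opcodes, some followed by a length-prefixed string or an integer, terminated by opcode 0 and zero-padded to the 256-byte setting. The following Python is an added example, not code from the sandbox or from any beacon-config parser project; its opcode names follow the layout public parsers use (the ones marked "seen" were checked against these blobs, the rest are assumptions), the two blobs are copied verbatim from this report, and the placeholder stream contents are made up for illustration. It decodes both blobs and replays them to show the on-the-wire request shape, which is what a network detection needs here: per the config the beacon speaks plain HTTP (http:// scheme, port_number 443) to ns7/ns8/ns9.softline.top while sending Host: www.amazon.com, with the metadata carried in a Cookie that imitates Amazon session cookies.

```python
"""Decode and replay the Cobalt Strike Malleable C2 client transforms
(http_header1 / http_header2) from the extracted config.

Added example for this report, not code from the sandbox or from any
beacon-config parser project. Opcodes marked "seen" were checked against the
two blobs below (copied verbatim from the report); "assumed" opcodes, the
stream labels and the placeholder stream contents are assumptions.
"""
import base64
import struct

# http-get client transform (report field http_header1)
HTTP_HEADER1 = "AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="
# http-post client transform (report field http_header2)
HTTP_HEADER2 = "AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA=="

OPCODES = {
    1: "append",           # seen: string arg, appended to the current stream
    2: "prepend",          # seen: string arg, prepended to the current stream
    3: "base64",           # seen: base64-encode the current stream
    4: "print",            # seen: current stream becomes the request body
    5: "parameter",        # seen: string arg = query parameter that carries the stream
    6: "header",           # seen: string arg = header that carries the stream
    7: "build",            # seen: int arg = which beacon stream is transformed next
    8: "netbios",          # assumed from public parsers; not used by this sample
    9: "parameter_const",  # seen: string arg "name=value", a fixed query parameter
    10: "header_const",    # seen: string arg "Name: value", a fixed header
    11: "netbiosu",        # assumed
    12: "uri_append",      # assumed
    13: "base64url",       # assumed
    15: "mask",            # assumed
}
STRING_ARG = {1, 2, 5, 6, 9, 10}


def _b64decode_lenient(text):
    """Base64-decode while tolerating lost or surplus '=' padding in copied blobs."""
    text = text.strip().rstrip("=")
    return base64.b64decode(text + "=" * (-len(text) % 4))


def parse_transform(blob_b64):
    """Return the transform program as [(opcode_name, arg), ...].

    Wire format: big-endian uint32 opcode; string opcodes are followed by a
    uint32 length and the bytes, 'build' by a uint32 stream index; opcode 0
    terminates and the 256-byte setting is zero-padded after it.
    """
    raw = _b64decode_lenient(blob_b64)
    steps, off = [], 0
    while off + 4 <= len(raw):
        (op,) = struct.unpack_from(">I", raw, off)
        off += 4
        if op == 0:
            break
        name = OPCODES.get(op, "op%d" % op)
        if op in STRING_ARG:
            (n,) = struct.unpack_from(">I", raw, off)
            steps.append((name, raw[off + 4:off + 4 + n].decode("latin-1")))
            off += 4 + n
        elif op == 7:
            (which,) = struct.unpack_from(">I", raw, off)
            steps.append((name, which))
            off += 4
        else:
            steps.append((name, None))
    return steps


def render_request(method, uri, steps, streams):
    """Replay a client transform over placeholder stream contents and return the
    HTTP request as text, so the on-the-wire shape is visible.

    streams maps each 'build' index to bytes, e.g. {0: b"<metadata>"} for the
    http-get client; for http-post, 0 is the session id and 1 the task output.
    """
    headers, params, body, data = [], [], b"", b""
    for name, arg in steps:
        if name == "header_const":
            headers.append(arg)
        elif name == "parameter_const":
            params.append(arg)
        elif name == "build":
            data = streams[arg]
        elif name == "base64":
            data = base64.b64encode(data)
        elif name == "base64url":
            data = base64.urlsafe_b64encode(data).rstrip(b"=")
        elif name == "prepend":
            data = arg.encode("latin-1") + data
        elif name == "append":
            data = data + arg.encode("latin-1")
        elif name == "header":
            headers.append("%s: %s" % (arg, data.decode("latin-1")))
        elif name == "parameter":
            params.append("%s=%s" % (arg, data.decode("latin-1")))
        elif name == "uri_append":
            uri = uri + data.decode("latin-1")
        elif name == "print":
            body = data
        # netbios / netbiosu / mask are not replayed: this sample does not use them
    if params:
        uri = "%s?%s" % (uri, "&".join(params))
    return "\r\n".join(["%s %s HTTP/1.1" % (method, uri)] + headers) + "\r\n\r\n" + body.decode("latin-1")


if __name__ == "__main__":
    get_uri = "/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"  # from the host field
    post_uri = "/N4215/adj/amzn.us.sr.aps"                                      # from the uri field
    get_steps, post_steps = parse_transform(HTTP_HEADER1), parse_transform(HTTP_HEADER2)
    for label, steps in (("http-get client", get_steps), ("http-post client", post_steps)):
        print("[%s]" % label)
        for step in steps:
            print("   ", step)
    print(render_request("GET", get_uri, get_steps, {0: b"<metadata>"}))
    print(render_request("POST", post_uri, post_steps, {0: b"<id>", 1: b"<output>"}))
```

Running it prints the two decoded programs and a sample GET and POST. The decoded steps are those of the widely circulated Amazon-lookalike Malleable C2 profile, so detections keyed on the fixed csm-hit cookie fragment, on the /N4215/adj/amzn.us.sr.aps POST URI with its sz/oe/sn/s/dc_ref parameters, or on a Host header of www.amazon.com on a connection that is not to Amazon will fire on any beacon using that profile, not only this sample. Two further reads of the config: sc_process32/sc_process64 are the spawn-to paths (rundll32.exe under syswow64/sysnative) post-exploitation jobs will run in, and the state_machine value begins with the DER prefix of a 1024-bit RSA SubjectPublicKeyInfo, i.e. it is the beacon's C2 public key rather than a state machine.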
Signatures
-
Cobalt Strike reflective loader (21 IoCs)
Detects the reflective loader used by Cobalt Strike.
resource / yara_rule (every entry matches cobalt_reflective_dll):
  behavioral2/files/0x000b000000023b92-4.dat
  behavioral2/files/0x000a000000023b94-10.dat
  behavioral2/files/0x000a000000023b93-15.dat
  behavioral2/files/0x000a000000023b95-24.dat
  behavioral2/files/0x000a000000023b98-40.dat
  behavioral2/files/0x000a000000023b99-46.dat
  behavioral2/files/0x000a000000023b9c-58.dat
  behavioral2/files/0x000a000000023b9f-75.dat
  behavioral2/files/0x000a000000023b9e-89.dat
  behavioral2/files/0x000b000000023ba1-97.dat
  behavioral2/files/0x000b000000023b90-96.dat
  behavioral2/files/0x000b000000023ba0-95.dat
  behavioral2/files/0x000a000000023b9d-85.dat
  behavioral2/files/0x000a000000023b9b-61.dat
  behavioral2/files/0x000a000000023b9a-54.dat
  behavioral2/files/0x000a000000023b97-42.dat
  behavioral2/files/0x000a000000023b96-34.dat
  behavioral2/files/0x000e000000023bb1-131.dat
  behavioral2/files/0x000b000000023ba2-130.dat
  behavioral2/files/0x0008000000023bba-137.dat
  behavioral2/files/0x0009000000023bbf-142.dat
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Cobaltstrike family
-
Xmrig family
-
XMRig Miner payload (47 IoCs)
resource / yara_rule (every entry matches xmrig). Each resource is a memory dump named behavioral2/memory/<pid>-<dump index>-<region start>-<region end>-memory.dmp; grouped here by process. Every region is the same 0x351000-byte image mapping:
  pid 1020: 0x00007FF62EBD0000-0x00007FF62EF21000, dumps 105, 146, 147, 169
  pid 2364: 0x00007FF786E60000-0x00007FF7871B1000, dumps 106, 209
  pid 2616: 0x00007FF682000000-0x00007FF682351000, dumps 108, 211
  pid 3260: 0x00007FF691BD0000-0x00007FF691F21000, dumps 109, 213
  pid 1712: 0x00007FF71DA20000-0x00007FF71DD71000, dumps 111, 216
  pid 264: 0x00007FF6AFF20000-0x00007FF6B0271000, dumps 112, 217
  pid 1336: 0x00007FF6AF8B0000-0x00007FF6AFC01000, dumps 113, 223
  pid 544: 0x00007FF6CF410000-0x00007FF6CF761000, dumps 102, 222
  pid 3236: 0x00007FF746570000-0x00007FF7468C1000, dumps 74, 220
  pid 1892: 0x00007FF761B00000-0x00007FF761E51000, dumps 83, 227
  pid 3300: 0x00007FF692050000-0x00007FF6923A1000, dumps 84, 229
  pid 3696: 0x00007FF6C7DD0000-0x00007FF6C8121000, dumps 87, 231
  pid 3224: 0x00007FF6CBBD0000-0x00007FF6CBF21000, dumps 103, 233
  pid 3980: 0x00007FF745050000-0x00007FF7453A1000, dumps 120, 243
  pid 32: 0x00007FF734F80000-0x00007FF7352D1000, dumps 104, 240
  pid 3672: 0x00007FF6E7EF0000-0x00007FF6E8241000, dumps 127, 238
  pid 3552: 0x00007FF695200000-0x00007FF695551000, dumps 128, 242
  pid 1968: 0x00007FF7CC060000-0x00007FF7CC3B1000, dumps 100, 129, 236
  pid 2944: 0x00007FF7488C0000-0x00007FF748C11000, dumps 165, 258
  pid 3280: 0x00007FF6F6B10000-0x00007FF6F6E61000, dumps 166, 254
  pid 1220: 0x00007FF7C7860000-0x00007FF7C7BB1000, dumps 167, 255
  pid 1632: 0x00007FF6F60A0000-0x00007FF6F63F1000, dumps 168, 259
-
Executes dropped EXE (21 IoCs)
pid / Process:
  2364 jwSTRpL.exe
  2616 ZNBAOaf.exe
  3260 zBwcUpW.exe
  1712 yzDPuuV.exe
  264 HugMGdK.exe
  1336 eyvWyCX.exe
  544 DOFgpul.exe
  3236 cCuOanw.exe
  1892 eVdmJhq.exe
  3300 czjKqIi.exe
  3696 nILWVJc.exe
  3224 RfDeGLZ.exe
  3980 hzgSRNz.exe
  32 SRQAbSA.exe
  3672 HZojLuH.exe
  3552 yRQwXgw.exe
  1968 NVZROtJ.exe
  2944 KpWEqCb.exe
  3280 UgCDztf.exe
  1220 zaXJqRO.exe
  1632 vLMuxYo.exe
resource / yara_rule (every entry matches upx; 64 IoCs): the same 21 behavioral2/files/... resources listed under "Cobalt Strike reflective loader" above, plus memory dumps named as under "XMRig Miner payload" and grouped here by process (same regions as above):
  pid 1020: dumps 0, 105, 146, 147, 169
  pid 2364: dumps 6, 106, 209
  pid 2616: dumps 12, 108, 211
  pid 3260: dumps 20, 109, 213
  pid 1712: dumps 30, 111
  pid 264: dumps 31, 112
  pid 1336: dumps 62, 113
  pid 544: dump 102
  pid 3236: dump 74
  pid 1892: dump 83
  pid 3300: dump 84
  pid 3696: dump 87
  pid 3224: dump 103
  pid 3980: dumps 88, 120
  pid 32: dump 104
  pid 3672: dumps 93, 127
  pid 3552: dumps 94, 128
  pid 1968: dumps 100, 129
  pid 2944: dumps 134, 165
  pid 3280: dumps 135, 166
  pid 1220: dumps 140, 167
  pid 1632: dumps 141, 168
-
Drops file in Windows directory (21 IoCs)
description / ioc / Process (the Process is 2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe for every entry):
  File created C:\Windows\System\N VZROtJ.exe
  File created C:\Windows\System\jwSTRpL.exe
  File created C:\Windows\System\nILWVJc.exe
  File created C:\Windows\System\hzgSRNz.exe
  File created C:\Windows\System\SRQAbSA.exe
  File created C:\Windows\System\yRQwXgw.exe
  File created C:\Windows\System\HugMGdK.exe
  File created C:\Windows\System\eVdmJhq.exe
  File created C:\Windows\System\czjKqIi.exe
  File created C:\Windows\System\zaXJqRO.exe
  File created C:\Windows\System\vLMuxYo.exe
  File created C:\Windows\System\zBwcUpW.exe
  File created C:\Windows\System\DOFgpul.exe
  File created C:\Windows\System\RfDeGLZ.exe
  File created C:\Windows\System\HZojLuH.exe
  File created C:\Windows\System\UgCDztf.exe
  File created C:\Windows\System\ZNBAOaf.exe
  File created C:\Windows\System\yzDPuuV.exe
  File created C:\Windows\System\eyvWyCX.exe
  File created C:\Windows\System\cCuOanw.exe
  File created C:\Windows\System\KpWEqCb.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description / pid / Process:
  Token: SeLockMemoryPrivilege, pid 1020, 2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe
  Token: SeLockMemoryPrivilege, pid 1020, 2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe
-
Suspicious use of WriteProcessMemory (42 IoCs)
description / pid / Process / procid_target (pid is 1020 and Process is 2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe for every entry; each target appears twice):
  PID 1020 wrote to memory of 2364, procid_target 84 (2 IoCs)
  PID 1020 wrote to memory of 2616, procid_target 85 (2 IoCs)
  PID 1020 wrote to memory of 3260, procid_target 86 (2 IoCs)
  PID 1020 wrote to memory of 1712, procid_target 87 (2 IoCs)
  PID 1020 wrote to memory of 264, procid_target 88 (2 IoCs)
  PID 1020 wrote to memory of 1336, procid_target 89 (2 IoCs)
  PID 1020 wrote to memory of 544, procid_target 90 (2 IoCs)
  PID 1020 wrote to memory of 3236, procid_target 91 (2 IoCs)
  PID 1020 wrote to memory of 1892, procid_target 93 (2 IoCs)
  PID 1020 wrote to memory of 3300, procid_target 94 (2 IoCs)
  PID 1020 wrote to memory of 3696, procid_target 95 (2 IoCs)
  PID 1020 wrote to memory of 3224, procid_target 96 (2 IoCs)
  PID 1020 wrote to memory of 3980, procid_target 97 (2 IoCs)
  PID 1020 wrote to memory of 32, procid_target 98 (2 IoCs)
  PID 1020 wrote to memory of 3672, procid_target 99 (2 IoCs)
  PID 1020 wrote to memory of 3552, procid_target 100 (2 IoCs)
  PID 1020 wrote to memory of 1968, procid_target 101 (2 IoCs)
  PID 1020 wrote to memory of 2944, procid_target 102 (2 IoCs)
  PID 1020 wrote to memory of 3280, procid_target 104 (2 IoCs)
  PID 1020 wrote to memory of 1220, procid_target 105 (2 IoCs)
  PID 1020 wrote to memory of 1632, procid_target 106 (2 IoCs)
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe"
  PID: 1020
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children (depth 2; the command line of each is the bare image path with no arguments; each is flagged "Executes dropped EXE"):
    C:\Windows\System\jwSTRpL.exe  PID: 2364
    C:\Windows\System\ZNBAOaf.exe  PID: 2616
    C:\Windows\System\zBwcUpW.exe  PID: 3260
    C:\Windows\System\yzDPuuV.exe  PID: 1712
    C:\Windows\System\HugMGdK.exe  PID: 264
    C:\Windows\System\eyvWyCX.exe  PID: 1336
    C:\Windows\System\DOFgpul.exe  PID: 544
    C:\Windows\System\cCuOanw.exe  PID: 3236
    C:\Windows\System\eVdmJhq.exe  PID: 1892
    C:\Windows\System\czjKqIi.exe  PID: 3300
    C:\Windows\System\nILWVJc.exe  PID: 3696
    C:\Windows\System\RfDeGLZ.exe  PID: 3224
    C:\Windows\System\hzgSRNz.exe  PID: 3980
    C:\Windows\System\SRQAbSA.exe  PID: 32
    C:\Windows\System\HZojLuH.exe  PID: 3672
    C:\Windows\System\yRQwXgw.exe  PID: 3552
    C:\Windows\System\NVZROtJ.exe  PID: 1968
    C:\Windows\System\KpWEqCb.exe  PID: 2944
    C:\Windows\System\UgCDztf.exe  PID: 3280
    C:\Windows\System\zaXJqRO.exe  PID: 1220
    C:\Windows\System\vLMuxYo.exe  PID: 1632
-
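The "Drops file in Windows directory", "Executes dropped EXE" and "Suspicious use of WriteProcessMemory" signatures and the process tree above all describe one pattern: a single parent (PID 1020) writes 21 executables with seven-letter names into C:\Windows\System\ and launches every one of them. The following Python is an added example, not part of the report: it implements that correlation as detection logic over a Sysmon-style event stream (Event ID 11 FileCreate joined to Event ID 1 ProcessCreate on the creating process), run over events constructed here to mirror the report. Field names follow Sysmon; the thresholds, the event timestamps and the benign installer included as a negative case are assumptions.

```python
"""Detect the drop-and-execute pattern in the report: one process writes many
executables under C:\\Windows and then launches each of them.

Added example, not part of the sandbox report. The events are constructed to
mirror the report's "Drops file in Windows directory" and "Executes dropped EXE"
tables, using Sysmon-style field names (Event ID 11 FileCreate: ProcessId,
TargetFilename; Event ID 1 ProcessCreate: ParentProcessId, Image). Thresholds
and timestamps are assumptions to tune per environment.
"""
import re
from collections import defaultdict

# The 21 file names from the report, in the order the report lists their creation.
DROPPED = [
    "NVZROtJ", "jwSTRpL", "nILWVJc", "hzgSRNz", "SRQAbSA", "yRQwXgw", "HugMGdK",
    "eVdmJhq", "czjKqIi", "zaXJqRO", "vLMuxYo", "zBwcUpW", "DOFgpul", "RfDeGLZ",
    "HZojLuH", "UgCDztf", "ZNBAOaf", "yzDPuuV", "eyvWyCX", "cCuOanw", "KpWEqCb",
]
PARENT = r"C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe"


def constructed_events():
    """Constructed Sysmon-like stream: PID 1020 drops and runs the 21 files, plus
    one assumed benign installer (PID 500) that writes and runs a single exe."""
    events, t = [], 0
    for i, name in enumerate(DROPPED):
        path = r"C:\Windows\System\%s.exe" % name
        events.append({"EventID": 11, "UtcTime": t, "ProcessId": 1020, "Image": PARENT, "TargetFilename": path})
        events.append({"EventID": 1, "UtcTime": t + 1, "ParentProcessId": 1020, "ProcessId": 2000 + i, "Image": path})
        t += 2
    events.append({"EventID": 11, "UtcTime": t, "ProcessId": 500, "Image": r"C:\Temp\setup.exe",
                   "TargetFilename": r"C:\Program Files\Vendor\app.exe"})
    events.append({"EventID": 1, "UtcTime": t + 1, "ParentProcessId": 500, "ProcessId": 501,
                   "Image": r"C:\Program Files\Vendor\app.exe"})
    return events


WINDOWS_DIR = re.compile(r"^c:\\windows\\", re.I)
SEVEN_LETTERS = re.compile(r"^[a-z]{7}\.exe$", re.I)


def find_drop_and_exec(events, min_count=3, window=300):
    """Return {parent_pid: [image paths]} for processes that created at least
    min_count .exe files under C:\\Windows and launched them within window
    seconds of creation. The count is the strong signal: a single drop-and-run
    is normal for installers and updaters."""
    created = defaultdict(dict)   # creator pid -> {lowercased path: create time}
    launched = defaultdict(list)  # creator pid -> images it later executed
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        if ev["EventID"] == 11 and ev["TargetFilename"].lower().endswith(".exe"):
            created[ev["ProcessId"]][ev["TargetFilename"].lower()] = ev["UtcTime"]
        elif ev["EventID"] == 1:
            parent, image = ev["ParentProcessId"], ev["Image"].lower()
            t_create = created.get(parent, {}).get(image)
            if t_create is not None and ev["UtcTime"] - t_create <= window and WINDOWS_DIR.match(image):
                launched[parent].append(ev["Image"])
    return {pid: imgs for pid, imgs in launched.items() if len(imgs) >= min_count}


def seven_letter_names(paths):
    """Secondary, weak heuristic: the dropped names here are all seven random
    letters. On its own this also matches legitimate binaries such as
    svchost.exe, so use it only to rank hits from find_drop_and_exec, never as a
    standalone alert."""
    return [p for p in paths if SEVEN_LETTERS.match(p.rsplit("\\", 1)[-1])]


if __name__ == "__main__":
    for pid, imgs in find_drop_and_exec(constructed_events()).items():
        print("parent pid %d dropped and ran %d executables under C:\\Windows (%d with 7-letter names)"
              % (pid, len(imgs), len(seven_letter_names(imgs))))
```

Two points from the report are worth keeping next to a rule like this. SeLockMemoryPrivilege (the AdjustPrivilegeToken entries above) is the privilege needed for large-page allocations and is what XMRig enables for its hash tables, which corroborates the xmrig memory hits; a Cobalt Strike beacon by itself has no use for it. And every process in the tree maps an image region of the same 0x351000 bytes while all 21 dropped files (Downloads below) are 5.2MB with distinct hashes, so the file hashes are per-run artifacts and the drop-and-execute behaviour, not the names or hashes, is the durable detection.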
Downloads
-
Filesize: 5.2MB
MD5: 607c3585b10a2f988b3565bc816144a3
SHA1: e4b773e2d24a4271981e87eef911cafc7ee3403e
SHA256: 9de468ba1571d5325e212acc188676c1caa0f8a29726d126269e7254d174be6f
SHA512: 438e29b0298ababc87ddd3b773ab891b0f3eddb00d0be5f042587bc947bf50b6dd49ffa93c1a0687d67eef47332fb3d45a47e0f3dc1691f41eb742a139f9ee33
-
Filesize: 5.2MB
MD5: b9d8c46cc26854d2128b44fd570707ed
SHA1: ae17bf9d4a1239e7b2b9bdef374cb95d402783ac
SHA256: 021339981794f5ce7bf99dddb70a86c23d3fadfd265f1f6ea94a38d417a4ad6b
SHA512: cbe4c994a2ce2f8e7819e57b6b4ad37101bb636f5d8e707deb5e9dd1bab1df86a7c4ef88ddfbe1206af74bf0104b5de4123946cb03850c449f4d64bc098215ca
-
Filesize: 5.2MB
MD5: 89df7e3e328e768247d401219a31d082
SHA1: cf734edbfb2a20025e27607992d04b131405fdc2
SHA256: acba578adfd8ad7bc43991055b183593b56ef38fdc872695f022548c77a7267b
SHA512: 6e60b9ab4a22144cea29ae93928232038f823261825804e62a69f608f80c6d46f119732bd2e7a19ae1886c412b33411aab48111ec066965fc2ea665c3af31df7
-
Filesize: 5.2MB
MD5: ede7f241a1b1a4f30eaa92849a8d4541
SHA1: e49228e13bbcb804e6f37745957ec570e2f3ce6f
SHA256: a24fea66cda3f6b8112ce86b376671cfff2cb2e555b1e46e01888f58834703a2
SHA512: a20c4b090cb78faf65f1b331cfe22301e2082dbb1eadf9cacb881c0628d9d32180b3e6f82f223aa9a5567fc6fb076d72696e864e38319e485bfac05491f6967d
-
Filesize: 5.2MB
MD5: f500bf7aa2ca2d835164ce9a191d24a4
SHA1: a68959d34d378dc5ef6b418dbea87d4cdd647cb0
SHA256: 6917079efb07db81c6b3537f68880dcdd97608d40df87c946ec2579236249005
SHA512: d7bbf2a19fc11266cda85a1e3409fbddc8154f69b239d2b0758a88417ba0582d326170a5433a99b338b0f8f37fcbb891790b1a480fb8f5cb1763402c58018074
-
Filesize: 5.2MB
MD5: 95511bf425568eac8bb82dc420b94ee3
SHA1: 4536015b6d6fee487009e51b5437847050d41dc9
SHA256: a0d2764b43f2fc05ce51616f89d212fe5ed0713df9945f789a8201b0e24b19ff
SHA512: 1c9fb6aee1b06a0848f3fc606dba706cd9abf02353d8823d2b71889c941b43b40c8a1056490e2a0e0e5b31bf90175298c56181fa3556552c1996354d84719293
-
Filesize: 5.2MB
MD5: 5c58cf265797d79d4e05b89b39c8270d
SHA1: b912dcc8154466e508c2da0b29acbcbb29236ed6
SHA256: 961d11307b8cd70b2a78d7b96c508307bc7b15136ce5671d6e85544efc4f0f63
SHA512: e9007b85765e85a42c6761753e614f8564699a190d59dec60cf1cce86b31e85d901ffdd1a749a40b85d0db62c597291eaa11fae714ac30629b6b98eba97e2cc0
-
Filesize: 5.2MB
MD5: d8f50fce33dc693d9217d3a050d63afe
SHA1: 50250bce6a7b1fec39674abfa565e31950331a60
SHA256: b410310eb43f0868af8423eb91e47867262ea351334edaca2a450799b5775b10
SHA512: de578d8d5da30759280f80eb4b0077be141248e4e57672a923fd1448e49f15aae0cb0097fb24d8ab362a23b8e78e9b9ce39f4a48d6d547b8feb9d2a4dcffdd2b
-
Filesize: 5.2MB
MD5: df8db4c85906e38ffb787547f2918352
SHA1: ca4e23fcef91600b1ba2fc7bfdd55fc5843a6ab4
SHA256: 6aa9bffdbd0142e524549dfa9eacfb3e8a0585f398ac70c4aea1fbf72837023d
SHA512: 0c855bb26bff16df03e392c5058d363bf7c9127b5ccb9c0ca9bc1d54ceef1f6b3dfbb1c931ad28a4701799ee83298d54700b70a147d533d433a0a53f78f5c6b7
-
Filesize: 5.2MB
MD5: b009aa3f4132f226f9f4dcd774667c12
SHA1: 318948067a773112a06eed6916e17b22be828af4
SHA256: 09109a9a1e6ece28704ad2eda2d2eb6bb043d33108934a5088978b44fae63658
SHA512: a3b1799e1e8b500ba9a2e78824c2914bf84704bd7cb2aa2474f4842c5e28847e8846aeaec716f27991e8ed13773678ae56cab13ec39fa4ab006ff6a07ddd7ab7
-
Filesize: 5.2MB
MD5: feda346c902e5bf533def20ab0174610
SHA1: c3459188160d23928a3267c03fc2b3539bedf9f8
SHA256: 026df1d5c42fd19d6a62d8abf9011070438e09be5d8b76d9e9bfbf1107c7e48d
SHA512: a5ccb49b96711affec3cfe51113531cefbb1d0e4f041352b31db75ee4c27ac8db8555bec501d6f78b406e54473db864481bf752679141f2d57e15807b6286515
-
Filesize: 5.2MB
MD5: 3cd385f9bf1c2fe5553fd18d5a3458fa
SHA1: 6955712f2c7b8ede1e77adde0d2c81ae274858f0
SHA256: 2f9baffc1608eab36d705d635ddc3f04a479dea4648821f31fe43ba38fc72239
SHA512: fa33e78d624f5b60d5651ecba36b4dfe94d29083c3b9cb120ea7b6f603d299da825d95917a54148226e391a230a8f1f97c551cb566c99cf1fc68c9013962b889
-
Filesize: 5.2MB
MD5: 66ea212009d6528e232fc87c160cee3e
SHA1: fdf8332c92a155324a329ef7127b71b020a84faa
SHA256: c56a4136de065e1d080d3bd00cf0350cba8d449a919aa10466b42df34e6ca278
SHA512: f3902139ce6242d8b75237f247e7b66b3bd48260e86ee35dfc1288338cff88fe65a508ec633160d1ea88d0a6f99dfb247d987fd71683b33057112d152284d4e7
-
Filesize: 5.2MB
MD5: 4dad28b94b24fdef04b5150880110563
SHA1: 9d034a13e11b301deef3af329f597412a6963a5d
SHA256: adbcc6c6dda0d9fecf5b640e233f29352c7e239f43b7bc86ce30ab62127d4def
SHA512: 9bbb20af2e5b03c805578e35afcbd84ee942a8e20ba46ce89daa4e016b0ad80ab8010339ee98c5c98139beb1c3b1be1ffef4465adce9dc2d7e8fdd18f1ba6a23
-
Filesize: 5.2MB
MD5: d8c2f21b45570bd29539274d5d84239d
SHA1: 6fe12f77e8db6074751e8b68996d079fd79faa9c
SHA256: 12d55a24a91dcd56bc1f80b6bf282b81f0d344386f639d04787b8baf3db60f4b
SHA512: ef605362bd20f835d7f667d691ded45c6d23c7d8d109fcf70123265932fc087fe36cf5bba66d73190511c342a7c3d9984dc7906b87594435fed700c3a783eb7e
-
Filesize: 5.2MB
MD5: 8b2528aa12fb8bbf6977c04521011fd9
SHA1: d2800bc7dcdc677c7871da584ecedff074b38725
SHA256: f970824bc7ee2aa3e9c4742bd2f8517a96eea5bdcf16a48d13c9e1bae66608fb
SHA512: 144108401f40c2abb9c77dde3a9757f123b934fc4dd807a3786e44444c4a3ffe230c489239ed15ff45ebf423ced375da4fd0f45d6f62dfa90377220e242478c6
-
Filesize: 5.2MB
MD5: d345d826ffe47407ea8755e8cd30b7be
SHA1: dad54e11fee29d6e62ea613a86c9b931ab091240
SHA256: 141f4b45b68d931927eb74c00279e36266bdf5fa5e7542f5e1e43631325d5385
SHA512: 2adda326dc2377118c651aed6c18677be55eb9165001ac9813228c8e8546d4bc8eaa6900638727fa99d0a36195982305f92fd29cec62e01c9cad5fa06b0aec87
-
Filesize: 5.2MB
MD5: 1202ffa04af4db451e722b3444ffb84c
SHA1: 22f85a756e0189922dcb8ab43a93e2a30f3ecdb1
SHA256: 53384c939acbdeca1f50b5fa7bebe473e35168acaca3f173da4223bfcb525e3e
SHA512: 1eb310c84415cd259e9f180d4f222abda7529f9254911038d4974171ab79ac8d6b7b7d81d345c410e2582bae6c62177341b3a6b40521e7cbd7db68d431f32317
-
Filesize: 5.2MB
MD5: 692a1968b756c94a01c829bbf7586c21
SHA1: 132146df5a43122e7c4def41cc9ea5febc777533
SHA256: 4e3a00c29ccaaaed98fd1220576f216f7af8a77f7a4652878ab092bafa27a48f
SHA512: feebfd8ccc69d8108d5b432344f6b8d519037f3e61cb021a63174c7946a09def69001810eedc842bae855054ceac1a2249e78d874d145fbcca10b7a76edf103b
-
Filesize: 5.2MB
MD5: 54d00dd9b2673e1486b4397c45d71f98
SHA1: 2525894b7cf397a7f9f1975b876422fe1e0a4a2a
SHA256: ff77dec173683acb671292ea620fdd42f02a38e78b2c6bdc617dda05f8e6c4a7
SHA512: 0616036685b6fe47f4ed3a87c365f7e2ef2251c5e9082b64303cc4a918a52e92ea032c6581dad64c9d68d448acc9a2f44a4ca6afc7d6eb4275dec255f0e75c31
-
Filesize: 5.2MB
MD5: fb2ff3ac017367d4e073b1bcf5f512c0
SHA1: c2af5b040d8261288e457ff71373333f49449414
SHA256: 7def57faef0364eafb47033c3fa2cf9dcf5026fa8ac61e62b4e690e324d4f97d
SHA512: e20bb723fdec5fcf62fef727818423b917677b9d7e67b02b81bc17466ce9b4742bceef92f1cfe9eeb9def58c9cef4d95cf7c900dc236cc337b22773f6c3a4c3e