Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
21-11-2024 02:44
Behavioral task
behavioral1
Sample
2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe
Resource
win7-20240903-en
General
-
Target
2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe
-
Size
5.2MB
-
MD5
1f266a8bd5f09f14a19f94246b03ef3f
-
SHA1
8929b45ab14314b8b81ed3ff557f5416919d81dd
-
SHA256
ad977b6b18127fa1cc0b2c8d4342a85f04503fe8c4d41ff74d0c6737189fe846
-
SHA512
25deda3ea711cd8d0370acb47a1da343049de4bb2917cd73af66f6157291ed33455ab0ea2ae754597f33ec218f5e0663d2440b053c970c9578394b4242621481
-
SSDEEP
49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lq:RWWBibf56utgpPFotBER/mQ32lU+
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
-
access_type
512
-
beacon_type
256
-
create_remote_thread
768
-
crypto_scheme
256
-
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
-
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
-
http_method1
GET
-
http_method2
POST
-
maxdns
255
-
pipe_name
\\%s\pipe\msagent_%x
-
polling_time
5000
-
port_number
443
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/N4215/adj/amzn.us.sr.aps
-
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
-
watermark
0
Signatures
-
Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Cobaltstrike family
-
Xmrig family
-
XMRig Miner payload 45 IoCs
Executes dropped EXE 21 IoCs
pid   Process
2976  JoSuFNx.exe
3504  WBllpZh.exe
1780  ulFZFzz.exe
4280  VtaaRaV.exe
804   kjvqvXY.exe
2520  GRILuWC.exe
4424  OxmylKm.exe
4704  BAaFmCR.exe
5088  QrYnGip.exe
2868  apkapNZ.exe
64    BwrrPth.exe
3924  ZNpTMlm.exe
3948  WfvzWha.exe
1164  tmPWVlz.exe
3716  hlOHqRK.exe
3508  yOkjBFR.exe
4852  NhAGyom.exe
432   xncEhdU.exe
3764  YVlhhJi.exe
3656  dUoPoZN.exe
5028  TLCljGl.exe
-
Drops file in Windows directory 21 IoCs
description   ioc                              Process
File created  C:\Windows\System\YVlhhJi.exe    2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\ulFZFzz.exe    2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\GRILuWC.exe    2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\WfvzWha.exe    2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\tmPWVlz.exe    2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\NhAGyom.exe    2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\xncEhdU.exe    2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\JoSuFNx.exe    2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\OxmylKm.exe    2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\BAaFmCR.exe    2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\QrYnGip.exe    2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\apkapNZ.exe    2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\hlOHqRK.exe    2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\WBllpZh.exe    2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\kjvqvXY.exe    2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\dUoPoZN.exe    2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\VtaaRaV.exe    2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\BwrrPth.exe    2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\ZNpTMlm.exe    2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\yOkjBFR.exe    2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\TLCljGl.exe    2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description                   pid   Process
Token: SeLockMemoryPrivilege  3872  2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege  3872  2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe
-
Suspicious use of WriteProcessMemory 42 IoCs
description                        pid   Process                                                                                procid_target
PID 3872 wrote to memory of 2976   3872  2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe  83
PID 3872 wrote to memory of 2976   3872  2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe  83
PID 3872 wrote to memory of 3504   3872  2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe  84
PID 3872 wrote to memory of 3504   3872  2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe  84
PID 3872 wrote to memory of 1780   3872  2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe  85
PID 3872 wrote to memory of 1780   3872  2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe  85
PID 3872 wrote to memory of 4280   3872  2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe  86
PID 3872 wrote to memory of 4280   3872  2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe  86
PID 3872 wrote to memory of 804    3872  2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe  87
PID 3872 wrote to memory of 804    3872  2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe  87
PID 3872 wrote to memory of 2520   3872  2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe  88
PID 3872 wrote to memory of 2520   3872  2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe  88
PID 3872 wrote to memory of 4424   3872  2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe  89
PID 3872 wrote to memory of 4424   3872  2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe  89
PID 3872 wrote to memory of 4704   3872  2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe  90
PID 3872 wrote to memory of 4704   3872  2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe  90
PID 3872 wrote to memory of 5088   3872  2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe  91
PID 3872 wrote to memory of 5088   3872  2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe  91
PID 3872 wrote to memory of 2868   3872  2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe  92
PID 3872 wrote to memory of 2868   3872  2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe  92
PID 3872 wrote to memory of 3948   3872  2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe  93
PID 3872 wrote to memory of 3948   3872  2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe  93
PID 3872 wrote to memory of 64     3872  2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe  94
PID 3872 wrote to memory of 64     3872  2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe  94
PID 3872 wrote to memory of 3924   3872  2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe  95
PID 3872 wrote to memory of 3924   3872  2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe  95
PID 3872 wrote to memory of 1164   3872  2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe  96
PID 3872 wrote to memory of 1164   3872  2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe  96
PID 3872 wrote to memory of 3716   3872  2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe  97
PID 3872 wrote to memory of 3716   3872  2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe  97
PID 3872 wrote to memory of 3508   3872  2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe  98
PID 3872 wrote to memory of 3508   3872  2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe  98
PID 3872 wrote to memory of 4852   3872  2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe  99
PID 3872 wrote to memory of 4852   3872  2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe  99
PID 3872 wrote to memory of 432    3872  2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe  100
PID 3872 wrote to memory of 432    3872  2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe  100
PID 3872 wrote to memory of 3764   3872  2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe  101
PID 3872 wrote to memory of 3764   3872  2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe  101
PID 3872 wrote to memory of 3656   3872  2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe  102
PID 3872 wrote to memory of 3656   3872  2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe  102
PID 3872 wrote to memory of 5028   3872  2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe  103
PID 3872 wrote to memory of 5028   3872  2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe  103
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-11-21_1f266a8bd5f09f14a19f94246b03ef3f_cobalt-strike_cobaltstrike_poet-rat.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3872
  Child processes:
    C:\Windows\System\JoSuFNx.exe
      Command line: C:\Windows\System\JoSuFNx.exe
      - Executes dropped EXE
      PID:2976
    C:\Windows\System\WBllpZh.exe
      Command line: C:\Windows\System\WBllpZh.exe
      - Executes dropped EXE
      PID:3504
    C:\Windows\System\ulFZFzz.exe
      Command line: C:\Windows\System\ulFZFzz.exe
      - Executes dropped EXE
      PID:1780
    C:\Windows\System\VtaaRaV.exe
      Command line: C:\Windows\System\VtaaRaV.exe
      - Executes dropped EXE
      PID:4280
    C:\Windows\System\kjvqvXY.exe
      Command line: C:\Windows\System\kjvqvXY.exe
      - Executes dropped EXE
      PID:804
    C:\Windows\System\GRILuWC.exe
      Command line: C:\Windows\System\GRILuWC.exe
      - Executes dropped EXE
      PID:2520
    C:\Windows\System\OxmylKm.exe
      Command line: C:\Windows\System\OxmylKm.exe
      - Executes dropped EXE
      PID:4424
    C:\Windows\System\BAaFmCR.exe
      Command line: C:\Windows\System\BAaFmCR.exe
      - Executes dropped EXE
      PID:4704
    C:\Windows\System\QrYnGip.exe
      Command line: C:\Windows\System\QrYnGip.exe
      - Executes dropped EXE
      PID:5088
    C:\Windows\System\apkapNZ.exe
      Command line: C:\Windows\System\apkapNZ.exe
      - Executes dropped EXE
      PID:2868
    C:\Windows\System\WfvzWha.exe
      Command line: C:\Windows\System\WfvzWha.exe
      - Executes dropped EXE
      PID:3948
    C:\Windows\System\BwrrPth.exe
      Command line: C:\Windows\System\BwrrPth.exe
      - Executes dropped EXE
      PID:64
    C:\Windows\System\ZNpTMlm.exe
      Command line: C:\Windows\System\ZNpTMlm.exe
      - Executes dropped EXE
      PID:3924
    C:\Windows\System\tmPWVlz.exe
      Command line: C:\Windows\System\tmPWVlz.exe
      - Executes dropped EXE
      PID:1164
    C:\Windows\System\hlOHqRK.exe
      Command line: C:\Windows\System\hlOHqRK.exe
      - Executes dropped EXE
      PID:3716
    C:\Windows\System\yOkjBFR.exe
      Command line: C:\Windows\System\yOkjBFR.exe
      - Executes dropped EXE
      PID:3508
    C:\Windows\System\NhAGyom.exe
      Command line: C:\Windows\System\NhAGyom.exe
      - Executes dropped EXE
      PID:4852
    C:\Windows\System\xncEhdU.exe
      Command line: C:\Windows\System\xncEhdU.exe
      - Executes dropped EXE
      PID:432
    C:\Windows\System\YVlhhJi.exe
      Command line: C:\Windows\System\YVlhhJi.exe
      - Executes dropped EXE
      PID:3764
    C:\Windows\System\dUoPoZN.exe
      Command line: C:\Windows\System\dUoPoZN.exe
      - Executes dropped EXE
      PID:3656
    C:\Windows\System\TLCljGl.exe
      Command line: C:\Windows\System\TLCljGl.exe
      - Executes dropped EXE
      PID:5028
Network
MITRE ATT&CK Matrix
Downloads