Analysis

max time kernel: 12s
max time network: 4s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21-11-2024 15:13

Behavioral task: behavioral1
Sample: 2024-11-21_d62bb83cd257f979771036eb5a825b48_cobalt-strike_cobaltstrike_poet-rat.exe
Resource: win7-20240903-en
General

Target: 2024-11-21_d62bb83cd257f979771036eb5a825b48_cobalt-strike_cobaltstrike_poet-rat.exe
Size: 6.0MB
MD5: d62bb83cd257f979771036eb5a825b48
SHA1: 1c7df6fd625283023a8e5d8ce0698d011ff94641
SHA256: 3b3054483ab5a628f957742c56f2e33adb5441c78f0b49538d0ef259f2050741
SHA512: 55139464305e8cbfeeef5df95df456159a81bb4f9615d226b3883c26d6b60e4eeefdf2874d654f004a99fca867130d36cff41bf863262d7e36bc2a661d56c37b
SSDEEP: 98304:oemTLkNdfE0pZrD56utgpPFotBER/mQ32lUu:T+q56utgpPF8u/7u
Malware Config

Signatures

Xmrig family

XMRig Miner payload (12 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/2904-0-0x000000013F4A0000-0x000000013F7F4000-memory.dmp    xmrig
  behavioral1/files/0x000700000001211a-3.dat                                    xmrig
  behavioral1/files/0x000700000001211a-6.dat                                    xmrig
  behavioral1/files/0x0008000000016cd1-11.dat                                   xmrig
  behavioral1/files/0x0008000000016cd1-7.dat                                    xmrig
  behavioral1/files/0x0008000000016d25-12.dat                                   xmrig
  behavioral1/files/0x0008000000016d25-16.dat                                   xmrig
  behavioral1/files/0x0007000000016d36-20.dat                                   xmrig
  behavioral1/memory/2088-29-0x000000013FCA0000-0x000000013FFF4000-memory.dmp   xmrig
  behavioral1/files/0x0009000000016d9a-39.dat                                   xmrig
  behavioral1/files/0x0009000000016d9a-62.dat                                   xmrig
  behavioral1/files/0x0006000000018f53-114.dat                                  xmrig

Executes dropped EXE (1 IoC)
  pid    Process
  2312   VxZdaAV.exe

Loads dropped DLL (1 IoC)
  pid    Process
  2904   2024-11-21_d62bb83cd257f979771036eb5a825b48_cobalt-strike_cobaltstrike_poet-rat.exe

UPX yara rule matches (12 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/2904-0-0x000000013F4A0000-0x000000013F7F4000-memory.dmp    upx
  behavioral1/files/0x000700000001211a-3.dat                                    upx
  behavioral1/files/0x000700000001211a-6.dat                                    upx
  behavioral1/files/0x0008000000016cd1-11.dat                                   upx
  behavioral1/files/0x0008000000016cd1-7.dat                                    upx
  behavioral1/files/0x0008000000016d25-12.dat                                   upx
  behavioral1/files/0x0008000000016d25-16.dat                                   upx
  behavioral1/files/0x0007000000016d36-20.dat                                   upx
  behavioral1/memory/2088-29-0x000000013FCA0000-0x000000013FFF4000-memory.dmp   upx
  behavioral1/files/0x0009000000016d9a-39.dat                                   upx
  behavioral1/files/0x0009000000016d9a-62.dat                                   upx
  behavioral1/files/0x0006000000018f53-114.dat                                  upx

Drops file in Windows directory (2 IoCs)
  description    ioc                               Process
  File created   C:\Windows\System\VxZdaAV.exe     2024-11-21_d62bb83cd257f979771036eb5a825b48_cobalt-strike_cobaltstrike_poet-rat.exe
  File created   C:\Windows\System\yFTNBPW.exe     2024-11-21_d62bb83cd257f979771036eb5a825b48_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid    Process                                                                                 procid_target
  PID 2904 wrote to memory of 2312   2904   2024-11-21_d62bb83cd257f979771036eb5a825b48_cobalt-strike_cobaltstrike_poet-rat.exe    29
  PID 2904 wrote to memory of 2312   2904   2024-11-21_d62bb83cd257f979771036eb5a825b48_cobalt-strike_cobaltstrike_poet-rat.exe    29
  PID 2904 wrote to memory of 2312   2904   2024-11-21_d62bb83cd257f979771036eb5a825b48_cobalt-strike_cobaltstrike_poet-rat.exe    29
Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-21_d62bb83cd257f979771036eb5a825b48_cobalt-strike_cobaltstrike_poet-rat.exe  (PID 2904)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-11-21_d62bb83cd257f979771036eb5a825b48_cobalt-strike_cobaltstrike_poet-rat.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory

  C:\Windows\System\VxZdaAV.exe  (PID 2312)
    - Executes dropped EXE
  C:\Windows\System\yFTNBPW.exe  (PID 2088)
  C:\Windows\System\DGSSlol.exe  (PID 2768)
  C:\Windows\System\UdycgYY.exe  (PID 2796)
  C:\Windows\System\XuIjLPC.exe  (PID 2160)
  C:\Windows\System\fluDBrS.exe  (PID 284)
  C:\Windows\System\zkcdyVk.exe  (PID 1680)
  C:\Windows\System\mccjidq.exe  (PID 2736)
  C:\Windows\System\krnTGjr.exe  (PID 1380)
  C:\Windows\System\npKJwjM.exe  (PID 3124)
  C:\Windows\System\AhCzWIE.exe  (PID 3280)
  C:\Windows\System\rAjMgQU.exe  (PID 3568)
  C:\Windows\System\pPOgSYv.exe  (PID 3624)
  C:\Windows\System\MSmchmd.exe  (PID 3760)
  C:\Windows\System\kqlOrPB.exe  (PID 3868)
  C:\Windows\System\IQuMnKi.exe  (PID 3884)
  C:\Windows\System\WdobASH.exe  (PID 3988)
  C:\Windows\System\TVHpQjq.exe  (PID 2548)
  C:\Windows\System\mjLYzSv.exe  (PID 1956)
  C:\Windows\System\ExlPdVs.exe  (PID 2124)
  C:\Windows\System\TcHISoz.exe  (PID 3732)
  C:\Windows\System\jXPhyXg.exe  (PID 3748)
  C:\Windows\System\LBlMrWP.exe  (PID 3712)
  C:\Windows\System\tSkjJnc.exe  (PID 344)
  C:\Windows\System\rUWXdai.exe  (PID 4076)
  C:\Windows\System\GNDTAPz.exe  (PID 3312)
  C:\Windows\System\dDBwtua.exe  (PID 3472)
  C:\Windows\System\DMtzUFw.exe  (PID 4068)
  C:\Windows\System\liYWcMI.exe  (PID 4184)
  C:\Windows\System\nLZOzIk.exe  (PID 4240)
  C:\Windows\System\nzFtXUm.exe  (PID 4584)
  C:\Windows\System\tXmvaHf.exe  (PID 4612)
  C:\Windows\System\DNQjaOj.exe  (PID 4756)
  C:\Windows\System\oobEQiX.exe  (PID 4880)
  C:\Windows\System\FbSRsPR.exe  (PID 5036)
  C:\Windows\System\rawgXcF.exe  (PID 4300)
  C:\Windows\System\ktRbLVs.exe  (PID 4420)
  C:\Windows\System\pRCTFkP.exe  (PID 4200)
  C:\Windows\System\MAdMVSd.exe  (PID 4448)
  C:\Windows\System\guLyNRF.exe  (PID 4284)
  C:\Windows\System\cpyrPnx.exe  (PID 4536)
  C:\Windows\System\TWQzOdW.exe  (PID 2640)
  C:\Windows\System\twzFdgb.exe  (PID 4916)
  C:\Windows\System\fCwjvXH.exe  (PID 4768)
  C:\Windows\System\ROhVqeZ.exe  (PID 4984)

Network
MITRE ATT&CK Matrix
Downloads