Analysis
max time kernel: 140s
max time network: 150s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 14-12-2024 02:53
Behavioral task: behavioral1
Sample: 2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe
Resource: win7-20240708-en
General
Target: 2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe
Size: 5.2MB
MD5: 82fa350c690590840584042057e81c1d
SHA1: 9cfb41bebed8af62d09763a09f0c94beb793e1f9
SHA256: 2b211c1a61c5eaebddfde3cd16537ff85876c8ea517b00d07c96ef6648286a26
SHA512: 158a55f4e063b98febf3c25d5d018a2d61c3e34eb25fb533d11a6171a7a12267704be41b14e585690d914a08500d6b5172ea33b9c78ef9ed4f745359e39be5d2
SSDEEP: 49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l7:RWWBibd56utgpPFotBER/mQ32lU3
Malware Config
Extracted
Family: cobaltstrike
Botnet: 0
C2:
- http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
Attributes:
access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host:
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2:
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
Signatures
Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
Cobaltstrike family
Xmrig family
XMRig Miner payload 36 IoCs
Executes dropped EXE 21 IoCs
Loads dropped DLL 21 IoCs
UPX (yara rule upx): matched in the process memory of the sample and of its dropped executables, and in the dropped resource files.
Drops file in Windows directory 21 IoCs
Suspicious use of AdjustPrivilegeToken 2 IoCs
description: Token: SeLockMemoryPrivilege; pid: 2756; Process: 2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe
description: Token: SeLockMemoryPrivilege; pid: 2756; Process: 2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe
Suspicious use of WriteProcessMemory 63 IoCs
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe (PID 2756)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\System\DdqPTns.exe (PID 2500): Executes dropped EXE
  - C:\Windows\System\EsngyQt.exe (PID 2700): Executes dropped EXE
  - C:\Windows\System\aXXkbpu.exe (PID 2804): Executes dropped EXE
  - C:\Windows\System\xjQVXDz.exe (PID 2704): Executes dropped EXE
  - C:\Windows\System\kuZXwqZ.exe (PID 2852): Executes dropped EXE
  - C:\Windows\System\jsnkRcF.exe (PID 2604): Executes dropped EXE
  - C:\Windows\System\bLIFKre.exe (PID 2908): Executes dropped EXE
  - C:\Windows\System\oansrdv.exe (PID 2744): Executes dropped EXE
  - C:\Windows\System\WFjsTyl.exe (PID 2624): Executes dropped EXE
  - C:\Windows\System\EQUEuPp.exe (PID 2560): Executes dropped EXE
  - C:\Windows\System\CGMJAGE.exe (PID 2644): Executes dropped EXE
  - C:\Windows\System\zkdvMzC.exe (PID 2132): Executes dropped EXE
  - C:\Windows\System\OXvQnEI.exe (PID 2928): Executes dropped EXE
  - C:\Windows\System\PoQgpUM.exe (PID 2256): Executes dropped EXE
  - C:\Windows\System\XVbCyBG.exe (PID 2100): Executes dropped EXE
  - C:\Windows\System\yyfsmvw.exe (PID 2268): Executes dropped EXE
  - C:\Windows\System\dydADgW.exe (PID 868): Executes dropped EXE
  - C:\Windows\System\NSuaIQI.exe (PID 2872): Executes dropped EXE
  - C:\Windows\System\qbsBbzt.exe (PID 1028): Executes dropped EXE
  - C:\Windows\System\BwKPowm.exe (PID 2996): Executes dropped EXE
  - C:\Windows\System\qRZCNsw.exe (PID 2748): Executes dropped EXE
Downloads