Analysis
max time kernel: 143s
max time network: 147s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 21-01-2025 23:01
Behavioral task: behavioral1
Sample: 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
Resource: win7-20240903-en
General
Target: 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
Size: 5.7MB
MD5: c2a514837d984e0c0dd41db126bca062
SHA1: ff02f2d7edf928c378cc1a0fb61ac9e8af522643
SHA256: f83a6fbc9ab4729d3546c3ff3724312a695bd0e985de4b405384469dd3d427a8
SHA512: b604498842019db299288b613ffb7eff12fbb7edf71e72a9f30435f83116a39b6918e8795045324cf6436a6d56a5129283b18e8633d5c162c30320f4522fc457
SSDEEP: 98304:4emTLkNdfE0pZaJ56utgpPFotBER/mQ32lUr:j+R56utgpPF8u/7r
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
Signatures
Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
resource | yara_rule
behavioral1/files/0x0007000000012117-3.dat | cobalt_reflective_dll
behavioral1/files/0x000700000001924c-7.dat | cobalt_reflective_dll
behavioral1/files/0x000700000001926b-17.dat | cobalt_reflective_dll
behavioral1/files/0x0005000000019623-66.dat | cobalt_reflective_dll
behavioral1/files/0x0005000000019c43-117.dat | cobalt_reflective_dll
behavioral1/files/0x000500000001998a-112.dat | cobalt_reflective_dll
behavioral1/files/0x00050000000196be-103.dat | cobalt_reflective_dll
behavioral1/files/0x0005000000019639-95.dat | cobalt_reflective_dll
behavioral1/files/0x0005000000019627-83.dat | cobalt_reflective_dll
behavioral1/files/0x00050000000196f6-109.dat | cobalt_reflective_dll
behavioral1/files/0x000500000001967d-100.dat | cobalt_reflective_dll
behavioral1/files/0x0005000000019629-88.dat | cobalt_reflective_dll
behavioral1/files/0x0005000000019625-76.dat | cobalt_reflective_dll
behavioral1/files/0x0005000000019620-59.dat | cobalt_reflective_dll
behavioral1/files/0x0005000000019621-64.dat | cobalt_reflective_dll
behavioral1/files/0x000500000001961f-52.dat | cobalt_reflective_dll
behavioral1/files/0x00080000000193c4-47.dat | cobalt_reflective_dll
behavioral1/files/0x0006000000019389-41.dat | cobalt_reflective_dll
behavioral1/files/0x0006000000019382-34.dat | cobalt_reflective_dll
behavioral1/files/0x0006000000019277-29.dat | cobalt_reflective_dll
behavioral1/files/0x0007000000019271-21.dat | cobalt_reflective_dll
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
Cobaltstrike family
Xmrig family
XMRig Miner payload 42 IoCs
resource | yara_rule
behavioral1/memory/2532-0-0x000000013F3E0000-0x000000013F72D000-memory.dmp | xmrig
behavioral1/files/0x0007000000012117-3.dat | xmrig
behavioral1/files/0x000700000001924c-7.dat | xmrig
behavioral1/memory/1692-11-0x000000013F780000-0x000000013FACD000-memory.dmp | xmrig
behavioral1/memory/2108-12-0x000000013F700000-0x000000013FA4D000-memory.dmp | xmrig
behavioral1/files/0x000700000001926b-17.dat | xmrig
behavioral1/memory/2420-22-0x000000013F350000-0x000000013F69D000-memory.dmp | xmrig
behavioral1/memory/2452-30-0x000000013F9B0000-0x000000013FCFD000-memory.dmp | xmrig
behavioral1/memory/2748-36-0x000000013F4C0000-0x000000013F80D000-memory.dmp | xmrig
behavioral1/files/0x0005000000019623-66.dat | xmrig
behavioral1/files/0x0005000000019c43-117.dat | xmrig
behavioral1/memory/2032-125-0x000000013F1B0000-0x000000013F4FD000-memory.dmp | xmrig
behavioral1/files/0x000500000001998a-112.dat | xmrig
behavioral1/files/0x00050000000196be-103.dat | xmrig
behavioral1/memory/2816-122-0x000000013FC10000-0x000000013FF5D000-memory.dmp | xmrig
behavioral1/memory/2004-96-0x000000013F250000-0x000000013F59D000-memory.dmp | xmrig
behavioral1/files/0x0005000000019639-95.dat | xmrig
behavioral1/memory/2848-118-0x000000013F040000-0x000000013F38D000-memory.dmp | xmrig
behavioral1/memory/2792-110-0x000000013FD00000-0x000000014004D000-memory.dmp | xmrig
behavioral1/memory/2684-84-0x000000013F310000-0x000000013F65D000-memory.dmp | xmrig
behavioral1/files/0x0005000000019627-83.dat | xmrig
behavioral1/files/0x00050000000196f6-109.dat | xmrig
behavioral1/memory/1504-102-0x000000013F950000-0x000000013FC9D000-memory.dmp | xmrig
behavioral1/files/0x000500000001967d-100.dat | xmrig
behavioral1/memory/2436-90-0x000000013FEE0000-0x000000014022D000-memory.dmp | xmrig
behavioral1/files/0x0005000000019629-88.dat | xmrig
behavioral1/memory/2612-81-0x000000013F770000-0x000000013FABD000-memory.dmp | xmrig
behavioral1/files/0x0005000000019625-76.dat | xmrig
behavioral1/memory/2776-75-0x000000013FEA0000-0x00000001401ED000-memory.dmp | xmrig
behavioral1/memory/1924-60-0x000000013F8B0000-0x000000013FBFD000-memory.dmp | xmrig
behavioral1/files/0x0005000000019620-59.dat | xmrig
behavioral1/memory/2968-65-0x000000013F680000-0x000000013F9CD000-memory.dmp | xmrig
behavioral1/files/0x0005000000019621-64.dat | xmrig
behavioral1/memory/2760-48-0x000000013F030000-0x000000013F37D000-memory.dmp | xmrig
behavioral1/files/0x000500000001961f-52.dat | xmrig
behavioral1/files/0x00080000000193c4-47.dat | xmrig
behavioral1/memory/2840-42-0x000000013F470000-0x000000013F7BD000-memory.dmp | xmrig
behavioral1/files/0x0006000000019389-41.dat | xmrig
behavioral1/files/0x0006000000019382-34.dat | xmrig
behavioral1/files/0x0006000000019277-29.dat | xmrig
behavioral1/memory/2156-24-0x000000013FBB0000-0x000000013FEFD000-memory.dmp | xmrig
behavioral1/files/0x0007000000019271-21.dat | xmrig
Executes dropped EXE 21 IoCs
pid | Process
1692 | NWgYdql.exe
2108 | TTpKxsN.exe
2156 | STdlKJd.exe
2420 | KdhYNEA.exe
2452 | lTDaqfG.exe
2748 | mIuwHRA.exe
2840 | phAwfHG.exe
2760 | SlgVjyA.exe
2732 | NPWOCrw.exe
1924 | zncBJEz.exe
2968 | NKXfXFd.exe
2776 | IajvOqs.exe
2612 | ppHaMHK.exe
2684 | HKYmHjE.exe
2436 | aiaCNzA.exe
2004 | CxRpTDQ.exe
1504 | MjzHpgL.exe
2792 | ZwlIYYK.exe
2848 | WHnuJJn.exe
2816 | AMQosLU.exe
2032 | NwmWyri.exe
Loads dropped DLL 21 IoCs
pid | Process
2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
Drops file in Windows directory 21 IoCs
description | ioc | Process
File created | C:\Windows\System\IajvOqs.exe | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\CxRpTDQ.exe | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\AMQosLU.exe | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\ZwlIYYK.exe | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\zncBJEz.exe | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\lTDaqfG.exe | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\ppHaMHK.exe | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\aiaCNzA.exe | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\WHnuJJn.exe | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\TTpKxsN.exe | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\STdlKJd.exe | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\SlgVjyA.exe | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\MjzHpgL.exe | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\NWgYdql.exe | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\mIuwHRA.exe | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\phAwfHG.exe | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\NPWOCrw.exe | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\NKXfXFd.exe | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\HKYmHjE.exe | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\NwmWyri.exe | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
File created | C:\Windows\System\KdhYNEA.exe | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeLockMemoryPrivilege | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
Suspicious use of WriteProcessMemory 63 IoCs
description | pid | Process | procid_target
PID 2532 wrote to memory of 1692 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 31
PID 2532 wrote to memory of 1692 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 31
PID 2532 wrote to memory of 1692 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 31
PID 2532 wrote to memory of 2108 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 32
PID 2532 wrote to memory of 2108 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 32
PID 2532 wrote to memory of 2108 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 32
PID 2532 wrote to memory of 2156 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 33
PID 2532 wrote to memory of 2156 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 33
PID 2532 wrote to memory of 2156 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 33
PID 2532 wrote to memory of 2420 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 34
PID 2532 wrote to memory of 2420 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 34
PID 2532 wrote to memory of 2420 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 34
PID 2532 wrote to memory of 2452 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 35
PID 2532 wrote to memory of 2452 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 35
PID 2532 wrote to memory of 2452 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 35
PID 2532 wrote to memory of 2748 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 36
PID 2532 wrote to memory of 2748 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 36
PID 2532 wrote to memory of 2748 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 36
PID 2532 wrote to memory of 2840 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 37
PID 2532 wrote to memory of 2840 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 37
PID 2532 wrote to memory of 2840 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 37
PID 2532 wrote to memory of 2760 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 38
PID 2532 wrote to memory of 2760 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 38
PID 2532 wrote to memory of 2760 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 38
PID 2532 wrote to memory of 2732 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 39
PID 2532 wrote to memory of 2732 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 39
PID 2532 wrote to memory of 2732 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 39
PID 2532 wrote to memory of 1924 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 40
PID 2532 wrote to memory of 1924 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 40
PID 2532 wrote to memory of 1924 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 40
PID 2532 wrote to memory of 2968 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 41
PID 2532 wrote to memory of 2968 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 41
PID 2532 wrote to memory of 2968 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 41
PID 2532 wrote to memory of 2776 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 42
PID 2532 wrote to memory of 2776 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 42
PID 2532 wrote to memory of 2776 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 42
PID 2532 wrote to memory of 2612 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 43
PID 2532 wrote to memory of 2612 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 43
PID 2532 wrote to memory of 2612 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 43
PID 2532 wrote to memory of 2684 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 44
PID 2532 wrote to memory of 2684 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 44
PID 2532 wrote to memory of 2684 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 44
PID 2532 wrote to memory of 2436 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 45
PID 2532 wrote to memory of 2436 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 45
PID 2532 wrote to memory of 2436 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 45
PID 2532 wrote to memory of 2004 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 46
PID 2532 wrote to memory of 2004 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 46
PID 2532 wrote to memory of 2004 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 46
PID 2532 wrote to memory of 1504 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 47
PID 2532 wrote to memory of 1504 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 47
PID 2532 wrote to memory of 1504 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 47
PID 2532 wrote to memory of 2816 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 48
PID 2532 wrote to memory of 2816 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 48
PID 2532 wrote to memory of 2816 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 48
PID 2532 wrote to memory of 2792 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 49
PID 2532 wrote to memory of 2792 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 49
PID 2532 wrote to memory of 2792 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 49
PID 2532 wrote to memory of 2032 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 50
PID 2532 wrote to memory of 2032 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 50
PID 2532 wrote to memory of 2032 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 50
PID 2532 wrote to memory of 2848 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 51
PID 2532 wrote to memory of 2848 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 51
PID 2532 wrote to memory of 2848 | 2532 | 2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe | 51
Processes
C:\Users\Admin\AppData\Local\Temp\2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2532
  C:\Windows\System\NWgYdql.exe
    Command line: C:\Windows\System\NWgYdql.exe
    - Executes dropped EXE
    PID: 1692
  C:\Windows\System\TTpKxsN.exe
    Command line: C:\Windows\System\TTpKxsN.exe
    - Executes dropped EXE
    PID: 2108
  C:\Windows\System\STdlKJd.exe
    Command line: C:\Windows\System\STdlKJd.exe
    - Executes dropped EXE
    PID: 2156
  C:\Windows\System\KdhYNEA.exe
    Command line: C:\Windows\System\KdhYNEA.exe
    - Executes dropped EXE
    PID: 2420
  C:\Windows\System\lTDaqfG.exe
    Command line: C:\Windows\System\lTDaqfG.exe
    - Executes dropped EXE
    PID: 2452
  C:\Windows\System\mIuwHRA.exe
    Command line: C:\Windows\System\mIuwHRA.exe
    - Executes dropped EXE
    PID: 2748
  C:\Windows\System\phAwfHG.exe
    Command line: C:\Windows\System\phAwfHG.exe
    - Executes dropped EXE
    PID: 2840
  C:\Windows\System\SlgVjyA.exe
    Command line: C:\Windows\System\SlgVjyA.exe
    - Executes dropped EXE
    PID: 2760
  C:\Windows\System\NPWOCrw.exe
    Command line: C:\Windows\System\NPWOCrw.exe
    - Executes dropped EXE
    PID: 2732
  C:\Windows\System\zncBJEz.exe
    Command line: C:\Windows\System\zncBJEz.exe
    - Executes dropped EXE
    PID: 1924
  C:\Windows\System\NKXfXFd.exe
    Command line: C:\Windows\System\NKXfXFd.exe
    - Executes dropped EXE
    PID: 2968
  C:\Windows\System\IajvOqs.exe
    Command line: C:\Windows\System\IajvOqs.exe
    - Executes dropped EXE
    PID: 2776
  C:\Windows\System\ppHaMHK.exe
    Command line: C:\Windows\System\ppHaMHK.exe
    - Executes dropped EXE
    PID: 2612
  C:\Windows\System\HKYmHjE.exe
    Command line: C:\Windows\System\HKYmHjE.exe
    - Executes dropped EXE
    PID: 2684
  C:\Windows\System\aiaCNzA.exe
    Command line: C:\Windows\System\aiaCNzA.exe
    - Executes dropped EXE
    PID: 2436
  C:\Windows\System\CxRpTDQ.exe
    Command line: C:\Windows\System\CxRpTDQ.exe
    - Executes dropped EXE
    PID: 2004
  C:\Windows\System\MjzHpgL.exe
    Command line: C:\Windows\System\MjzHpgL.exe
    - Executes dropped EXE
    PID: 1504
  C:\Windows\System\AMQosLU.exe
    Command line: C:\Windows\System\AMQosLU.exe
    - Executes dropped EXE
    PID: 2816
  C:\Windows\System\ZwlIYYK.exe
    Command line: C:\Windows\System\ZwlIYYK.exe
    - Executes dropped EXE
    PID: 2792
  C:\Windows\System\NwmWyri.exe
    Command line: C:\Windows\System\NwmWyri.exe
    - Executes dropped EXE
    PID: 2032
  C:\Windows\System\WHnuJJn.exe
    Command line: C:\Windows\System\WHnuJJn.exe
    - Executes dropped EXE
    PID: 2848
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize: 5.7MB
MD5: 8d7270c78e820fcf754931b6553adf0a
SHA1: e6f2b0f799150ca64e18b7740e9cf198fd146d7f
SHA256: 7159bb3536c30bbaccb8e61d23978b33d524d9c937e7a9e5c1169ec8a2f6657d
SHA512: f8e18b4f67cdd846938cd62e4e1d5eb556d74fc11178b18277140a88d40d94c047b80b6c0ff97dd98776c02eee3ca98b31d60cd5d9a9f1618c5b38b9f7dc8b3c
-
Filesize: 5.7MB
MD5: 4f2a80ab9bc61771935146d20b727109
SHA1: 883548f847ed31e9b05acdfbfebe5d2aafb14168
SHA256: 298b47cb1cbb4568f83f89f467ee7c8e73a10dc0446570c53f31b6d85e9ee62a
SHA512: 623f36f8ba1538f83ae2e94f094337f004e3e693b0572f39f629e56e8cd2e863536378a633ea148cb6228e2e933d535d0ee062f63907222ed822bbabf65bd221
-
Filesize: 5.7MB
MD5: 6bb92c0ee1583ea60975be8e9e1779e5
SHA1: b99e52b2cf4b75b374b587d38084bd462ab41a57
SHA256: 5127531243fcb361294810ea8f304239bd95222c9621025e4d6ea1bdb95cbe38
SHA512: 0f60a46490fe55e1eabaa14c26b1c2dd29d4c180598e0f9ed4943be831033fa9a94c097725f1798b1f2fa6d00ee6ce2f6b122024af09c05d107b156f0430489a
-
Filesize: 5.7MB
MD5: bf20c49d3a65963f3bc9e31d0c031579
SHA1: d12221f31841d85d70bcc443bd95237f8734e195
SHA256: 4a312a2713d2ae9f774de6efc4cc09b5e9f7ec9f7c9ce96b016a467ee220c25d
SHA512: 536e03c764cd6ae3fe5fc180b54f0ba2c41e5678ce3a55b393d970c232f69eb90d38bb2c26dc148042e417aa36afe3e0d946d2acc2e0eabed45ba9d17b47c9e3
-
Filesize: 5.7MB
MD5: c7432f60d36db060a1a00fe94c88db9c
SHA1: 94879685d34146415984356bf1b063e08a8e0bd6
SHA256: ca08270982e27eed6201b73390db94550e9ab9061c0764364f779bd0b80b363e
SHA512: 94a62f74166c3d3fc882027b50f44fb781053352d86b83d75118b2c14c46bb1b9e52959cea1b0b1f4ce8766a5748b77c5035e690ff59d006b2bdf22af926878e
-
Filesize: 5.7MB
MD5: 9ecbb5298c4eab3cceea3bd1aefaa5b0
SHA1: dd4850def8b3e0e8c24d00865a0d0f2a31017160
SHA256: 6e2211f92dce3516ca5fe09874ab0986503a3849fb7192c2a31d09565a7b5880
SHA512: 84f437971c2adcea36c11c0a992b673a849336d1957cac81cb384f3fcdbce70eb6c58c6d3e8dad1bb21f549614f9f03f98f3f4ec78ae655b219a0a136af6cc29
-
Filesize: 5.7MB
MD5: 750cb217992328ca72da559a9f9ee342
SHA1: e3b6707983952027046e31d65cc001bc50f6348f
SHA256: 0a65b3aa53521e7007579ccfeb85f56ff7548a8708e8a0f9a8c4b38c1c848903
SHA512: b230e6147b5679e9d55d67f9b060940153f7a1e2a1ca9719c55b7df4bf1a59fc9d228994e33ed41d5c718d8931c9e1fb09da6d6c455fe2fe55d963dd9e885b44
-
Filesize: 5.7MB
MD5: 7830da7fc51c222cc5294849c7fd69e3
SHA1: b2935974db8cc62856f5185a795a9a9f603bf7b9
SHA256: 3ccb6da8095c50a029dfcf0dce0b81eb00516757b8f27237759101d680207e0b
SHA512: c39bfa3651b7682a5c89ef567c0d284b2ef2a0e523f7b26faa25d0be6bfd0d14d7b82c989db04a5ce450b72dac4d5216794758ddcc0559cb2a2af737b2ae71e8
-
Filesize: 5.7MB
MD5: 4c73fe4295fbecc96a301ba7d32b844d
SHA1: d5d2f699fad10a87f2b39bd4c04b11265ef6296c
SHA256: 239dffafd93887048c79a3cd03c898e621fe4ee0df13dbbd60c34b72b0ea9b2d
SHA512: a84547b53de712c17c53fbe687d6f0bc02c7b39515cf3a2cf8597bf724a402654cc0d6d74879d8ec8bbb99d956a31d81532803bf4a5a3662b1510bd8b184a724
-
Filesize: 5.7MB
MD5: 4486cc8ae45d4a6b78dbb378f010add1
SHA1: 0622793e8e896e7a203165170ba84ec90f38fc08
SHA256: b61e23665f3367409bfe0242dbb978d16aad3ddf2ced6c90d7b7fab03fe23cf7
SHA512: edaf2e9e84eb4d46a5e34415b82d4c30ec7c2d97ede5f524c13c4ccc0b2117db25adadea0499342d8dcd25ad7ca58d448d7a77d2e775dc44e1fb7904d2c55545
-
Filesize: 5.7MB
MD5: 9947f8ddd8e979d4bd99a16aa050233e
SHA1: 66940e4377356e9bacee31a5093b2d9c0603e83e
SHA256: ebda380e5e5669618f128797d99c77db823c42542548b946b1a719c3c090fb7b
SHA512: e69fa76a9a980b103807ce8d100435a08f8e98754bdf8c833b639c8257bca3c04f32a6458353f5aab62a1f87359173a60f7eff611d2d06ad2c7d2e09dd45751b
-
Filesize: 5.7MB
MD5: a10b71594e27c9a3f286e00240d13d38
SHA1: e1da169bbacbd4a98113d92d7f2a95cd57f0a4a3
SHA256: 45b64b0e92dbb6190f9f79ce7a6e32ea947db100fd4cbd2bebf67f63cd0a4905
SHA512: c61a212597fd61021555f937952e64727b3840913f16edae577fc45ed993003c07d5f647f65d6d7c2d703daaaa765e7e09e435af5996d35d299f24a8162a2ee5
-
Filesize: 5.7MB
MD5: 00f0175a668e1de5ce697aab663f5c19
SHA1: 315d5181db7eb8ae46b127deb3854662ca429ace
SHA256: 3e4941f017a1c6a55f13126a9811063676926d5b19de20ea3cd007aa8ff92c8b
SHA512: fc99588ffc269ab836551730f527cc406ef8ea9b32cf7db460c714de35996cd573e83c17c6a8d9004cc788efe135206f7fddc781859b60adde19f1cfa040fdb3
-
Filesize: 5.7MB
MD5: 7e9bca19ab4b1ef103c7441fe168955d
SHA1: 52a212eb3c0759afb379931f73c86915ca09dd20
SHA256: ec7f4346995c1d84e7ef6942e50231822b0eb58a2bc27b1145b4c06190fc992c
SHA512: 56af23e7555e9bcb4eaac614719bfed9581fa2be5157602204bcb8b77a66f2bbb8accdbeb3828284c7e8e916d7cd813d13f5cfa13ce64045e68dba43e582d239
-
Filesize: 5.7MB
MD5: 7a535c2a3e22c911bb4da094067ab1b0
SHA1: 738b7357bc9e862031a85c14740ce089d1239330
SHA256: 49c08326c3d8c3909e5b4806917dbea19fd7ed2dee442f24c456604536338de6
SHA512: 8151884dbc00c4149ae147ac5210dc01397b1733fd75a30e96aaece23c7ab9381648feaad2c225e4355789f195826c8121c26a956ead3ed92cb192112b77e9c6
-
Filesize: 5.7MB
MD5: bdd21f216660e002198fddd73bf1448c
SHA1: d1ebadda246758df436022625ea89dee25761e24
SHA256: 9af005186513fa2c776b7e6102ba795ab93c541cb092c5da4f83ac624522cf4e
SHA512: c93703d83a672e6c3d25de5174c8197438523d1a835babf53e7ad14e20bc9b689d37bb6505a479f6a1f075603deb2af7d8c2f0ed3c1b0e20d2f737dd70a789ee
-
Filesize: 5.7MB
MD5: 4c888086a1daf984b54c2d0f7b07bf67
SHA1: d6a32767763f0daec4744e1ee6024af92aa004f1
SHA256: 07f8d96409e0d314ac51748f816e1afd0e5b7f758c748fb80a8cac8607d6f85b
SHA512: 32f135bf537bebd6f48b96016548ba1365b258e498e61eca2fb004e02e5b600a0f394e2768625ab0e2241b6281bbbc30b5b50f5fc64a7425b8b1f7b04dd02090
-
Filesize: 5.7MB
MD5: 765d89a4b39e8073697fdc4e6cd41e61
SHA1: 626bfd3cf5fb3c14b1fe15db938ddc3fa2a174df
SHA256: 318abf6256d18f520b6c4d768cdf730a3175c3d0dc080dc2998d312add3f98c6
SHA512: 4cc024e2a29d039ba5daf33cab31f6163b7cdd34f1d5c558b69a1f62744684dbe5017f3d0ff04f7736dadd3fbebd81141bc80b1e1e89018bbcfcf888a39aee27
-
Filesize: 5.7MB
MD5: 9c8cebde46761e09925c37520975e2a6
SHA1: 51131bd92af2d9185bcfd231b618f24a2a2b6310
SHA256: acd1b5784fe4c1be469e3aa23af1de7129f6c5f7894350e8c42128ebad4d097b
SHA512: cc8dc8417d9b80df63431509f4c1bea8d35f718c560cb69372b00e5d5c5c615c137f527bc1968e5c592be9751858e2e389f5f7a29b31e68727737e4014a7296c
-
Filesize: 5.7MB
MD5: c257beaf43a18bf4aa06d62d29d6940d
SHA1: 2eb3aa9f6ba87291c289dde705e54558224ea68c
SHA256: 2a57dbe4121d98b494311100b358e8026394c7ad921bd9006444b14a683393bb
SHA512: 5d0a1eeab5e94f76e48e2269090f5205a3ffecd5a70ac26bff3c6fb12eee3e56f02272db416e34f880054b4ee4739311815a3fd2aeadd134d37b8c3eaf88de7a
-
Filesize: 5.7MB
MD5: 4ba6947b63f3d4fd1519921d90e38fa1
SHA1: c8805a2e02df39b603ddc94f462539ea6facaead
SHA256: 5764fd3e6c2337cd22eb844c6e889a3c2bee0722b51f9365943c5628e3edbc57
SHA512: ab15ab6a1a18bdcdf90835de80e76fb8b6246226944cd2da625592a2067e7f3437a5b69db793c84e62a9d3eaace704622638046859f30971a607d7feaa3f2a35