cobaltstrike | a7cf964013e0b1cf2842ba8c2cc9edce7bb17e829c22ffda9fea8ef4c5764436

Analysis

max time kernel
139s
max time network
149s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 08:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

71e1fcf3adcc69196f313cb6f933d791
SHA1

6c60cbf99fb138b8045629ba80705223880f158f
SHA256

a7cf964013e0b1cf2842ba8c2cc9edce7bb17e829c22ffda9fea8ef4c5764436
SHA512

4fcdc209109386d541ee7ae336d03a8be7e62549f967435c62937121e2dc57305e679483d3ce99c44bf70d275d4d41fc34fe938719f324c06724dfbc026db521
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUt:Q+856utgpPF8u/7t

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\kaJbDCU.exe	cobalt_reflective_dll
\Windows\system\XTQrhJG.exe	cobalt_reflective_dll
C:\Windows\system\SExfcVm.exe	cobalt_reflective_dll
C:\Windows\system\THtiXBV.exe	cobalt_reflective_dll
C:\Windows\system\ZzaAFhZ.exe	cobalt_reflective_dll
\Windows\system\hccrayw.exe	cobalt_reflective_dll
C:\Windows\system\XGorZvQ.exe	cobalt_reflective_dll
C:\Windows\system\HagIcvB.exe	cobalt_reflective_dll
C:\Windows\system\BjkceYV.exe	cobalt_reflective_dll
\Windows\system\ppDuoFo.exe	cobalt_reflective_dll
C:\Windows\system\eMtxoFk.exe	cobalt_reflective_dll
C:\Windows\system\zvWbnKD.exe	cobalt_reflective_dll
C:\Windows\system\HfsCUSe.exe	cobalt_reflective_dll
C:\Windows\system\UclwFBq.exe	cobalt_reflective_dll
C:\Windows\system\hGkFAgR.exe	cobalt_reflective_dll
C:\Windows\system\iXgBgWm.exe	cobalt_reflective_dll
C:\Windows\system\sEivhSY.exe	cobalt_reflective_dll
C:\Windows\system\dLZIiaG.exe	cobalt_reflective_dll
C:\Windows\system\DwooMaS.exe	cobalt_reflective_dll
C:\Windows\system\KyrrqPq.exe	cobalt_reflective_dll
C:\Windows\system\ZvWLdpk.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
\Windows\system\kaJbDCU.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\XTQrhJG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\SExfcVm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\THtiXBV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ZzaAFhZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\hccrayw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\XGorZvQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\HagIcvB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\BjkceYV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\ppDuoFo.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\eMtxoFk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\zvWbnKD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\HfsCUSe.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\UclwFBq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\hGkFAgR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\iXgBgWm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\sEivhSY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\dLZIiaG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\DwooMaS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\KyrrqPq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ZvWLdpk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 61 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2372-2-0x000000013FDF0000-0x0000000140144000-memory.dmp	UPX
\Windows\system\kaJbDCU.exe	UPX
\Windows\system\XTQrhJG.exe	UPX
C:\Windows\system\SExfcVm.exe	UPX
behavioral1/memory/2848-28-0x000000013F700000-0x000000013FA54000-memory.dmp	UPX
behavioral1/memory/1660-16-0x000000013F980000-0x000000013FCD4000-memory.dmp	UPX
C:\Windows\system\THtiXBV.exe	UPX
behavioral1/memory/2508-26-0x000000013FA40000-0x000000013FD94000-memory.dmp	UPX
behavioral1/memory/1944-20-0x000000013FB30000-0x000000013FE84000-memory.dmp	UPX
C:\Windows\system\ZzaAFhZ.exe	UPX
behavioral1/memory/2632-34-0x000000013F6F0000-0x000000013FA44000-memory.dmp	UPX
\Windows\system\hccrayw.exe	UPX
behavioral1/memory/2764-40-0x000000013F520000-0x000000013F874000-memory.dmp	UPX
behavioral1/memory/2892-52-0x000000013F470000-0x000000013F7C4000-memory.dmp	UPX
C:\Windows\system\XGorZvQ.exe	UPX
C:\Windows\system\HagIcvB.exe	UPX
behavioral1/memory/2480-77-0x000000013F690000-0x000000013F9E4000-memory.dmp	UPX
behavioral1/memory/2848-87-0x000000013F700000-0x000000013FA54000-memory.dmp	UPX
C:\Windows\system\BjkceYV.exe	UPX
\Windows\system\ppDuoFo.exe	UPX
C:\Windows\system\eMtxoFk.exe	UPX
C:\Windows\system\zvWbnKD.exe	UPX
C:\Windows\system\HfsCUSe.exe	UPX
C:\Windows\system\UclwFBq.exe	UPX
behavioral1/memory/2632-95-0x000000013F6F0000-0x000000013FA44000-memory.dmp	UPX
C:\Windows\system\hGkFAgR.exe	UPX
behavioral1/memory/2832-89-0x000000013F850000-0x000000013FBA4000-memory.dmp	UPX
C:\Windows\system\iXgBgWm.exe	UPX
C:\Windows\system\sEivhSY.exe	UPX
behavioral1/memory/2508-75-0x000000013FA40000-0x000000013FD94000-memory.dmp	UPX
behavioral1/memory/2416-70-0x000000013FCA0000-0x000000013FFF4000-memory.dmp	UPX
C:\Windows\system\dLZIiaG.exe	UPX
behavioral1/memory/2640-64-0x000000013F1C0000-0x000000013F514000-memory.dmp	UPX
behavioral1/memory/2732-58-0x000000013F980000-0x000000013FCD4000-memory.dmp	UPX
behavioral1/memory/1944-63-0x000000013FB30000-0x000000013FE84000-memory.dmp	UPX
behavioral1/memory/2372-57-0x000000013FDF0000-0x0000000140144000-memory.dmp	UPX
C:\Windows\system\DwooMaS.exe	UPX
behavioral1/memory/2652-46-0x000000013FAE0000-0x000000013FE34000-memory.dmp	UPX
C:\Windows\system\KyrrqPq.exe	UPX
C:\Windows\system\ZvWLdpk.exe	UPX
behavioral1/memory/2892-137-0x000000013F470000-0x000000013F7C4000-memory.dmp	UPX
behavioral1/memory/2732-138-0x000000013F980000-0x000000013FCD4000-memory.dmp	UPX
behavioral1/memory/2640-140-0x000000013F1C0000-0x000000013F514000-memory.dmp	UPX
behavioral1/memory/2416-142-0x000000013FCA0000-0x000000013FFF4000-memory.dmp	UPX
behavioral1/memory/2480-144-0x000000013F690000-0x000000013F9E4000-memory.dmp	UPX
behavioral1/memory/2684-145-0x000000013F470000-0x000000013F7C4000-memory.dmp	UPX
behavioral1/memory/2832-146-0x000000013F850000-0x000000013FBA4000-memory.dmp	UPX
behavioral1/memory/1660-148-0x000000013F980000-0x000000013FCD4000-memory.dmp	UPX
behavioral1/memory/1944-149-0x000000013FB30000-0x000000013FE84000-memory.dmp	UPX
behavioral1/memory/2508-150-0x000000013FA40000-0x000000013FD94000-memory.dmp	UPX
behavioral1/memory/2848-151-0x000000013F700000-0x000000013FA54000-memory.dmp	UPX
behavioral1/memory/2892-153-0x000000013F470000-0x000000013F7C4000-memory.dmp	UPX
behavioral1/memory/2832-156-0x000000013F850000-0x000000013FBA4000-memory.dmp	UPX
behavioral1/memory/2480-155-0x000000013F690000-0x000000013F9E4000-memory.dmp	UPX
behavioral1/memory/2640-154-0x000000013F1C0000-0x000000013F514000-memory.dmp	UPX
behavioral1/memory/2632-157-0x000000013F6F0000-0x000000013FA44000-memory.dmp	UPX
behavioral1/memory/2684-160-0x000000013F470000-0x000000013F7C4000-memory.dmp	UPX
behavioral1/memory/2732-159-0x000000013F980000-0x000000013FCD4000-memory.dmp	UPX
behavioral1/memory/2652-158-0x000000013FAE0000-0x000000013FE34000-memory.dmp	UPX
behavioral1/memory/2764-152-0x000000013F520000-0x000000013F874000-memory.dmp	UPX
behavioral1/memory/2416-161-0x000000013FCA0000-0x000000013FFF4000-memory.dmp	UPX

XMRig Miner payload 63 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2372-2-0x000000013FDF0000-0x0000000140144000-memory.dmp	xmrig
\Windows\system\kaJbDCU.exe	xmrig
\Windows\system\XTQrhJG.exe	xmrig
C:\Windows\system\SExfcVm.exe	xmrig
behavioral1/memory/2848-28-0x000000013F700000-0x000000013FA54000-memory.dmp	xmrig
behavioral1/memory/1660-16-0x000000013F980000-0x000000013FCD4000-memory.dmp	xmrig
C:\Windows\system\THtiXBV.exe	xmrig
behavioral1/memory/2508-26-0x000000013FA40000-0x000000013FD94000-memory.dmp	xmrig
behavioral1/memory/1944-20-0x000000013FB30000-0x000000013FE84000-memory.dmp	xmrig
C:\Windows\system\ZzaAFhZ.exe	xmrig
behavioral1/memory/2632-34-0x000000013F6F0000-0x000000013FA44000-memory.dmp	xmrig
\Windows\system\hccrayw.exe	xmrig
behavioral1/memory/2764-40-0x000000013F520000-0x000000013F874000-memory.dmp	xmrig
behavioral1/memory/2892-52-0x000000013F470000-0x000000013F7C4000-memory.dmp	xmrig
C:\Windows\system\XGorZvQ.exe	xmrig
C:\Windows\system\HagIcvB.exe	xmrig
behavioral1/memory/2480-77-0x000000013F690000-0x000000013F9E4000-memory.dmp	xmrig
behavioral1/memory/2848-87-0x000000013F700000-0x000000013FA54000-memory.dmp	xmrig
C:\Windows\system\BjkceYV.exe	xmrig
\Windows\system\ppDuoFo.exe	xmrig
C:\Windows\system\eMtxoFk.exe	xmrig
C:\Windows\system\zvWbnKD.exe	xmrig
C:\Windows\system\HfsCUSe.exe	xmrig
C:\Windows\system\UclwFBq.exe	xmrig
behavioral1/memory/2632-95-0x000000013F6F0000-0x000000013FA44000-memory.dmp	xmrig
C:\Windows\system\hGkFAgR.exe	xmrig
behavioral1/memory/2832-89-0x000000013F850000-0x000000013FBA4000-memory.dmp	xmrig
C:\Windows\system\iXgBgWm.exe	xmrig
C:\Windows\system\sEivhSY.exe	xmrig
behavioral1/memory/2508-75-0x000000013FA40000-0x000000013FD94000-memory.dmp	xmrig
behavioral1/memory/2416-70-0x000000013FCA0000-0x000000013FFF4000-memory.dmp	xmrig
C:\Windows\system\dLZIiaG.exe	xmrig
behavioral1/memory/2640-64-0x000000013F1C0000-0x000000013F514000-memory.dmp	xmrig
behavioral1/memory/2732-58-0x000000013F980000-0x000000013FCD4000-memory.dmp	xmrig
behavioral1/memory/1944-63-0x000000013FB30000-0x000000013FE84000-memory.dmp	xmrig
behavioral1/memory/2372-57-0x000000013FDF0000-0x0000000140144000-memory.dmp	xmrig
C:\Windows\system\DwooMaS.exe	xmrig
behavioral1/memory/2652-46-0x000000013FAE0000-0x000000013FE34000-memory.dmp	xmrig
C:\Windows\system\KyrrqPq.exe	xmrig
C:\Windows\system\ZvWLdpk.exe	xmrig
behavioral1/memory/2892-137-0x000000013F470000-0x000000013F7C4000-memory.dmp	xmrig
behavioral1/memory/2732-138-0x000000013F980000-0x000000013FCD4000-memory.dmp	xmrig
behavioral1/memory/2640-140-0x000000013F1C0000-0x000000013F514000-memory.dmp	xmrig
behavioral1/memory/2416-142-0x000000013FCA0000-0x000000013FFF4000-memory.dmp	xmrig
behavioral1/memory/2372-143-0x000000013F690000-0x000000013F9E4000-memory.dmp	xmrig
behavioral1/memory/2480-144-0x000000013F690000-0x000000013F9E4000-memory.dmp	xmrig
behavioral1/memory/2684-145-0x000000013F470000-0x000000013F7C4000-memory.dmp	xmrig
behavioral1/memory/2832-146-0x000000013F850000-0x000000013FBA4000-memory.dmp	xmrig
behavioral1/memory/2372-147-0x000000013F410000-0x000000013F764000-memory.dmp	xmrig
behavioral1/memory/1660-148-0x000000013F980000-0x000000013FCD4000-memory.dmp	xmrig
behavioral1/memory/1944-149-0x000000013FB30000-0x000000013FE84000-memory.dmp	xmrig
behavioral1/memory/2508-150-0x000000013FA40000-0x000000013FD94000-memory.dmp	xmrig
behavioral1/memory/2848-151-0x000000013F700000-0x000000013FA54000-memory.dmp	xmrig
behavioral1/memory/2892-153-0x000000013F470000-0x000000013F7C4000-memory.dmp	xmrig
behavioral1/memory/2832-156-0x000000013F850000-0x000000013FBA4000-memory.dmp	xmrig
behavioral1/memory/2480-155-0x000000013F690000-0x000000013F9E4000-memory.dmp	xmrig
behavioral1/memory/2640-154-0x000000013F1C0000-0x000000013F514000-memory.dmp	xmrig
behavioral1/memory/2632-157-0x000000013F6F0000-0x000000013FA44000-memory.dmp	xmrig
behavioral1/memory/2684-160-0x000000013F470000-0x000000013F7C4000-memory.dmp	xmrig
behavioral1/memory/2732-159-0x000000013F980000-0x000000013FCD4000-memory.dmp	xmrig
behavioral1/memory/2652-158-0x000000013FAE0000-0x000000013FE34000-memory.dmp	xmrig
behavioral1/memory/2764-152-0x000000013F520000-0x000000013F874000-memory.dmp	xmrig
behavioral1/memory/2416-161-0x000000013FCA0000-0x000000013FFF4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

kaJbDCU.exeTHtiXBV.exeSExfcVm.exeXTQrhJG.exeZzaAFhZ.exehccrayw.exeZvWLdpk.exeKyrrqPq.exeDwooMaS.exeXGorZvQ.exeHagIcvB.exedLZIiaG.exesEivhSY.exeiXgBgWm.exehGkFAgR.exeUclwFBq.exeHfsCUSe.exeBjkceYV.exezvWbnKD.exeeMtxoFk.exeppDuoFo.exe

pid	process
1660	kaJbDCU.exe
1944	THtiXBV.exe
2508	SExfcVm.exe
2848	XTQrhJG.exe
2632	ZzaAFhZ.exe
2764	hccrayw.exe
2652	ZvWLdpk.exe
2892	KyrrqPq.exe
2732	DwooMaS.exe
2640	XGorZvQ.exe
2416	HagIcvB.exe
2480	dLZIiaG.exe
2684	sEivhSY.exe
2832	iXgBgWm.exe
1776	hGkFAgR.exe
1584	UclwFBq.exe
1316	HfsCUSe.exe
2368	BjkceYV.exe
1720	zvWbnKD.exe
1812	eMtxoFk.exe
1580	ppDuoFo.exe

Loads dropped DLL 21 IoCs

Processes:

2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe

pid	process
2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 61 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2372-2-0x000000013FDF0000-0x0000000140144000-memory.dmp	upx
\Windows\system\kaJbDCU.exe	upx
\Windows\system\XTQrhJG.exe	upx
C:\Windows\system\SExfcVm.exe	upx
behavioral1/memory/2848-28-0x000000013F700000-0x000000013FA54000-memory.dmp	upx
behavioral1/memory/1660-16-0x000000013F980000-0x000000013FCD4000-memory.dmp	upx
C:\Windows\system\THtiXBV.exe	upx
behavioral1/memory/2508-26-0x000000013FA40000-0x000000013FD94000-memory.dmp	upx
behavioral1/memory/1944-20-0x000000013FB30000-0x000000013FE84000-memory.dmp	upx
C:\Windows\system\ZzaAFhZ.exe	upx
behavioral1/memory/2632-34-0x000000013F6F0000-0x000000013FA44000-memory.dmp	upx
\Windows\system\hccrayw.exe	upx
behavioral1/memory/2764-40-0x000000013F520000-0x000000013F874000-memory.dmp	upx
behavioral1/memory/2892-52-0x000000013F470000-0x000000013F7C4000-memory.dmp	upx
C:\Windows\system\XGorZvQ.exe	upx
C:\Windows\system\HagIcvB.exe	upx
behavioral1/memory/2480-77-0x000000013F690000-0x000000013F9E4000-memory.dmp	upx
behavioral1/memory/2848-87-0x000000013F700000-0x000000013FA54000-memory.dmp	upx
C:\Windows\system\BjkceYV.exe	upx
\Windows\system\ppDuoFo.exe	upx
C:\Windows\system\eMtxoFk.exe	upx
C:\Windows\system\zvWbnKD.exe	upx
C:\Windows\system\HfsCUSe.exe	upx
C:\Windows\system\UclwFBq.exe	upx
behavioral1/memory/2632-95-0x000000013F6F0000-0x000000013FA44000-memory.dmp	upx
C:\Windows\system\hGkFAgR.exe	upx
behavioral1/memory/2832-89-0x000000013F850000-0x000000013FBA4000-memory.dmp	upx
C:\Windows\system\iXgBgWm.exe	upx
C:\Windows\system\sEivhSY.exe	upx
behavioral1/memory/2508-75-0x000000013FA40000-0x000000013FD94000-memory.dmp	upx
behavioral1/memory/2416-70-0x000000013FCA0000-0x000000013FFF4000-memory.dmp	upx
C:\Windows\system\dLZIiaG.exe	upx
behavioral1/memory/2640-64-0x000000013F1C0000-0x000000013F514000-memory.dmp	upx
behavioral1/memory/2732-58-0x000000013F980000-0x000000013FCD4000-memory.dmp	upx
behavioral1/memory/1944-63-0x000000013FB30000-0x000000013FE84000-memory.dmp	upx
behavioral1/memory/2372-57-0x000000013FDF0000-0x0000000140144000-memory.dmp	upx
C:\Windows\system\DwooMaS.exe	upx
behavioral1/memory/2652-46-0x000000013FAE0000-0x000000013FE34000-memory.dmp	upx
C:\Windows\system\KyrrqPq.exe	upx
C:\Windows\system\ZvWLdpk.exe	upx
behavioral1/memory/2892-137-0x000000013F470000-0x000000013F7C4000-memory.dmp	upx
behavioral1/memory/2732-138-0x000000013F980000-0x000000013FCD4000-memory.dmp	upx
behavioral1/memory/2640-140-0x000000013F1C0000-0x000000013F514000-memory.dmp	upx
behavioral1/memory/2416-142-0x000000013FCA0000-0x000000013FFF4000-memory.dmp	upx
behavioral1/memory/2480-144-0x000000013F690000-0x000000013F9E4000-memory.dmp	upx
behavioral1/memory/2684-145-0x000000013F470000-0x000000013F7C4000-memory.dmp	upx
behavioral1/memory/2832-146-0x000000013F850000-0x000000013FBA4000-memory.dmp	upx
behavioral1/memory/1660-148-0x000000013F980000-0x000000013FCD4000-memory.dmp	upx
behavioral1/memory/1944-149-0x000000013FB30000-0x000000013FE84000-memory.dmp	upx
behavioral1/memory/2508-150-0x000000013FA40000-0x000000013FD94000-memory.dmp	upx
behavioral1/memory/2848-151-0x000000013F700000-0x000000013FA54000-memory.dmp	upx
behavioral1/memory/2892-153-0x000000013F470000-0x000000013F7C4000-memory.dmp	upx
behavioral1/memory/2832-156-0x000000013F850000-0x000000013FBA4000-memory.dmp	upx
behavioral1/memory/2480-155-0x000000013F690000-0x000000013F9E4000-memory.dmp	upx
behavioral1/memory/2640-154-0x000000013F1C0000-0x000000013F514000-memory.dmp	upx
behavioral1/memory/2632-157-0x000000013F6F0000-0x000000013FA44000-memory.dmp	upx
behavioral1/memory/2684-160-0x000000013F470000-0x000000013F7C4000-memory.dmp	upx
behavioral1/memory/2732-159-0x000000013F980000-0x000000013FCD4000-memory.dmp	upx
behavioral1/memory/2652-158-0x000000013FAE0000-0x000000013FE34000-memory.dmp	upx
behavioral1/memory/2764-152-0x000000013F520000-0x000000013F874000-memory.dmp	upx
behavioral1/memory/2416-161-0x000000013FCA0000-0x000000013FFF4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\DwooMaS.exe	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HagIcvB.exe	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UclwFBq.exe	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eMtxoFk.exe	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kaJbDCU.exe	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SExfcVm.exe	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sEivhSY.exe	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zvWbnKD.exe	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ppDuoFo.exe	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\THtiXBV.exe	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZzaAFhZ.exe	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KyrrqPq.exe	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XGorZvQ.exe	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hGkFAgR.exe	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BjkceYV.exe	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XTQrhJG.exe	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hccrayw.exe	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZvWLdpk.exe	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dLZIiaG.exe	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iXgBgWm.exe	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HfsCUSe.exe	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 2372 wrote to memory of 1660	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	kaJbDCU.exe
PID 2372 wrote to memory of 1660	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	kaJbDCU.exe
PID 2372 wrote to memory of 1660	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	kaJbDCU.exe
PID 2372 wrote to memory of 1944	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	THtiXBV.exe
PID 2372 wrote to memory of 1944	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	THtiXBV.exe
PID 2372 wrote to memory of 1944	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	THtiXBV.exe
PID 2372 wrote to memory of 2848	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	XTQrhJG.exe
PID 2372 wrote to memory of 2848	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	XTQrhJG.exe
PID 2372 wrote to memory of 2848	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	XTQrhJG.exe
PID 2372 wrote to memory of 2508	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	SExfcVm.exe
PID 2372 wrote to memory of 2508	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	SExfcVm.exe
PID 2372 wrote to memory of 2508	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	SExfcVm.exe
PID 2372 wrote to memory of 2632	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	ZzaAFhZ.exe
PID 2372 wrote to memory of 2632	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	ZzaAFhZ.exe
PID 2372 wrote to memory of 2632	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	ZzaAFhZ.exe
PID 2372 wrote to memory of 2764	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	hccrayw.exe
PID 2372 wrote to memory of 2764	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	hccrayw.exe
PID 2372 wrote to memory of 2764	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	hccrayw.exe
PID 2372 wrote to memory of 2652	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	ZvWLdpk.exe
PID 2372 wrote to memory of 2652	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	ZvWLdpk.exe
PID 2372 wrote to memory of 2652	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	ZvWLdpk.exe
PID 2372 wrote to memory of 2892	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	KyrrqPq.exe
PID 2372 wrote to memory of 2892	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	KyrrqPq.exe
PID 2372 wrote to memory of 2892	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	KyrrqPq.exe
PID 2372 wrote to memory of 2732	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	DwooMaS.exe
PID 2372 wrote to memory of 2732	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	DwooMaS.exe
PID 2372 wrote to memory of 2732	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	DwooMaS.exe
PID 2372 wrote to memory of 2640	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	XGorZvQ.exe
PID 2372 wrote to memory of 2640	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	XGorZvQ.exe
PID 2372 wrote to memory of 2640	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	XGorZvQ.exe
PID 2372 wrote to memory of 2416	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	HagIcvB.exe
PID 2372 wrote to memory of 2416	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	HagIcvB.exe
PID 2372 wrote to memory of 2416	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	HagIcvB.exe
PID 2372 wrote to memory of 2480	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	dLZIiaG.exe
PID 2372 wrote to memory of 2480	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	dLZIiaG.exe
PID 2372 wrote to memory of 2480	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	dLZIiaG.exe
PID 2372 wrote to memory of 2684	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	sEivhSY.exe
PID 2372 wrote to memory of 2684	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	sEivhSY.exe
PID 2372 wrote to memory of 2684	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	sEivhSY.exe
PID 2372 wrote to memory of 2832	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	iXgBgWm.exe
PID 2372 wrote to memory of 2832	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	iXgBgWm.exe
PID 2372 wrote to memory of 2832	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	iXgBgWm.exe
PID 2372 wrote to memory of 1776	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	hGkFAgR.exe
PID 2372 wrote to memory of 1776	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	hGkFAgR.exe
PID 2372 wrote to memory of 1776	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	hGkFAgR.exe
PID 2372 wrote to memory of 1584	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	UclwFBq.exe
PID 2372 wrote to memory of 1584	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	UclwFBq.exe
PID 2372 wrote to memory of 1584	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	UclwFBq.exe
PID 2372 wrote to memory of 1316	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	HfsCUSe.exe
PID 2372 wrote to memory of 1316	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	HfsCUSe.exe
PID 2372 wrote to memory of 1316	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	HfsCUSe.exe
PID 2372 wrote to memory of 2368	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	BjkceYV.exe
PID 2372 wrote to memory of 2368	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	BjkceYV.exe
PID 2372 wrote to memory of 2368	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	BjkceYV.exe
PID 2372 wrote to memory of 1720	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	zvWbnKD.exe
PID 2372 wrote to memory of 1720	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	zvWbnKD.exe
PID 2372 wrote to memory of 1720	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	zvWbnKD.exe
PID 2372 wrote to memory of 1812	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	eMtxoFk.exe
PID 2372 wrote to memory of 1812	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	eMtxoFk.exe
PID 2372 wrote to memory of 1812	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	eMtxoFk.exe
PID 2372 wrote to memory of 1580	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	ppDuoFo.exe
PID 2372 wrote to memory of 1580	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	ppDuoFo.exe
PID 2372 wrote to memory of 1580	2372	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	ppDuoFo.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372

C:\Windows\System\kaJbDCU.exe
C:\Windows\System\kaJbDCU.exe
2⤵
- Executes dropped EXE
PID:1660

C:\Windows\System\THtiXBV.exe
C:\Windows\System\THtiXBV.exe
2⤵
- Executes dropped EXE
PID:1944

C:\Windows\System\XTQrhJG.exe
C:\Windows\System\XTQrhJG.exe
2⤵
- Executes dropped EXE
PID:2848

C:\Windows\System\SExfcVm.exe
C:\Windows\System\SExfcVm.exe
2⤵
- Executes dropped EXE
PID:2508

C:\Windows\System\ZzaAFhZ.exe
C:\Windows\System\ZzaAFhZ.exe
2⤵
- Executes dropped EXE
PID:2632

C:\Windows\System\hccrayw.exe
C:\Windows\System\hccrayw.exe
2⤵
- Executes dropped EXE
PID:2764

C:\Windows\System\ZvWLdpk.exe
C:\Windows\System\ZvWLdpk.exe
2⤵
- Executes dropped EXE
PID:2652

C:\Windows\System\KyrrqPq.exe
C:\Windows\System\KyrrqPq.exe
2⤵
- Executes dropped EXE
PID:2892

C:\Windows\System\DwooMaS.exe
C:\Windows\System\DwooMaS.exe
2⤵
- Executes dropped EXE
PID:2732

C:\Windows\System\XGorZvQ.exe
C:\Windows\System\XGorZvQ.exe
2⤵
- Executes dropped EXE
PID:2640

C:\Windows\System\HagIcvB.exe
C:\Windows\System\HagIcvB.exe
2⤵
- Executes dropped EXE
PID:2416

C:\Windows\System\dLZIiaG.exe
C:\Windows\System\dLZIiaG.exe
2⤵
- Executes dropped EXE
PID:2480

C:\Windows\System\sEivhSY.exe
C:\Windows\System\sEivhSY.exe
2⤵
- Executes dropped EXE
PID:2684

C:\Windows\System\iXgBgWm.exe
C:\Windows\System\iXgBgWm.exe
2⤵
- Executes dropped EXE
PID:2832

C:\Windows\System\hGkFAgR.exe
C:\Windows\System\hGkFAgR.exe
2⤵
- Executes dropped EXE
PID:1776

C:\Windows\System\UclwFBq.exe
C:\Windows\System\UclwFBq.exe
2⤵
- Executes dropped EXE
PID:1584

C:\Windows\System\HfsCUSe.exe
C:\Windows\System\HfsCUSe.exe
2⤵
- Executes dropped EXE
PID:1316

C:\Windows\System\BjkceYV.exe
C:\Windows\System\BjkceYV.exe
2⤵
- Executes dropped EXE
PID:2368

C:\Windows\System\zvWbnKD.exe
C:\Windows\System\zvWbnKD.exe
2⤵
- Executes dropped EXE
PID:1720

C:\Windows\System\eMtxoFk.exe
C:\Windows\System\eMtxoFk.exe
2⤵
- Executes dropped EXE
PID:1812

C:\Windows\System\ppDuoFo.exe
C:\Windows\System\ppDuoFo.exe
2⤵
- Executes dropped EXE
PID:1580

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\BjkceYV.exe
Filesize
5.9MB

MD5
d28eae58f67ff9f871a5fc032a8c8784

SHA1
b851e4409eadb46c08c444918d57301efb16ede1

SHA256
2c9bb3997922871a03dd00554f793ba88bceb9498e2c9060a000cea10a9f1e5d

SHA512
1b2d2704daf31f0b100682ac01b89f09a5d986ca33d5be41420e82fa9774737fb5029340e765d79765bd1a42915d86690121fa0a90e75a1ed73b4af2900a320a

Download Submit
C:\Windows\system\DwooMaS.exe
Filesize
5.9MB

MD5
99bb1e7304c8d40ce47c0bab292e7e65

SHA1
418d58f834f776bafbfc73a43852765124f8cc07

SHA256
f0d645ef39e8bdfac213c41aa17a715b8ba5f85cb48dae8cef989a1a97090bbb

SHA512
ed11cd8073a7da6f6e2f3ef02e4dee11f889b246cb8de7e806ed83856be7075315c47d9cb8f00fb54e720399d25f7bdd5122ce960b568591b6f5ab94fa4feb89

Download Submit
C:\Windows\system\HagIcvB.exe
Filesize
5.9MB

MD5
a3bd86d39a4a6c048a73d6e94532f2f7

SHA1
e78e8f007a7460120adc492a749a0d33f7d14c9a

SHA256
f766f433bb692ce2544d9b17f962b7939195af8c8bb451c406b99451f7efff3c

SHA512
8d3211af76d0af16aa3080c3ca8412ce12b3b5dc7d46330053ff43a684ecd5dd676df4c25a086fa70d35dfbec39f0534a73e1e2b7a273ee4dc9f341381966077

Download Submit
C:\Windows\system\HfsCUSe.exe
Filesize
5.9MB

MD5
9e9e419d6c9ba87cf5d33b9a99c11040

SHA1
f461d5c3bfab31c2073d928643d3a8deb4d21d92

SHA256
4d0b9f8eba2206c9265d8ae5b594f4f7d98890d11075fad78b8b1a63e73cfc63

SHA512
6de6c740c81dae7b33c269e64ec2b51208e22a31c5a25bf89b6436f42bb11eee863b6ef5b0bc55fd1f5c127f388bf324ab4db649d3ee26b80a0f95dca1e24a44

Download Submit
C:\Windows\system\KyrrqPq.exe
Filesize
5.9MB

MD5
8140f808c62739a547349b0d2bfe6ba4

SHA1
5737ba719f6338da45e6ea8231e20bae98ea3d72

SHA256
58c1afcee3ed54636289a606f185328340e57fd2eecb37bbaf5eb4d555d1f72f

SHA512
0719724568d73af84a8a3ba8f5fccf09bcfbbc7a7eb1f552438a6fc502f4a1d793744cc2befb5ae7c1487ce056ce989b21f67f0b28ab7aa99ddc2a35fbf0452a

Download Submit
C:\Windows\system\SExfcVm.exe
Filesize
5.9MB

MD5
006b09e15945a1bf9bc635051bb22459

SHA1
ca78b7ae626c4086b5e24044faa67777afedc24b

SHA256
0fb4528c853282234bebb3c09720f2b5621b9e7834cb3e6c519b4c2291f3cd11

SHA512
dd7ba8ef3c399c147e5fda3c024670f5f7eba2b2d253b42ebc7c6a4fe1abb9ff2b94728a6dd944d0bd52eb9802fa45b5d29d6168a43555862f8a97f50ca2097c

Download Submit
C:\Windows\system\THtiXBV.exe
Filesize
5.9MB

MD5
a6bded2b2cf026cce0bc448e4dd16d1e

SHA1
e6d170d6cdac103779da7998432bd64a8d9179d7

SHA256
68ea70fd2edcec2fa6c5fdcf91817df3ec10cc6b4b3fa5be61389194dc83f28d

SHA512
31a459e0e332a9f5ab797b39d3c1f0766843662fb89156203be0bcb9c6d350dc1ea1263c9f8a64a1aeba99374a7becf21d9e519ed2df1b559ad0dac560dcc13e

Download Submit
C:\Windows\system\UclwFBq.exe
Filesize
5.9MB

MD5
5b7bc1b1d98a1595629ce0a22eea8979

SHA1
e96aa9433eeb77c692657d18c5c3cf01d29aaaa0

SHA256
74f3a17b6a287f15807fff2ce9480d5080032c18d4445f80288ea5aa5f0cd437

SHA512
065b8cfece46e009166936bbddb8f91ebbe2228c3a0f06ed0034be2f17d25768e758c999c8b99e613afb3fdec4a4b24163174c1476d6aed866d22274dcc5ba85

Download Submit
C:\Windows\system\XGorZvQ.exe
Filesize
5.9MB

MD5
c2657242151643f629418b7985ef3aa1

SHA1
54d524900864c643ea84fdac8cf14595402897f4

SHA256
e1f9433b5b676a4679fc4ee2c129ce26e18515825f65daaf5c1d39a666643fdc

SHA512
bfda86b61ad742218ccbdcf89611b30f41c5400d69f47cef73874f33b8f46c325fbd5a01b23ed28dd453e77f95dc5023bf8f35f4aec44d32300dc5ad68269103

Download Submit
C:\Windows\system\ZvWLdpk.exe
Filesize
5.9MB

MD5
fe2ab940cec6ce9df32943b6230bea01

SHA1
acfffd9aa41c92542347960cafa048e2fed087ca

SHA256
7f83917db4acc702fff1256f347eab301cef7fde67e5c70903f36a2f8ec9e6ab

SHA512
8e36f4125a90eae623ae786e13a87f84348a0842179849257f652b79fbb6529e66a3b185a3d8478a4ff97d397401e07761909b22e8d89aa4d6db75574de7c255

Download Submit
C:\Windows\system\ZzaAFhZ.exe
Filesize
5.9MB

MD5
696097a82c4b7510174077b0fc7eef6f

SHA1
ff6e569b81e2176d3664cc99ffa9cb0bb6096f14

SHA256
e2d845880315ee16331ba5f6a4746d3588af1b72d1f71f46832a1058bdf9f4c3

SHA512
ce5a6ce6ae5c9ac2b67bc253440a3224d0b1d42df7a5bfb23e3db4df5cd67e547485d2ff4b01eece6959fdf07e76c0b4512450335fb05bdb7fe4325552b3ec19

Download Submit
C:\Windows\system\dLZIiaG.exe
Filesize
5.9MB

MD5
45f4a2cf393ce82be8de58b310251d8b

SHA1
d89103e1a01962e5fef8b1efa3926c1b7e352781

SHA256
bd4391bfe41ef7658352a679671ee28de5b1e2a1bfcd236edfbd8153b09b35cc

SHA512
b1fb0857c3fedf832618803af396d89b3064a1fd16c901a317e2747fb607e4fe616a82e933000d7a5fc0909a1c7f1be8d7865d064b0f53693aa41edd12bdd58e

Download Submit
C:\Windows\system\eMtxoFk.exe
Filesize
5.9MB

MD5
c95840de56bcb877296e78de6fcdcc40

SHA1
382298d2bd7c472afbee000e8d44e67fd4b6a946

SHA256
189f95cff858b7d72538a7fd210bc333a724382942fc21efc02fd7c101beef98

SHA512
52f451a14f7367b4743fe6af17eb28a37a76f9f93013b65fd60f46310fa191bc9e555aa999e03c52043733d1118b49025003cc092923299aaa14b70c91275faa

Download Submit
C:\Windows\system\hGkFAgR.exe
Filesize
5.9MB

MD5
eb4afa259067f80b63f83e6ce0e36a43

SHA1
44887fa14d21f8ad66da21a3e2a9c85f82885114

SHA256
78affb3aeebc3c3b3e5130a9bec424c40a66d2caee852d4c5f370c12dfe0da6e

SHA512
b12f75110de5b592bcc6bc00436367cff2f4420cdb688837a7f7ccbabf6c0d75807629a73ce61eff73bc622d33ef1a17454d1c16c42be98d35448e6528369582

Download Submit
C:\Windows\system\iXgBgWm.exe
Filesize
5.9MB

MD5
8cfc89d90d240f0ba35942cd048689e0

SHA1
833797eed8e3a76a891596d69a2856d28059de87

SHA256
079088c55663157ac19144c1a83b25ecef96081744987b81fc8bf089253621b9

SHA512
f4bf130cdf24fd66e9969442b1a8acf7319de911b8f74ad636b9dfe201e0dac5dc4b00ec7690e07325b50c4e21077d153f0495fa34088a7c4d56140a5fc15ba9

Download Submit
C:\Windows\system\sEivhSY.exe
Filesize
5.9MB

MD5
23d0d4a8000c41e4c12bc80673cb50cd

SHA1
74970739ee8c6a83a5def587befe1f5c58a81b78

SHA256
75ce04068c844711dc3195085c452afdf4749dec9cfe846a8b80f38b2f3c4389

SHA512
422250da6df5400a834876d6e5e5e2171b1eeea16a6eff5247513834259a3e50ed0703767ffa2822fad4d593b2cdfc7e61404253852773698490478e01e7dbc1

Download Submit
C:\Windows\system\zvWbnKD.exe
Filesize
5.9MB

MD5
1c9e84c5f8cd4b444290a858228d6598

SHA1
be33da5b2d9a0e2630cfe6dc0f39c1692821dc41

SHA256
1dbd461a6be0db03f25146d2d2f7bda9e5341ce918d9117ef6ad3eac535e8e8d

SHA512
e49cbd1bdc89200b439b860daac5cca9ee32e54a49c79ddd1981331bf382b1ed0818180d11e7bf626c54287b02228d6a6c4293d6303f67221c6d9de9b96955fe

Download Submit
\Windows\system\XTQrhJG.exe
Filesize
5.9MB

MD5
0d868ecf46f0f837835c6b22952cc63b

SHA1
7b0ef054a5fad97e37c48e76c2c0c09726873faa

SHA256
bebc6e19750287f017d12d5da843b4272cbf2ecd9301fdf2e5789cdd42c8aa04

SHA512
9f3b07fb76f465614e69865ace79bfe57bca5845b2e9d4b066d8270622bdde4305e562968af321befefc4af6715a6d3185d9ca47a7bc7692a8f80fa145b734f9

Download Submit
\Windows\system\hccrayw.exe
Filesize
5.9MB

MD5
510730e0f2a3018a2e28979d519736f7

SHA1
08d3b7aa7c2fdc583223a5aa52e4376a8ceebf8b

SHA256
b9c315df67d3f39ea1117d10511401ab8ee17b663e14cdff8a469227bcf092bc

SHA512
781b2f57771d8751f22d5ba74ae25f715dba0d0e9c969a69f52dfea92fecb4f219fde17bf6525c378a6031a4001244a416925723fb10a1442093c37f74341fb4

Download Submit
\Windows\system\kaJbDCU.exe
Filesize
5.9MB

MD5
3dfa26f46e7527cc9de8775b60a4e917

SHA1
2e9bf163d29ed186b818d47f4b62e1cd1e27baea

SHA256
6ae5addc435cca3ac14011550bf7c4f651d4dde2ba0e2cc8bb14b3f99b0e5abd

SHA512
18a7b25ed03083942b026a45e89ff7ebff5440169417a214a1996f41269405621f17803d7aed651aab96981bdf3ff9f98ad3e9ade0fa666c5e27a1ea01567f4a

Download Submit
\Windows\system\ppDuoFo.exe
Filesize
5.9MB

MD5
69b6a98c2b2d245c2cce86eb89fd38a6

SHA1
f442af2679f334e655e6aa6d803ba8770408d798

SHA256
f3dceb27fc5a4d0fe0000275f0f6a8cf7ec4559ed0963770758c92e31798d89b

SHA512
e6ff8710212aad3c728fd306344ba0c4b19dfa39ffd6868d95e118c1be110a3799bfe01983008a8a33a9d80156eb637f040def483d551aa9accdc028a380e7cd

Download Submit
memory/1660-16-0x000000013F980000-0x000000013FCD4000-memory.dmp

Filesize
3.3MB

Download
memory/1660-148-0x000000013F980000-0x000000013FCD4000-memory.dmp

Filesize
3.3MB

Download
memory/1944-63-0x000000013FB30000-0x000000013FE84000-memory.dmp

Filesize
3.3MB

Download
memory/1944-20-0x000000013FB30000-0x000000013FE84000-memory.dmp

Filesize
3.3MB

Download
memory/1944-149-0x000000013FB30000-0x000000013FE84000-memory.dmp

Filesize
3.3MB

Download
memory/2372-76-0x000000013F690000-0x000000013F9E4000-memory.dmp

Filesize
3.3MB

Download
memory/2372-7-0x000000013F980000-0x000000013FCD4000-memory.dmp

Filesize
3.3MB

Download
memory/2372-0-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2372-96-0x000000013F410000-0x000000013F764000-memory.dmp

Filesize
3.3MB

Download
memory/2372-147-0x000000013F410000-0x000000013F764000-memory.dmp

Filesize
3.3MB

Download
memory/2372-94-0x000000013F6F0000-0x000000013FA44000-memory.dmp

Filesize
3.3MB

Download
memory/2372-51-0x000000013F470000-0x000000013F7C4000-memory.dmp

Filesize
3.3MB

Download
memory/2372-143-0x000000013F690000-0x000000013F9E4000-memory.dmp

Filesize
3.3MB

Download
memory/2372-88-0x000000013F850000-0x000000013FBA4000-memory.dmp

Filesize
3.3MB

Download
memory/2372-141-0x0000000002360000-0x00000000026B4000-memory.dmp

Filesize
3.3MB

Download
memory/2372-139-0x000000013F1C0000-0x000000013F514000-memory.dmp

Filesize
3.3MB

Download
memory/2372-80-0x000000013F470000-0x000000013F7C4000-memory.dmp

Filesize
3.3MB

Download
memory/2372-2-0x000000013FDF0000-0x0000000140144000-memory.dmp

Filesize
3.3MB

Download
memory/2372-39-0x000000013F520000-0x000000013F874000-memory.dmp

Filesize
3.3MB

Download
memory/2372-23-0x000000013FA40000-0x000000013FD94000-memory.dmp

Filesize
3.3MB

Download
memory/2372-69-0x0000000002360000-0x00000000026B4000-memory.dmp

Filesize
3.3MB

Download
memory/2372-45-0x0000000002360000-0x00000000026B4000-memory.dmp

Filesize
3.3MB

Download
memory/2372-22-0x000000013F700000-0x000000013FA54000-memory.dmp

Filesize
3.3MB

Download
memory/2372-57-0x000000013FDF0000-0x0000000140144000-memory.dmp

Filesize
3.3MB

Download
memory/2416-70-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

Filesize
3.3MB

Download
memory/2416-142-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

Filesize
3.3MB

Download
memory/2416-161-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

Filesize
3.3MB

Download
memory/2480-77-0x000000013F690000-0x000000013F9E4000-memory.dmp

Filesize
3.3MB

Download
memory/2480-144-0x000000013F690000-0x000000013F9E4000-memory.dmp

Filesize
3.3MB

Download
memory/2480-155-0x000000013F690000-0x000000013F9E4000-memory.dmp

Filesize
3.3MB

Download
memory/2508-75-0x000000013FA40000-0x000000013FD94000-memory.dmp

Filesize
3.3MB

Download
memory/2508-26-0x000000013FA40000-0x000000013FD94000-memory.dmp

Filesize
3.3MB

Download
memory/2508-150-0x000000013FA40000-0x000000013FD94000-memory.dmp

Filesize
3.3MB

Download
memory/2632-157-0x000000013F6F0000-0x000000013FA44000-memory.dmp

Filesize
3.3MB

Download
memory/2632-34-0x000000013F6F0000-0x000000013FA44000-memory.dmp

Filesize
3.3MB

Download
memory/2632-95-0x000000013F6F0000-0x000000013FA44000-memory.dmp

Filesize
3.3MB

Download
memory/2640-140-0x000000013F1C0000-0x000000013F514000-memory.dmp

Filesize
3.3MB

Download
memory/2640-154-0x000000013F1C0000-0x000000013F514000-memory.dmp

Filesize
3.3MB

Download
memory/2640-64-0x000000013F1C0000-0x000000013F514000-memory.dmp

Filesize
3.3MB

Download
memory/2652-46-0x000000013FAE0000-0x000000013FE34000-memory.dmp

Filesize
3.3MB

Download
memory/2652-158-0x000000013FAE0000-0x000000013FE34000-memory.dmp

Filesize
3.3MB

Download
memory/2684-160-0x000000013F470000-0x000000013F7C4000-memory.dmp

Filesize
3.3MB

Download
memory/2684-145-0x000000013F470000-0x000000013F7C4000-memory.dmp

Filesize
3.3MB

Download
memory/2732-138-0x000000013F980000-0x000000013FCD4000-memory.dmp

Filesize
3.3MB

Download
memory/2732-58-0x000000013F980000-0x000000013FCD4000-memory.dmp

Filesize
3.3MB

Download
memory/2732-159-0x000000013F980000-0x000000013FCD4000-memory.dmp

Filesize
3.3MB

Download
memory/2764-152-0x000000013F520000-0x000000013F874000-memory.dmp

Filesize
3.3MB

Download
memory/2764-40-0x000000013F520000-0x000000013F874000-memory.dmp

Filesize
3.3MB

Download
memory/2832-146-0x000000013F850000-0x000000013FBA4000-memory.dmp

Filesize
3.3MB

Download
memory/2832-156-0x000000013F850000-0x000000013FBA4000-memory.dmp

Filesize
3.3MB

Download
memory/2832-89-0x000000013F850000-0x000000013FBA4000-memory.dmp

Filesize
3.3MB

Download
memory/2848-151-0x000000013F700000-0x000000013FA54000-memory.dmp

Filesize
3.3MB

Download
memory/2848-28-0x000000013F700000-0x000000013FA54000-memory.dmp

Filesize
3.3MB

Download
memory/2848-87-0x000000013F700000-0x000000013FA54000-memory.dmp

Filesize
3.3MB

Download
memory/2892-153-0x000000013F470000-0x000000013F7C4000-memory.dmp

Filesize
3.3MB

Download
memory/2892-137-0x000000013F470000-0x000000013F7C4000-memory.dmp

Filesize
3.3MB

Download
memory/2892-52-0x000000013F470000-0x000000013F7C4000-memory.dmp

Filesize
3.3MB

Download