cobaltstrike | eb9b61923469bcee5a18282bb4296973d5ace255a66b32ac5950e792b75b10ba

Analysis

max time kernel
142s
max time network
146s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 05:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

721d677ed33ab6f0fb5c8694611d8d25
SHA1

48fb283b383131cf4075ff47e30d3efce4ff7738
SHA256

eb9b61923469bcee5a18282bb4296973d5ace255a66b32ac5950e792b75b10ba
SHA512

2a1e5759f84571388920fdd8f9029c4e259bea1535a75751f91c4e350c6463bfd54e344d75b9dcf943f7641e5da9f59ab0c352c686bdd662c6307534f6acaea1
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUI:Q+856utgpPF8u/7I

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\mpwRZMs.exe	cobalt_reflective_dll
\Windows\system\UkzsSbU.exe	cobalt_reflective_dll
C:\Windows\system\GCoolKQ.exe	cobalt_reflective_dll
\Windows\system\BEWXYsd.exe	cobalt_reflective_dll
C:\Windows\system\oPhgscW.exe	cobalt_reflective_dll
\Windows\system\mLNWrXB.exe	cobalt_reflective_dll
C:\Windows\system\GiHeXrB.exe	cobalt_reflective_dll
C:\Windows\system\urwiPtt.exe	cobalt_reflective_dll
C:\Windows\system\HmkYGNu.exe	cobalt_reflective_dll
\Windows\system\AIkgNHV.exe	cobalt_reflective_dll
C:\Windows\system\sWBBNKb.exe	cobalt_reflective_dll
C:\Windows\system\RVqAzdF.exe	cobalt_reflective_dll
C:\Windows\system\OoyOoRt.exe	cobalt_reflective_dll
C:\Windows\system\WWQKZbM.exe	cobalt_reflective_dll
C:\Windows\system\RnfWDGS.exe	cobalt_reflective_dll
C:\Windows\system\fOngIcp.exe	cobalt_reflective_dll
C:\Windows\system\iDEeojR.exe	cobalt_reflective_dll
C:\Windows\system\RVjcfdM.exe	cobalt_reflective_dll
C:\Windows\system\eIehZtt.exe	cobalt_reflective_dll
C:\Windows\system\MwkRyIJ.exe	cobalt_reflective_dll
C:\Windows\system\QuQaDss.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
\Windows\system\mpwRZMs.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\UkzsSbU.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\GCoolKQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\BEWXYsd.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\oPhgscW.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\mLNWrXB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\GiHeXrB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\urwiPtt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\HmkYGNu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\AIkgNHV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\sWBBNKb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\RVqAzdF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\OoyOoRt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\WWQKZbM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\RnfWDGS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\fOngIcp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\iDEeojR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\RVjcfdM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\eIehZtt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\MwkRyIJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\QuQaDss.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1892-0-0x000000013F460000-0x000000013F7B4000-memory.dmp	UPX
\Windows\system\mpwRZMs.exe	UPX
behavioral1/memory/1892-6-0x0000000002460000-0x00000000027B4000-memory.dmp	UPX
\Windows\system\UkzsSbU.exe	UPX
C:\Windows\system\GCoolKQ.exe	UPX
behavioral1/memory/2496-18-0x000000013F190000-0x000000013F4E4000-memory.dmp	UPX
behavioral1/memory/2528-22-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	UPX
behavioral1/memory/2688-14-0x000000013F6F0000-0x000000013FA44000-memory.dmp	UPX
\Windows\system\BEWXYsd.exe	UPX
behavioral1/memory/2584-30-0x000000013F370000-0x000000013F6C4000-memory.dmp	UPX
C:\Windows\system\oPhgscW.exe	UPX
behavioral1/memory/2304-43-0x000000013F310000-0x000000013F664000-memory.dmp	UPX
\Windows\system\mLNWrXB.exe	UPX
behavioral1/memory/2448-50-0x000000013FC20000-0x000000013FF74000-memory.dmp	UPX
behavioral1/memory/2416-57-0x000000013F2E0000-0x000000013F634000-memory.dmp	UPX
C:\Windows\system\GiHeXrB.exe	UPX
behavioral1/memory/2856-64-0x000000013FC90000-0x000000013FFE4000-memory.dmp	UPX
behavioral1/memory/2864-71-0x000000013FD00000-0x0000000140054000-memory.dmp	UPX
C:\Windows\system\urwiPtt.exe	UPX
behavioral1/memory/2528-85-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	UPX
behavioral1/memory/2640-86-0x000000013F8B0000-0x000000013FC04000-memory.dmp	UPX
C:\Windows\system\HmkYGNu.exe	UPX
\Windows\system\AIkgNHV.exe	UPX
C:\Windows\system\sWBBNKb.exe	UPX
C:\Windows\system\RVqAzdF.exe	UPX
C:\Windows\system\OoyOoRt.exe	UPX
behavioral1/memory/2448-110-0x000000013FC20000-0x000000013FF74000-memory.dmp	UPX
C:\Windows\system\WWQKZbM.exe	UPX
C:\Windows\system\RnfWDGS.exe	UPX
behavioral1/memory/2844-103-0x000000013FBB0000-0x000000013FF04000-memory.dmp	UPX
behavioral1/memory/2304-101-0x000000013F310000-0x000000013F664000-memory.dmp	UPX
C:\Windows\system\fOngIcp.exe	UPX
behavioral1/memory/2820-95-0x000000013F980000-0x000000013FCD4000-memory.dmp	UPX
C:\Windows\system\iDEeojR.exe	UPX
behavioral1/memory/2584-91-0x000000013F370000-0x000000013F6C4000-memory.dmp	UPX
behavioral1/memory/2044-79-0x000000013F630000-0x000000013F984000-memory.dmp	UPX
behavioral1/memory/2496-77-0x000000013F190000-0x000000013F4E4000-memory.dmp	UPX
C:\Windows\system\RVjcfdM.exe	UPX
behavioral1/memory/1892-63-0x000000013F460000-0x000000013F7B4000-memory.dmp	UPX
C:\Windows\system\eIehZtt.exe	UPX
behavioral1/memory/2688-70-0x000000013F6F0000-0x000000013FA44000-memory.dmp	UPX
behavioral1/memory/2856-141-0x000000013FC90000-0x000000013FFE4000-memory.dmp	UPX
C:\Windows\system\MwkRyIJ.exe	UPX
behavioral1/memory/2504-37-0x000000013F1B0000-0x000000013F504000-memory.dmp	UPX
C:\Windows\system\QuQaDss.exe	UPX
behavioral1/memory/2864-142-0x000000013FD00000-0x0000000140054000-memory.dmp	UPX
behavioral1/memory/2044-144-0x000000013F630000-0x000000013F984000-memory.dmp	UPX
behavioral1/memory/2640-146-0x000000013F8B0000-0x000000013FC04000-memory.dmp	UPX
behavioral1/memory/2820-148-0x000000013F980000-0x000000013FCD4000-memory.dmp	UPX
behavioral1/memory/2844-150-0x000000013FBB0000-0x000000013FF04000-memory.dmp	UPX
behavioral1/memory/2688-151-0x000000013F6F0000-0x000000013FA44000-memory.dmp	UPX
behavioral1/memory/2496-152-0x000000013F190000-0x000000013F4E4000-memory.dmp	UPX
behavioral1/memory/2584-153-0x000000013F370000-0x000000013F6C4000-memory.dmp	UPX
behavioral1/memory/2528-154-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	UPX
behavioral1/memory/2504-155-0x000000013F1B0000-0x000000013F504000-memory.dmp	UPX
behavioral1/memory/2304-156-0x000000013F310000-0x000000013F664000-memory.dmp	UPX
behavioral1/memory/2416-157-0x000000013F2E0000-0x000000013F634000-memory.dmp	UPX
behavioral1/memory/2448-158-0x000000013FC20000-0x000000013FF74000-memory.dmp	UPX
behavioral1/memory/2856-159-0x000000013FC90000-0x000000013FFE4000-memory.dmp	UPX
behavioral1/memory/2864-160-0x000000013FD00000-0x0000000140054000-memory.dmp	UPX
behavioral1/memory/2044-161-0x000000013F630000-0x000000013F984000-memory.dmp	UPX
behavioral1/memory/2640-162-0x000000013F8B0000-0x000000013FC04000-memory.dmp	UPX
behavioral1/memory/2820-163-0x000000013F980000-0x000000013FCD4000-memory.dmp	UPX
behavioral1/memory/2844-164-0x000000013FBB0000-0x000000013FF04000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1892-0-0x000000013F460000-0x000000013F7B4000-memory.dmp	xmrig
\Windows\system\mpwRZMs.exe	xmrig
behavioral1/memory/1892-6-0x0000000002460000-0x00000000027B4000-memory.dmp	xmrig
\Windows\system\UkzsSbU.exe	xmrig
C:\Windows\system\GCoolKQ.exe	xmrig
behavioral1/memory/2496-18-0x000000013F190000-0x000000013F4E4000-memory.dmp	xmrig
behavioral1/memory/2528-22-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	xmrig
behavioral1/memory/2688-14-0x000000013F6F0000-0x000000013FA44000-memory.dmp	xmrig
\Windows\system\BEWXYsd.exe	xmrig
behavioral1/memory/2584-30-0x000000013F370000-0x000000013F6C4000-memory.dmp	xmrig
C:\Windows\system\oPhgscW.exe	xmrig
behavioral1/memory/2304-43-0x000000013F310000-0x000000013F664000-memory.dmp	xmrig
\Windows\system\mLNWrXB.exe	xmrig
behavioral1/memory/2448-50-0x000000013FC20000-0x000000013FF74000-memory.dmp	xmrig
behavioral1/memory/2416-57-0x000000013F2E0000-0x000000013F634000-memory.dmp	xmrig
C:\Windows\system\GiHeXrB.exe	xmrig
behavioral1/memory/2856-64-0x000000013FC90000-0x000000013FFE4000-memory.dmp	xmrig
behavioral1/memory/2864-71-0x000000013FD00000-0x0000000140054000-memory.dmp	xmrig
C:\Windows\system\urwiPtt.exe	xmrig
behavioral1/memory/2528-85-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	xmrig
behavioral1/memory/2640-86-0x000000013F8B0000-0x000000013FC04000-memory.dmp	xmrig
C:\Windows\system\HmkYGNu.exe	xmrig
\Windows\system\AIkgNHV.exe	xmrig
C:\Windows\system\sWBBNKb.exe	xmrig
C:\Windows\system\RVqAzdF.exe	xmrig
C:\Windows\system\OoyOoRt.exe	xmrig
behavioral1/memory/2448-110-0x000000013FC20000-0x000000013FF74000-memory.dmp	xmrig
C:\Windows\system\WWQKZbM.exe	xmrig
C:\Windows\system\RnfWDGS.exe	xmrig
behavioral1/memory/2844-103-0x000000013FBB0000-0x000000013FF04000-memory.dmp	xmrig
behavioral1/memory/2304-101-0x000000013F310000-0x000000013F664000-memory.dmp	xmrig
C:\Windows\system\fOngIcp.exe	xmrig
behavioral1/memory/2820-95-0x000000013F980000-0x000000013FCD4000-memory.dmp	xmrig
C:\Windows\system\iDEeojR.exe	xmrig
behavioral1/memory/2584-91-0x000000013F370000-0x000000013F6C4000-memory.dmp	xmrig
behavioral1/memory/2044-79-0x000000013F630000-0x000000013F984000-memory.dmp	xmrig
behavioral1/memory/2496-77-0x000000013F190000-0x000000013F4E4000-memory.dmp	xmrig
C:\Windows\system\RVjcfdM.exe	xmrig
behavioral1/memory/1892-63-0x000000013F460000-0x000000013F7B4000-memory.dmp	xmrig
C:\Windows\system\eIehZtt.exe	xmrig
behavioral1/memory/2688-70-0x000000013F6F0000-0x000000013FA44000-memory.dmp	xmrig
behavioral1/memory/2856-141-0x000000013FC90000-0x000000013FFE4000-memory.dmp	xmrig
C:\Windows\system\MwkRyIJ.exe	xmrig
behavioral1/memory/2504-37-0x000000013F1B0000-0x000000013F504000-memory.dmp	xmrig
C:\Windows\system\QuQaDss.exe	xmrig
behavioral1/memory/2864-142-0x000000013FD00000-0x0000000140054000-memory.dmp	xmrig
behavioral1/memory/2044-144-0x000000013F630000-0x000000013F984000-memory.dmp	xmrig
behavioral1/memory/2640-146-0x000000013F8B0000-0x000000013FC04000-memory.dmp	xmrig
behavioral1/memory/2820-148-0x000000013F980000-0x000000013FCD4000-memory.dmp	xmrig
behavioral1/memory/2844-150-0x000000013FBB0000-0x000000013FF04000-memory.dmp	xmrig
behavioral1/memory/2688-151-0x000000013F6F0000-0x000000013FA44000-memory.dmp	xmrig
behavioral1/memory/2496-152-0x000000013F190000-0x000000013F4E4000-memory.dmp	xmrig
behavioral1/memory/2584-153-0x000000013F370000-0x000000013F6C4000-memory.dmp	xmrig
behavioral1/memory/2528-154-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	xmrig
behavioral1/memory/2504-155-0x000000013F1B0000-0x000000013F504000-memory.dmp	xmrig
behavioral1/memory/2304-156-0x000000013F310000-0x000000013F664000-memory.dmp	xmrig
behavioral1/memory/2416-157-0x000000013F2E0000-0x000000013F634000-memory.dmp	xmrig
behavioral1/memory/2448-158-0x000000013FC20000-0x000000013FF74000-memory.dmp	xmrig
behavioral1/memory/2856-159-0x000000013FC90000-0x000000013FFE4000-memory.dmp	xmrig
behavioral1/memory/2864-160-0x000000013FD00000-0x0000000140054000-memory.dmp	xmrig
behavioral1/memory/2044-161-0x000000013F630000-0x000000013F984000-memory.dmp	xmrig
behavioral1/memory/2640-162-0x000000013F8B0000-0x000000013FC04000-memory.dmp	xmrig
behavioral1/memory/2820-163-0x000000013F980000-0x000000013FCD4000-memory.dmp	xmrig
behavioral1/memory/2844-164-0x000000013FBB0000-0x000000013FF04000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

mpwRZMs.exeUkzsSbU.exeGCoolKQ.exeBEWXYsd.exeQuQaDss.exeoPhgscW.exemLNWrXB.exeMwkRyIJ.exeeIehZtt.exeGiHeXrB.exeurwiPtt.exeRVjcfdM.exeiDEeojR.exefOngIcp.exeWWQKZbM.exeRnfWDGS.exeRVqAzdF.exeOoyOoRt.exeHmkYGNu.exesWBBNKb.exeAIkgNHV.exe

pid	process
2688	mpwRZMs.exe
2496	UkzsSbU.exe
2528	GCoolKQ.exe
2584	BEWXYsd.exe
2504	QuQaDss.exe
2304	oPhgscW.exe
2448	mLNWrXB.exe
2416	MwkRyIJ.exe
2856	eIehZtt.exe
2864	GiHeXrB.exe
2044	urwiPtt.exe
2640	RVjcfdM.exe
2820	iDEeojR.exe
2844	fOngIcp.exe
1748	WWQKZbM.exe
2276	RnfWDGS.exe
328	RVqAzdF.exe
2176	OoyOoRt.exe
1260	HmkYGNu.exe
2872	sWBBNKb.exe
2840	AIkgNHV.exe

Loads dropped DLL 21 IoCs

Processes:

2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe

pid	process
1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1892-0-0x000000013F460000-0x000000013F7B4000-memory.dmp	upx
\Windows\system\mpwRZMs.exe	upx
behavioral1/memory/1892-6-0x0000000002460000-0x00000000027B4000-memory.dmp	upx
\Windows\system\UkzsSbU.exe	upx
C:\Windows\system\GCoolKQ.exe	upx
behavioral1/memory/2496-18-0x000000013F190000-0x000000013F4E4000-memory.dmp	upx
behavioral1/memory/2528-22-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	upx
behavioral1/memory/2688-14-0x000000013F6F0000-0x000000013FA44000-memory.dmp	upx
\Windows\system\BEWXYsd.exe	upx
behavioral1/memory/2584-30-0x000000013F370000-0x000000013F6C4000-memory.dmp	upx
C:\Windows\system\oPhgscW.exe	upx
behavioral1/memory/2304-43-0x000000013F310000-0x000000013F664000-memory.dmp	upx
\Windows\system\mLNWrXB.exe	upx
behavioral1/memory/2448-50-0x000000013FC20000-0x000000013FF74000-memory.dmp	upx
behavioral1/memory/2416-57-0x000000013F2E0000-0x000000013F634000-memory.dmp	upx
C:\Windows\system\GiHeXrB.exe	upx
behavioral1/memory/2856-64-0x000000013FC90000-0x000000013FFE4000-memory.dmp	upx
behavioral1/memory/2864-71-0x000000013FD00000-0x0000000140054000-memory.dmp	upx
C:\Windows\system\urwiPtt.exe	upx
behavioral1/memory/2528-85-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	upx
behavioral1/memory/2640-86-0x000000013F8B0000-0x000000013FC04000-memory.dmp	upx
C:\Windows\system\HmkYGNu.exe	upx
\Windows\system\AIkgNHV.exe	upx
C:\Windows\system\sWBBNKb.exe	upx
C:\Windows\system\RVqAzdF.exe	upx
C:\Windows\system\OoyOoRt.exe	upx
behavioral1/memory/2448-110-0x000000013FC20000-0x000000013FF74000-memory.dmp	upx
C:\Windows\system\WWQKZbM.exe	upx
C:\Windows\system\RnfWDGS.exe	upx
behavioral1/memory/2844-103-0x000000013FBB0000-0x000000013FF04000-memory.dmp	upx
behavioral1/memory/2304-101-0x000000013F310000-0x000000013F664000-memory.dmp	upx
C:\Windows\system\fOngIcp.exe	upx
behavioral1/memory/2820-95-0x000000013F980000-0x000000013FCD4000-memory.dmp	upx
C:\Windows\system\iDEeojR.exe	upx
behavioral1/memory/2584-91-0x000000013F370000-0x000000013F6C4000-memory.dmp	upx
behavioral1/memory/2044-79-0x000000013F630000-0x000000013F984000-memory.dmp	upx
behavioral1/memory/2496-77-0x000000013F190000-0x000000013F4E4000-memory.dmp	upx
C:\Windows\system\RVjcfdM.exe	upx
behavioral1/memory/1892-63-0x000000013F460000-0x000000013F7B4000-memory.dmp	upx
C:\Windows\system\eIehZtt.exe	upx
behavioral1/memory/2688-70-0x000000013F6F0000-0x000000013FA44000-memory.dmp	upx
behavioral1/memory/2856-141-0x000000013FC90000-0x000000013FFE4000-memory.dmp	upx
C:\Windows\system\MwkRyIJ.exe	upx
behavioral1/memory/2504-37-0x000000013F1B0000-0x000000013F504000-memory.dmp	upx
C:\Windows\system\QuQaDss.exe	upx
behavioral1/memory/2864-142-0x000000013FD00000-0x0000000140054000-memory.dmp	upx
behavioral1/memory/2044-144-0x000000013F630000-0x000000013F984000-memory.dmp	upx
behavioral1/memory/2640-146-0x000000013F8B0000-0x000000013FC04000-memory.dmp	upx
behavioral1/memory/2820-148-0x000000013F980000-0x000000013FCD4000-memory.dmp	upx
behavioral1/memory/2844-150-0x000000013FBB0000-0x000000013FF04000-memory.dmp	upx
behavioral1/memory/2688-151-0x000000013F6F0000-0x000000013FA44000-memory.dmp	upx
behavioral1/memory/2496-152-0x000000013F190000-0x000000013F4E4000-memory.dmp	upx
behavioral1/memory/2584-153-0x000000013F370000-0x000000013F6C4000-memory.dmp	upx
behavioral1/memory/2528-154-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	upx
behavioral1/memory/2504-155-0x000000013F1B0000-0x000000013F504000-memory.dmp	upx
behavioral1/memory/2304-156-0x000000013F310000-0x000000013F664000-memory.dmp	upx
behavioral1/memory/2416-157-0x000000013F2E0000-0x000000013F634000-memory.dmp	upx
behavioral1/memory/2448-158-0x000000013FC20000-0x000000013FF74000-memory.dmp	upx
behavioral1/memory/2856-159-0x000000013FC90000-0x000000013FFE4000-memory.dmp	upx
behavioral1/memory/2864-160-0x000000013FD00000-0x0000000140054000-memory.dmp	upx
behavioral1/memory/2044-161-0x000000013F630000-0x000000013F984000-memory.dmp	upx
behavioral1/memory/2640-162-0x000000013F8B0000-0x000000013FC04000-memory.dmp	upx
behavioral1/memory/2820-163-0x000000013F980000-0x000000013FCD4000-memory.dmp	upx
behavioral1/memory/2844-164-0x000000013FBB0000-0x000000013FF04000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\MwkRyIJ.exe	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fOngIcp.exe	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WWQKZbM.exe	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RnfWDGS.exe	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UkzsSbU.exe	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BEWXYsd.exe	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RVqAzdF.exe	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sWBBNKb.exe	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AIkgNHV.exe	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QuQaDss.exe	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oPhgscW.exe	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\urwiPtt.exe	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OoyOoRt.exe	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HmkYGNu.exe	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mLNWrXB.exe	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eIehZtt.exe	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GiHeXrB.exe	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RVjcfdM.exe	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iDEeojR.exe	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mpwRZMs.exe	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GCoolKQ.exe	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 1892 wrote to memory of 2688	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	mpwRZMs.exe
PID 1892 wrote to memory of 2688	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	mpwRZMs.exe
PID 1892 wrote to memory of 2688	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	mpwRZMs.exe
PID 1892 wrote to memory of 2496	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	UkzsSbU.exe
PID 1892 wrote to memory of 2496	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	UkzsSbU.exe
PID 1892 wrote to memory of 2496	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	UkzsSbU.exe
PID 1892 wrote to memory of 2528	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	GCoolKQ.exe
PID 1892 wrote to memory of 2528	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	GCoolKQ.exe
PID 1892 wrote to memory of 2528	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	GCoolKQ.exe
PID 1892 wrote to memory of 2584	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	BEWXYsd.exe
PID 1892 wrote to memory of 2584	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	BEWXYsd.exe
PID 1892 wrote to memory of 2584	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	BEWXYsd.exe
PID 1892 wrote to memory of 2504	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	QuQaDss.exe
PID 1892 wrote to memory of 2504	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	QuQaDss.exe
PID 1892 wrote to memory of 2504	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	QuQaDss.exe
PID 1892 wrote to memory of 2304	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	oPhgscW.exe
PID 1892 wrote to memory of 2304	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	oPhgscW.exe
PID 1892 wrote to memory of 2304	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	oPhgscW.exe
PID 1892 wrote to memory of 2448	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	mLNWrXB.exe
PID 1892 wrote to memory of 2448	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	mLNWrXB.exe
PID 1892 wrote to memory of 2448	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	mLNWrXB.exe
PID 1892 wrote to memory of 2416	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	MwkRyIJ.exe
PID 1892 wrote to memory of 2416	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	MwkRyIJ.exe
PID 1892 wrote to memory of 2416	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	MwkRyIJ.exe
PID 1892 wrote to memory of 2856	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	eIehZtt.exe
PID 1892 wrote to memory of 2856	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	eIehZtt.exe
PID 1892 wrote to memory of 2856	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	eIehZtt.exe
PID 1892 wrote to memory of 2864	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	GiHeXrB.exe
PID 1892 wrote to memory of 2864	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	GiHeXrB.exe
PID 1892 wrote to memory of 2864	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	GiHeXrB.exe
PID 1892 wrote to memory of 2044	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	urwiPtt.exe
PID 1892 wrote to memory of 2044	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	urwiPtt.exe
PID 1892 wrote to memory of 2044	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	urwiPtt.exe
PID 1892 wrote to memory of 2640	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	RVjcfdM.exe
PID 1892 wrote to memory of 2640	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	RVjcfdM.exe
PID 1892 wrote to memory of 2640	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	RVjcfdM.exe
PID 1892 wrote to memory of 2820	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	iDEeojR.exe
PID 1892 wrote to memory of 2820	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	iDEeojR.exe
PID 1892 wrote to memory of 2820	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	iDEeojR.exe
PID 1892 wrote to memory of 2844	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	fOngIcp.exe
PID 1892 wrote to memory of 2844	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	fOngIcp.exe
PID 1892 wrote to memory of 2844	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	fOngIcp.exe
PID 1892 wrote to memory of 1748	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	WWQKZbM.exe
PID 1892 wrote to memory of 1748	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	WWQKZbM.exe
PID 1892 wrote to memory of 1748	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	WWQKZbM.exe
PID 1892 wrote to memory of 2276	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	RnfWDGS.exe
PID 1892 wrote to memory of 2276	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	RnfWDGS.exe
PID 1892 wrote to memory of 2276	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	RnfWDGS.exe
PID 1892 wrote to memory of 328	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	RVqAzdF.exe
PID 1892 wrote to memory of 328	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	RVqAzdF.exe
PID 1892 wrote to memory of 328	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	RVqAzdF.exe
PID 1892 wrote to memory of 2176	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	OoyOoRt.exe
PID 1892 wrote to memory of 2176	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	OoyOoRt.exe
PID 1892 wrote to memory of 2176	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	OoyOoRt.exe
PID 1892 wrote to memory of 1260	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	HmkYGNu.exe
PID 1892 wrote to memory of 1260	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	HmkYGNu.exe
PID 1892 wrote to memory of 1260	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	HmkYGNu.exe
PID 1892 wrote to memory of 2872	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	sWBBNKb.exe
PID 1892 wrote to memory of 2872	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	sWBBNKb.exe
PID 1892 wrote to memory of 2872	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	sWBBNKb.exe
PID 1892 wrote to memory of 2840	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	AIkgNHV.exe
PID 1892 wrote to memory of 2840	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	AIkgNHV.exe
PID 1892 wrote to memory of 2840	1892	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	AIkgNHV.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1892

C:\Windows\System\mpwRZMs.exe
C:\Windows\System\mpwRZMs.exe
2⤵
- Executes dropped EXE
PID:2688

C:\Windows\System\UkzsSbU.exe
C:\Windows\System\UkzsSbU.exe
2⤵
- Executes dropped EXE
PID:2496

C:\Windows\System\GCoolKQ.exe
C:\Windows\System\GCoolKQ.exe
2⤵
- Executes dropped EXE
PID:2528

C:\Windows\System\BEWXYsd.exe
C:\Windows\System\BEWXYsd.exe
2⤵
- Executes dropped EXE
PID:2584

C:\Windows\System\QuQaDss.exe
C:\Windows\System\QuQaDss.exe
2⤵
- Executes dropped EXE
PID:2504

C:\Windows\System\oPhgscW.exe
C:\Windows\System\oPhgscW.exe
2⤵
- Executes dropped EXE
PID:2304

C:\Windows\System\mLNWrXB.exe
C:\Windows\System\mLNWrXB.exe
2⤵
- Executes dropped EXE
PID:2448

C:\Windows\System\MwkRyIJ.exe
C:\Windows\System\MwkRyIJ.exe
2⤵
- Executes dropped EXE
PID:2416

C:\Windows\System\eIehZtt.exe
C:\Windows\System\eIehZtt.exe
2⤵
- Executes dropped EXE
PID:2856

C:\Windows\System\GiHeXrB.exe
C:\Windows\System\GiHeXrB.exe
2⤵
- Executes dropped EXE
PID:2864

C:\Windows\System\urwiPtt.exe
C:\Windows\System\urwiPtt.exe
2⤵
- Executes dropped EXE
PID:2044

C:\Windows\System\RVjcfdM.exe
C:\Windows\System\RVjcfdM.exe
2⤵
- Executes dropped EXE
PID:2640

C:\Windows\System\iDEeojR.exe
C:\Windows\System\iDEeojR.exe
2⤵
- Executes dropped EXE
PID:2820

C:\Windows\System\fOngIcp.exe
C:\Windows\System\fOngIcp.exe
2⤵
- Executes dropped EXE
PID:2844

C:\Windows\System\WWQKZbM.exe
C:\Windows\System\WWQKZbM.exe
2⤵
- Executes dropped EXE
PID:1748

C:\Windows\System\RnfWDGS.exe
C:\Windows\System\RnfWDGS.exe
2⤵
- Executes dropped EXE
PID:2276

C:\Windows\System\RVqAzdF.exe
C:\Windows\System\RVqAzdF.exe
2⤵
- Executes dropped EXE
PID:328

C:\Windows\System\OoyOoRt.exe
C:\Windows\System\OoyOoRt.exe
2⤵
- Executes dropped EXE
PID:2176

C:\Windows\System\HmkYGNu.exe
C:\Windows\System\HmkYGNu.exe
2⤵
- Executes dropped EXE
PID:1260

C:\Windows\System\sWBBNKb.exe
C:\Windows\System\sWBBNKb.exe
2⤵
- Executes dropped EXE
PID:2872

C:\Windows\System\AIkgNHV.exe
C:\Windows\System\AIkgNHV.exe
2⤵
- Executes dropped EXE
PID:2840

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\GCoolKQ.exe
Filesize
5.9MB

MD5
d8fb333cd9cfc3504bcbfe3c37e49d5a

SHA1
16c42ab51f859dfbd3908893475596360a807832

SHA256
fb6dbc05fd0abe6c320ca66dcce388408f696b9c0887150d83d06f3d0f197869

SHA512
8c884a35404886339c392fbe3748c8ea6bf58fc76e3ae8b035e2e3ecf29f72c9973f7e7716b210bd42e88813863364eaca7babb32cf28674d62c06d3bcaeb982

Download Submit
C:\Windows\system\GiHeXrB.exe
Filesize
5.9MB

MD5
0ee3d7794e3e26ff326f0757967709cb

SHA1
40a8b2484d15b419f57b4b267c4633e95bd73d9d

SHA256
b55270a21c0947d24ff2e6552772b0c4702fa805b06cac225e7913afb51adabd

SHA512
72326fbeaad3d9b20f7632b3b801fc92f2172347440959b6e09d6d5c05faebd2b08a4534cdc514516bbcf4bc7701d16de595cb694a72a5652afdd501a4e15d9a

Download Submit
C:\Windows\system\HmkYGNu.exe
Filesize
5.9MB

MD5
dbf9adc8ed242f1dcea5c4d61fabbff3

SHA1
47350a33ed2dfb4b0779c579153c0b10cec1165e

SHA256
72c0536f66e7bd859409d5ff773c09020a46f91de344165645a1970446c42853

SHA512
57dac34a63453558f52d4fd8d4ebf82b7fe92b69d35a46c7bb3af46580483b2d8675a5df4438c93dfaad30dabe5f88197ef4442cf6bc9d24e628bb995f291f59

Download Submit
C:\Windows\system\MwkRyIJ.exe
Filesize
5.9MB

MD5
e7d41265dc6d65a8713301ea99b88b75

SHA1
2bd77852ec265980ec3bdd565a38698415b2071f

SHA256
cf417f49ff41bc7cbdfdb5c7bc64f23641e32343195bdc5923215df8a49278b5

SHA512
48cf3c7a35743800d1a85480dcfe642e0cb2c46a5bc1ca85b68479be9c829d982ca534678eb431c75d4ca3db1e33062ad193385345556caca8d740a636f26bc7

Download Submit
C:\Windows\system\OoyOoRt.exe
Filesize
5.9MB

MD5
87064d32aca9d90ed5fedcf5af111323

SHA1
fe8a8ae67116623ae1d76d325bf8768a1f8972e3

SHA256
f39e4b6e0cf9dda0d51de0d963a629c5f6f45842d4c5bdd0a1e9a486b757de6c

SHA512
a72e0efd1158edbc79506ae142a3c1fb97b97fc6add1acb4cd2f0c26d66343dd5b894bf6f083466faf1effa1610c38f255914b5b8519297cbef17fb0241c0d4d

Download Submit
C:\Windows\system\QuQaDss.exe
Filesize
5.9MB

MD5
724a6ad0ffa10fa594d97db56340994e

SHA1
47fcef88f7398c941f86166708edb52e408ac48e

SHA256
86fd7dfd4073a033165cf8c5fe19a059dbbfad5d877b18c6738d4a1266c2492c

SHA512
235631c9060cd364cf88d3ecdb0571a0182c6fae2b3921060f80e87d342d4359fc7d25e922235264c75666aa9ad81dbb6f2cadab7acb2d254f2f5806bc36f47c

Download Submit
C:\Windows\system\RVjcfdM.exe
Filesize
5.9MB

MD5
0b1c25445faa4e3b67aa59426ed32af3

SHA1
12329ed97ad95397468a3e4f2a856d300beb3ed8

SHA256
ebdeae83f2bb3f6fa5f7cd9bf270da030bb411bf9551750b20d061ea99f332b4

SHA512
98310f05efb9e569ba67298ef9bb2f2e27d78a91e473c1ebd05a05a7ae78f908e61de19cf49b99e20e724a3c7deeef546280bce3a23411dec1c1fe19829a099b

Download Submit
C:\Windows\system\RVqAzdF.exe
Filesize
5.9MB

MD5
37877a78701dfd88f102ae855e1389c6

SHA1
6cd99893e5fa7603c7fe84764197583873cfe8d1

SHA256
e5c85921b1cd91eaefaa61fd75d3da225fef65b22bacc7ea6e93576ff9e32492

SHA512
6796ca3ca868e0acaa95e732027c19bd014bc4f359023304209210206db171bfb7d97db4d9da96eee832084351fc0637cd014a410039be7e94f02bca0fcde9c5

Download Submit
C:\Windows\system\RnfWDGS.exe
Filesize
5.9MB

MD5
ac016a56da1d3c84f1ba915f83eda7ad

SHA1
394716bfac93c65deeb7f3fe27e97c780873cde3

SHA256
26cd96776f728ca0fb8848899b9faf47fad7fc483735e8ee0009c882897a538c

SHA512
aa55873ad216ff76afd3934dae02d83898a652315212ec222804a5350179e2ef8051646209ad0757b482f873b462e274ef4e582f95c01478a43826ae09eef23e

Download Submit
C:\Windows\system\WWQKZbM.exe
Filesize
5.9MB

MD5
20c18f48e3e6bd035c0b39cb652aa573

SHA1
be8719c8a32279471acc54aaf39ea3f467749295

SHA256
3ff0a4f3ecc9fbc307967efa6d2d976c29db5a74dc3cf8ecc85bfca58cbf64ea

SHA512
7d79c13a0b89ddbd4c3b9c879a55d488aa0d4c459834108819a6c1066cfa0439388ff49461a3f2e67b1d6e9a894a0fccc396c6e30a8f19f437d21131b99ff3c8

Download Submit
C:\Windows\system\eIehZtt.exe
Filesize
5.9MB

MD5
e4c88cd9544e9b194272843083d9a94c

SHA1
44c5c05eee6997672a46bd90b4dc31823548f6a5

SHA256
017b0b825cdb4171f881aedf1e2d949595cf971e2dbb09861a6ee3ad22fe9011

SHA512
c059f7f5945b2288c1249c7ef976198b96868b812dce59e0072fa1589aade1376b8ebb17ce4b0b7ab84df0825f81b0f4422d9dbf83cf559c15d1b3bbbbc30c5c

Download Submit
C:\Windows\system\fOngIcp.exe
Filesize
5.9MB

MD5
2e7b007c55c9f0200350231925815a58

SHA1
6eaa0b720c9bcb23d7c60df58d9a5dc4be4c5673

SHA256
0ec5e9be123e9c4b94e6efeeda1468b4368b802674bafcc74731a7b6c8f0c46a

SHA512
135561b9a66d58caeffb337d2b1fc046039339ef84c2ead7b2c62a09110c29e78e8b903473c7e1b75fd5b81b7316d793555bd3df934bf69399b09eefbe0d394f

Download Submit
C:\Windows\system\iDEeojR.exe
Filesize
5.9MB

MD5
1fb6b2df3a71873e11ebf8faaec8b2f2

SHA1
73426c2099627f606904c9709d1a7143f626f6c2

SHA256
61d21930eae744dd810cd6260155391bf8bfddc484342e4f75c4503184c91f41

SHA512
2bec0a4351e9f9b8d6e5507af7f0e5ebe3830ee5e6c1eaddb9fea5544d3f09b9da24ddbe9fac2d4d01a9d6aad7cc48a151bc26a7c4ded0d16a40a5763840fa64

Download Submit
C:\Windows\system\oPhgscW.exe
Filesize
5.9MB

MD5
ffca5baeb63f9850c7ba81f124ed6bfe

SHA1
c565a269938b16880e238debb8ffdf6794e1190b

SHA256
da6b0e67d94a5d1a9be9814e0419f7a4626f23c540539f6a468dc52d51955f1e

SHA512
dd0eaa481bf907fb7593cfbfffaf2ae1d7167ac6b06fcbc199f6313ec37bfffbd4ce3453978e6f6f0f643aabc207bdde63b93488f2e90318717f44cf1a8998c8

Download Submit
C:\Windows\system\sWBBNKb.exe
Filesize
5.9MB

MD5
f1dd038708574da93481aa4c79d1b8f8

SHA1
59c53b9b5abf79c7b55fccfa557f19e8ba84aa89

SHA256
0f27ed1a2edab13c474b1ffb6f1f25c1407365ca6e63a14df2c167f9abd4305a

SHA512
49e1c5194d214dba68979f4b024374fa3b7e2b3a88c14163dcd417cd1c63deb85b43805d21dd39202774375e65e80639a44e4dd62977416247ea6b5e4b513a47

Download Submit
C:\Windows\system\urwiPtt.exe
Filesize
5.9MB

MD5
daba168571df35a33b7a4563e3df4249

SHA1
32c77aac422afd5551ad02c86e49bd9cad018068

SHA256
4e005c434aef0bc5848b515110b7dc646c69d5d58bfda24751bbc1ec7b47b678

SHA512
d5b9b9cb477e2b1cb81f128c37073ee18598c7dee03f68b71992a0b78116ab65e37381f803f2d74f6e9994e873dfe3a37be8243a8fe361c05dcc60b5077d37b4

Download Submit
\Windows\system\AIkgNHV.exe
Filesize
5.9MB

MD5
d0d0c2a44857bbf8d6d1808951146480

SHA1
e112a82f4e27e2e7a80881e0ae8e75f0fab22cf3

SHA256
b6e7b85fb921fb04dd58871f4079680a02ceb7e7b2607d9ce99036b011458435

SHA512
c5a1497428fc0c528bda13a9053a6955cde247c53cd6f7396399efa84cae4640d9b9d0d13502b230b4e45d794d7bdf470a1d623c04be37fffbaa4b7bce263011

Download Submit
\Windows\system\BEWXYsd.exe
Filesize
5.9MB

MD5
8b734510f3c58fdcba1ba3589d927304

SHA1
e0f5951d09d338055a0909a7e33fef030031b97f

SHA256
7f94ffcacea9c68e7fd79a774617bb122c6e27399a6e8faaeb271adc0de55167

SHA512
f6a0f9709b594312a927a501483ac717ba07735167dba7a7c603d8fadd442618b804e8c7426c65634fa564a02ad84174051b541fec3afd62ca1fb5d62b9eb5bf

Download Submit
\Windows\system\UkzsSbU.exe
Filesize
5.9MB

MD5
b2e12922c3fa24a472c2612e2fd7c57d

SHA1
20a3e85068b1537daeb475531a93bd3d23c1f5d5

SHA256
6cfcdf393aa441f93cfeef91cabcfe745712fce72ecf52a50bc1de9f61b4d230

SHA512
48af392ffbe2de41508c41f7e7a2a58d402ff99aa193a723354f4bdea99a1c96f42eef1fa448ac09a92f9fbc3b3e5974ef1de9ef9a84b6a6732d0478ca193f55

Download Submit
\Windows\system\mLNWrXB.exe
Filesize
5.9MB

MD5
5ab2f956342af23a30264f5120d6b0f1

SHA1
2f9a74729b0b69250ebfcd35364792e75f3cc6b2

SHA256
8a39f3c768999a00142136681e769d8c83d663c08d6df96ff678fc1f38905f56

SHA512
df8b7e944b95f102d390b3a81413aa59ad91c02a54b28ea9442b7a111220406b0e9d235cd45d3018c96e72091efa0aa3e7cd256321e071c27b03955e584aa4b2

Download Submit
\Windows\system\mpwRZMs.exe
Filesize
5.9MB

MD5
4fc361aa8ffd3685699ee4b1ec6e82cd

SHA1
87240ad7d8c54bb65d023caa15d138ee79634dcc

SHA256
3a2d39fe8247e2ca36cbddf26beee9765ef67e8066d0e5279d1e7529683f837a

SHA512
5644ead83d9faa4f36e7ad555ce419d6ff08d08cee4b32e538964e843cf7af8f174661b00be8986a16436dfc45d3c8a6726fa401cc89045491b444409bd7a9d2

Download Submit
memory/1892-145-0x000000013F8B0000-0x000000013FC04000-memory.dmp

Filesize
3.3MB

Download
memory/1892-17-0x0000000002460000-0x00000000027B4000-memory.dmp

Filesize
3.3MB

Download
memory/1892-149-0x000000013FBB0000-0x000000013FF04000-memory.dmp

Filesize
3.3MB

Download
memory/1892-147-0x000000013F980000-0x000000013FCD4000-memory.dmp

Filesize
3.3MB

Download
memory/1892-0-0x000000013F460000-0x000000013F7B4000-memory.dmp

Filesize
3.3MB

Download
memory/1892-102-0x000000013FBB0000-0x000000013FF04000-memory.dmp

Filesize
3.3MB

Download
memory/1892-63-0x000000013F460000-0x000000013F7B4000-memory.dmp

Filesize
3.3MB

Download
memory/1892-82-0x000000013F8B0000-0x000000013FC04000-memory.dmp

Filesize
3.3MB

Download
memory/1892-20-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

Filesize
3.3MB

Download
memory/1892-41-0x0000000002460000-0x00000000027B4000-memory.dmp

Filesize
3.3MB

Download
memory/1892-143-0x0000000002460000-0x00000000027B4000-memory.dmp

Filesize
3.3MB

Download
memory/1892-111-0x0000000002460000-0x00000000027B4000-memory.dmp

Filesize
3.3MB

Download
memory/1892-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/1892-27-0x0000000002460000-0x00000000027B4000-memory.dmp

Filesize
3.3MB

Download
memory/1892-56-0x0000000002460000-0x00000000027B4000-memory.dmp

Filesize
3.3MB

Download
memory/1892-36-0x0000000002460000-0x00000000027B4000-memory.dmp

Filesize
3.3MB

Download
memory/1892-78-0x0000000002460000-0x00000000027B4000-memory.dmp

Filesize
3.3MB

Download
memory/1892-6-0x0000000002460000-0x00000000027B4000-memory.dmp

Filesize
3.3MB

Download
memory/1892-49-0x000000013FC20000-0x000000013FF74000-memory.dmp

Filesize
3.3MB

Download
memory/1892-92-0x000000013F980000-0x000000013FCD4000-memory.dmp

Filesize
3.3MB

Download
memory/2044-79-0x000000013F630000-0x000000013F984000-memory.dmp

Filesize
3.3MB

Download
memory/2044-161-0x000000013F630000-0x000000013F984000-memory.dmp

Filesize
3.3MB

Download
memory/2044-144-0x000000013F630000-0x000000013F984000-memory.dmp

Filesize
3.3MB

Download
memory/2304-156-0x000000013F310000-0x000000013F664000-memory.dmp

Filesize
3.3MB

Download
memory/2304-101-0x000000013F310000-0x000000013F664000-memory.dmp

Filesize
3.3MB

Download
memory/2304-43-0x000000013F310000-0x000000013F664000-memory.dmp

Filesize
3.3MB

Download
memory/2416-157-0x000000013F2E0000-0x000000013F634000-memory.dmp

Filesize
3.3MB

Download
memory/2416-57-0x000000013F2E0000-0x000000013F634000-memory.dmp

Filesize
3.3MB

Download
memory/2448-110-0x000000013FC20000-0x000000013FF74000-memory.dmp

Filesize
3.3MB

Download
memory/2448-50-0x000000013FC20000-0x000000013FF74000-memory.dmp

Filesize
3.3MB

Download
memory/2448-158-0x000000013FC20000-0x000000013FF74000-memory.dmp

Filesize
3.3MB

Download
memory/2496-152-0x000000013F190000-0x000000013F4E4000-memory.dmp

Filesize
3.3MB

Download
memory/2496-77-0x000000013F190000-0x000000013F4E4000-memory.dmp

Filesize
3.3MB

Download
memory/2496-18-0x000000013F190000-0x000000013F4E4000-memory.dmp

Filesize
3.3MB

Download
memory/2504-155-0x000000013F1B0000-0x000000013F504000-memory.dmp

Filesize
3.3MB

Download
memory/2504-37-0x000000013F1B0000-0x000000013F504000-memory.dmp

Filesize
3.3MB

Download
memory/2528-154-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

Filesize
3.3MB

Download
memory/2528-22-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

Filesize
3.3MB

Download
memory/2528-85-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

Filesize
3.3MB

Download
memory/2584-30-0x000000013F370000-0x000000013F6C4000-memory.dmp

Filesize
3.3MB

Download
memory/2584-91-0x000000013F370000-0x000000013F6C4000-memory.dmp

Filesize
3.3MB

Download
memory/2584-153-0x000000013F370000-0x000000013F6C4000-memory.dmp

Filesize
3.3MB

Download
memory/2640-86-0x000000013F8B0000-0x000000013FC04000-memory.dmp

Filesize
3.3MB

Download
memory/2640-146-0x000000013F8B0000-0x000000013FC04000-memory.dmp

Filesize
3.3MB

Download
memory/2640-162-0x000000013F8B0000-0x000000013FC04000-memory.dmp

Filesize
3.3MB

Download
memory/2688-14-0x000000013F6F0000-0x000000013FA44000-memory.dmp

Filesize
3.3MB

Download
memory/2688-151-0x000000013F6F0000-0x000000013FA44000-memory.dmp

Filesize
3.3MB

Download
memory/2688-70-0x000000013F6F0000-0x000000013FA44000-memory.dmp

Filesize
3.3MB

Download
memory/2820-148-0x000000013F980000-0x000000013FCD4000-memory.dmp

Filesize
3.3MB

Download
memory/2820-95-0x000000013F980000-0x000000013FCD4000-memory.dmp

Filesize
3.3MB

Download
memory/2820-163-0x000000013F980000-0x000000013FCD4000-memory.dmp

Filesize
3.3MB

Download
memory/2844-150-0x000000013FBB0000-0x000000013FF04000-memory.dmp

Filesize
3.3MB

Download
memory/2844-103-0x000000013FBB0000-0x000000013FF04000-memory.dmp

Filesize
3.3MB

Download
memory/2844-164-0x000000013FBB0000-0x000000013FF04000-memory.dmp

Filesize
3.3MB

Download
memory/2856-64-0x000000013FC90000-0x000000013FFE4000-memory.dmp

Filesize
3.3MB

Download
memory/2856-141-0x000000013FC90000-0x000000013FFE4000-memory.dmp

Filesize
3.3MB

Download
memory/2856-159-0x000000013FC90000-0x000000013FFE4000-memory.dmp

Filesize
3.3MB

Download
memory/2864-142-0x000000013FD00000-0x0000000140054000-memory.dmp

Filesize
3.3MB

Download
memory/2864-71-0x000000013FD00000-0x0000000140054000-memory.dmp

Filesize
3.3MB

Download
memory/2864-160-0x000000013FD00000-0x0000000140054000-memory.dmp

Filesize
3.3MB

Download