cobaltstrike | ddacdacb80119c581bdd9d0f292e9922c9e8eaf2b654437e7f249bca8376a2e9

Analysis

max time kernel
144s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/01/2025, 22:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.7MB
MD5

6025176a0461d6c7c120be1197b35c54
SHA1

85c6787f072c8d7c47440fa4c37586ddfbe5c574
SHA256

ddacdacb80119c581bdd9d0f292e9922c9e8eaf2b654437e7f249bca8376a2e9
SHA512

b907a0273dc2e8f1a18d9035b3880d331c2971ccf138270e86326c95eebc7d4a97f118e89a3950becb23cc11e275989db9000da318411fb20dcc3bbf93aa0f87
SSDEEP

98304:4emTLkNdfE0pZaJ56utgpPFotBER/mQ32lUs:j+R56utgpPF8u/7s

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000a000000023bc5-5.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023c94-8.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9a-7.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9b-23.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9d-31.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023c97-35.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca0-47.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9f-43.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca1-52.dat	cobalt_reflective_dll
behavioral2/files/0x000300000001e764-59.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca3-64.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca4-72.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca5-78.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca6-84.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca7-90.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca8-95.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca9-100.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caa-106.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cab-114.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cac-119.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cad-124.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 43 IoCs

miner

resource	yara_rule
behavioral2/memory/2180-0-0x00007FF730980000-0x00007FF730CCD000-memory.dmp	xmrig
behavioral2/files/0x000a000000023bc5-5.dat	xmrig
behavioral2/files/0x0009000000023c94-8.dat	xmrig
behavioral2/memory/4440-10-0x00007FF6F3CE0000-0x00007FF6F402D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c9a-7.dat	xmrig
behavioral2/memory/4616-19-0x00007FF609050000-0x00007FF60939D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c9b-23.dat	xmrig
behavioral2/memory/2328-25-0x00007FF69B860000-0x00007FF69BBAD000-memory.dmp	xmrig
behavioral2/memory/4240-12-0x00007FF6540D0000-0x00007FF65441D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c9d-31.dat	xmrig
behavioral2/files/0x000a000000023c97-35.dat	xmrig
behavioral2/memory/4844-38-0x00007FF644A20000-0x00007FF644D6D000-memory.dmp	xmrig
behavioral2/memory/4236-44-0x00007FF700460000-0x00007FF7007AD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023ca0-47.dat	xmrig
behavioral2/memory/3640-48-0x00007FF676EF0000-0x00007FF67723D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c9f-43.dat	xmrig
behavioral2/memory/2088-41-0x00007FF7386D0000-0x00007FF738A1D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023ca1-52.dat	xmrig
behavioral2/memory/1060-55-0x00007FF72BBB0000-0x00007FF72BEFD000-memory.dmp	xmrig
behavioral2/files/0x000300000001e764-59.dat	xmrig
behavioral2/memory/1280-61-0x00007FF790B20000-0x00007FF790E6D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023ca3-64.dat	xmrig
behavioral2/memory/3844-73-0x00007FF686CB0000-0x00007FF686FFD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023ca4-72.dat	xmrig
behavioral2/memory/4976-70-0x00007FF62D8B0000-0x00007FF62DBFD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023ca5-78.dat	xmrig
behavioral2/files/0x0007000000023ca6-84.dat	xmrig
behavioral2/memory/1828-91-0x00007FF628A70000-0x00007FF628DBD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023ca7-90.dat	xmrig
behavioral2/memory/3760-88-0x00007FF7A1FD0000-0x00007FF7A231D000-memory.dmp	xmrig
behavioral2/memory/1152-79-0x00007FF7D6590000-0x00007FF7D68DD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023ca8-95.dat	xmrig
behavioral2/memory/4560-97-0x00007FF6B58E0000-0x00007FF6B5C2D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023ca9-100.dat	xmrig
behavioral2/memory/1644-107-0x00007FF76B590000-0x00007FF76B8DD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023caa-106.dat	xmrig
behavioral2/memory/4724-109-0x00007FF74FA90000-0x00007FF74FDDD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cab-114.dat	xmrig
behavioral2/files/0x0007000000023cac-119.dat	xmrig
behavioral2/memory/4748-121-0x00007FF6A43F0000-0x00007FF6A473D000-memory.dmp	xmrig
behavioral2/memory/1328-115-0x00007FF77F190000-0x00007FF77F4DD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cad-124.dat	xmrig
behavioral2/memory/716-126-0x00007FF767420000-0x00007FF76776D000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4440	vtjVcYB.exe
4240	lkWfTwh.exe
4616	oyKVwoC.exe
2328	TVcskfd.exe
4844	VJUgsmW.exe
4236	ZhMniOj.exe
2088	XcyTmyo.exe
3640	pvIvpHN.exe
1060	LeevJpV.exe
1280	smoyWoD.exe
4976	AfHEXrX.exe
3844	ZzFUOPE.exe
1152	MpMEtvP.exe
3760	wZukffW.exe
1828	NZhAucD.exe
4560	DcOaHcm.exe
4724	uqIExvs.exe
1644	CaOpKjC.exe
1328	PUXwjgt.exe
4748	cSreHMe.exe
716	cuZQXpT.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\wZukffW.exe	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oyKVwoC.exe	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LeevJpV.exe	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\smoyWoD.exe	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AfHEXrX.exe	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZzFUOPE.exe	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uqIExvs.exe	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cSreHMe.exe	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cuZQXpT.exe	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vtjVcYB.exe	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VJUgsmW.exe	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PUXwjgt.exe	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZhMniOj.exe	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XcyTmyo.exe	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pvIvpHN.exe	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MpMEtvP.exe	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NZhAucD.exe	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DcOaHcm.exe	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CaOpKjC.exe	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lkWfTwh.exe	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TVcskfd.exe	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2180	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2180	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 4440	2180	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2180 wrote to memory of 4440	2180	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2180 wrote to memory of 4240	2180	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2180 wrote to memory of 4240	2180	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2180 wrote to memory of 4616	2180	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2180 wrote to memory of 4616	2180	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2180 wrote to memory of 2328	2180	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2180 wrote to memory of 2328	2180	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2180 wrote to memory of 4844	2180	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2180 wrote to memory of 4844	2180	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2180 wrote to memory of 4236	2180	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2180 wrote to memory of 4236	2180	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2180 wrote to memory of 2088	2180	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2180 wrote to memory of 2088	2180	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2180 wrote to memory of 3640	2180	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2180 wrote to memory of 3640	2180	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2180 wrote to memory of 1060	2180	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2180 wrote to memory of 1060	2180	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2180 wrote to memory of 1280	2180	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2180 wrote to memory of 1280	2180	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2180 wrote to memory of 4976	2180	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2180 wrote to memory of 4976	2180	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2180 wrote to memory of 3844	2180	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2180 wrote to memory of 3844	2180	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2180 wrote to memory of 1152	2180	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2180 wrote to memory of 1152	2180	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2180 wrote to memory of 3760	2180	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2180 wrote to memory of 3760	2180	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2180 wrote to memory of 1828	2180	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2180 wrote to memory of 1828	2180	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2180 wrote to memory of 4560	2180	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2180 wrote to memory of 4560	2180	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2180 wrote to memory of 4724	2180	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2180 wrote to memory of 4724	2180	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2180 wrote to memory of 1644	2180	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2180 wrote to memory of 1644	2180	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2180 wrote to memory of 1328	2180	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2180 wrote to memory of 1328	2180	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2180 wrote to memory of 4748	2180	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2180 wrote to memory of 4748	2180	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2180 wrote to memory of 716	2180	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2180 wrote to memory of 716	2180	2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe	105

C:\Users\Admin\AppData\Local\Temp\2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-21_6025176a0461d6c7c120be1197b35c54_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\System\vtjVcYB.exe
  C:\Windows\System\vtjVcYB.exe
  2⤵
  - Executes dropped EXE
  PID:4440
- C:\Windows\System\lkWfTwh.exe
  C:\Windows\System\lkWfTwh.exe
  2⤵
  - Executes dropped EXE
  PID:4240
- C:\Windows\System\oyKVwoC.exe
  C:\Windows\System\oyKVwoC.exe
  2⤵
  - Executes dropped EXE
  PID:4616
- C:\Windows\System\TVcskfd.exe
  C:\Windows\System\TVcskfd.exe
  2⤵
  - Executes dropped EXE
  PID:2328
- C:\Windows\System\VJUgsmW.exe
  C:\Windows\System\VJUgsmW.exe
  2⤵
  - Executes dropped EXE
  PID:4844
- C:\Windows\System\ZhMniOj.exe
  C:\Windows\System\ZhMniOj.exe
  2⤵
  - Executes dropped EXE
  PID:4236
- C:\Windows\System\XcyTmyo.exe
  C:\Windows\System\XcyTmyo.exe
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Windows\System\pvIvpHN.exe
  C:\Windows\System\pvIvpHN.exe
  2⤵
  - Executes dropped EXE
  PID:3640
- C:\Windows\System\LeevJpV.exe
  C:\Windows\System\LeevJpV.exe
  2⤵
  - Executes dropped EXE
  PID:1060
- C:\Windows\System\smoyWoD.exe
  C:\Windows\System\smoyWoD.exe
  2⤵
  - Executes dropped EXE
  PID:1280
- C:\Windows\System\AfHEXrX.exe
  C:\Windows\System\AfHEXrX.exe
  2⤵
  - Executes dropped EXE
  PID:4976
- C:\Windows\System\ZzFUOPE.exe
  C:\Windows\System\ZzFUOPE.exe
  2⤵
  - Executes dropped EXE
  PID:3844
- C:\Windows\System\MpMEtvP.exe
  C:\Windows\System\MpMEtvP.exe
  2⤵
  - Executes dropped EXE
  PID:1152
- C:\Windows\System\wZukffW.exe
  C:\Windows\System\wZukffW.exe
  2⤵
  - Executes dropped EXE
  PID:3760
- C:\Windows\System\NZhAucD.exe
  C:\Windows\System\NZhAucD.exe
  2⤵
  - Executes dropped EXE
  PID:1828
- C:\Windows\System\DcOaHcm.exe
  C:\Windows\System\DcOaHcm.exe
  2⤵
  - Executes dropped EXE
  PID:4560
- C:\Windows\System\uqIExvs.exe
  C:\Windows\System\uqIExvs.exe
  2⤵
  - Executes dropped EXE
  PID:4724
- C:\Windows\System\CaOpKjC.exe
  C:\Windows\System\CaOpKjC.exe
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\Windows\System\PUXwjgt.exe
  C:\Windows\System\PUXwjgt.exe
  2⤵
  - Executes dropped EXE
  PID:1328
- C:\Windows\System\cSreHMe.exe
  C:\Windows\System\cSreHMe.exe
  2⤵
  - Executes dropped EXE
  PID:4748
- C:\Windows\System\cuZQXpT.exe
  C:\Windows\System\cuZQXpT.exe
  2⤵
  - Executes dropped EXE
  PID:716

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AfHEXrX.exe

Filesize
5.7MB

MD5
d58adc785ee64c5f93375b0211d6ddc8

SHA1
aacad198d50c2abdceaa785f1ccd20950eaad7ef

SHA256
6d32b69c57d277b7b6e51ca21030c86bebaa6bd51c71b0724d4eefe6b74a319b

SHA512
d20a4037733357097d5eeae4bd96b712078da056f72246c34ead914f70fc897083fe10c7b1acff4120f93311ed15730efcb43ded8a035adae27a8092b5a0339e

Download Submit
C:\Windows\System\CaOpKjC.exe

Filesize
5.7MB

MD5
544ca14b52b8a4f8e6ee34054d511fea

SHA1
b1a6591277a1207efc0c7905f246cab4af2de67c

SHA256
bbea8a0c4fddf1ba162c7a237e8ff8a38880b41620fd1182bee0f806f58a8e18

SHA512
32de99f392035af82779e823902190ff694a07ad6a8db4ec19d40d948156072f333b883d9c56f5bf0ea15894a5cd863b1e5fa55ad0db6c0cc6fa0d770628da84

Download Submit
C:\Windows\System\DcOaHcm.exe

Filesize
5.7MB

MD5
6e679d5b349646ce7d0849497a8425dc

SHA1
9626c3d8537da5e6209ce11aa0abe144625602ce

SHA256
cfd18734f835ff22e60b7252792d1ba7b9405867786c5f183e7e5cb56f898a5f

SHA512
97013b3f857add541f00562b4d71d9a4857889f9a576991cbe3ff24d79246c5c5ef40a6a5c4d65376d60b4c58738e5919e60035a5c384edc53ce61cf06a447f4

Download Submit
C:\Windows\System\LeevJpV.exe

Filesize
5.7MB

MD5
30a971ef14fb2976cf3a1395e3568b9b

SHA1
ccf0c226cb3aade3a0169d1b7effc8f19d69cd85

SHA256
b5997c76a2e2cd95eb7eff1a5f616d892c47a3ba732652780a556d7d5cfa9c61

SHA512
9510f35e99caf1b9b32286f08fcb5a60570cc97226728d17b709368d1fbf8da706da4db0b30b499ab4857c2015a40e8021201749d4667735a221724407060b07

Download Submit
C:\Windows\System\MpMEtvP.exe

Filesize
5.7MB

MD5
dae87180bcebbbe369829e2ca099de07

SHA1
324f2a0df5381a7e6a5aee1a2ddf7753e2e41f12

SHA256
5d89459773451f0d290f40d888d03e53a96d72ba26e0cfd85000c3eb9ca3d04e

SHA512
6a8f264e389f1ab8fad6a02deaed311faaa0b2639675f60705dc788a578862da517d2044e28c918c4f360b785ce58965a7164ad183731a4607eef226c8a0d507

Download Submit
C:\Windows\System\NZhAucD.exe

Filesize
5.7MB

MD5
2d0e858c98cbc7f37e5120dd6115f05e

SHA1
de0eb0ca67059dea06f78feb3caad04b059ae6b7

SHA256
a7b87f47cec2bbbffb448cf6cbc93d7055bf97b305a4031a4db7dd61c790d0cd

SHA512
33f7dfdedd7c45daeb420fdede1d98fb8b5a9eb6f54d840d14abc0bde640b2280d3a1c8609af766e65f922efe02bb83f53728f184b5871cb80c7c0daee0bb823

Download Submit
C:\Windows\System\PUXwjgt.exe

Filesize
5.7MB

MD5
df3ca744dfee4cc159e1579b0d23b86b

SHA1
e13d8e744dc628ee2acdcd571d289a8e7f0849c8

SHA256
bf8f3a80115462fce20c246f4d7ac4748ec34f91d4bde61274c0bbfecddcd719

SHA512
fdadd6390c9a67fd2d44ca1c04eb719755bd4ac71a8e1d422a461ef382b8ea9a213bce01466d00eeb1e314f5fd5886801271ed98465a6bb057015eb00282bd55

Download Submit
C:\Windows\System\TVcskfd.exe

Filesize
5.7MB

MD5
75e45593784873270279800feab59ffa

SHA1
7776bf92d7c5122c765c016c9531056e2b72a88b

SHA256
6aebbf1261ddbe866087ee0f7eb1b0a10f9e82a3dbce1247bd5aa0bd4ac08842

SHA512
407c003fbad2ba33cf6712c3e645d23fb1be1a3b5b03257bfdde4c198acffc39cf1cce9f3f9af528793595152ce8427b8775f5d5d6c10ed87772a444296bb906

Download Submit
C:\Windows\System\VJUgsmW.exe

Filesize
5.7MB

MD5
a909b298ecf9c8fd7f8f4701e6f6c213

SHA1
b63802ca513f65b0facd485978c136fc560ab229

SHA256
7a0e3a1eb78ac7dab478251a708f05827deda4a5fee2549d18036519beaa078a

SHA512
05516d6d55f8e01e2bad5bae735299bebc3a51b203f37b852f1ca339b4cf7264f8d1468e2cea3d7e29a143593682bc0fb02396f4e38fc3a0f177f492447dfd86

Download Submit
C:\Windows\System\XcyTmyo.exe

Filesize
5.7MB

MD5
8de7db2850b2705076f37af0696111b3

SHA1
f4b4f3841230e0686ef41687612485f8c0c915d3

SHA256
049c8c2161b3c34ae284bb22fbce16419b11670143c96a3a74570ca629e5517c

SHA512
48089d31553ec37d4fa075b4674d0a7cf3cb0c38ec175738accb3f010df9097683f8af7f3a6a4ed4e20513c9ca1b9f7982cf96a14ca68c480f35fbc37c8cdd29

Download Submit
C:\Windows\System\ZhMniOj.exe

Filesize
5.7MB

MD5
72c062f915b024d4e774e2629614c75d

SHA1
1bc54e150edb071d44391bc53f08096d0bc5f729

SHA256
b047c06c72a2d31ab770e65ce2d6be84f28b21f2cdd4f96493085e196d2548d1

SHA512
4e10aa5f79f1f11b5610993122ab0313199bbbbe485e9a1b28e51cbb769a5feef386d5bc50dce7272559eca3a7b79d856bf51611177d918d6b6c597e6a6c4f67

Download Submit
C:\Windows\System\ZzFUOPE.exe

Filesize
5.7MB

MD5
7f83d7e7858abdf319b539446bae4a58

SHA1
e6bf9809ef7573f389b2c1153930ce8453b84c95

SHA256
a9553810bdd81dcdaa9e37253447723dedac89b758e9277f1b19c12e0e682abc

SHA512
952eed7a26e57666a3aa72fd4a707647df6eb1d1420a64c89f0fb8734adc2c9727c1fc60f3ebda69252cdd44ed7751d7d7f7b3a369315dea6f576c1ce0391146

Download Submit
C:\Windows\System\cSreHMe.exe

Filesize
5.7MB

MD5
558d2a9025b02552cb9729da4a53fd61

SHA1
243b72813dda6441ed3d94beadbaf25e1e42c90c

SHA256
213dd54294b1c2e94252641a70d71bdc9abca5cd00cb36cde275503cfd9ab409

SHA512
95266da9224caa998de8798c6ede8be1e09454d1bca306336d99e65a9231e3b3bfae2d7f6db6152ebd102d175a86764b77d37d4d09c2925a805d329334647e60

Download Submit
C:\Windows\System\cuZQXpT.exe

Filesize
5.7MB

MD5
a57d1491e649ecdbcd5ca2eaf29250a7

SHA1
cd7d07e64dfbbedccbe2678b4bf6a78876a0bbbf

SHA256
672881ba6605230be6443a1adef271ead40e32108c8f9f89f72e227e4b8d76c3

SHA512
f17cd6a00c8b04b8cf5d208eed7bac5d24fb8926cec6e25a52140c1dfaf8e0c608226741a04c5347c34753651455e6cbee3c26a83749c1a6faa29be05b4bd6fb

Download Submit
C:\Windows\System\lkWfTwh.exe

Filesize
5.7MB

MD5
cd90a4be8685b7fabce4200db4c0c2c7

SHA1
f55fce1c35fada6a5fc81f7ac696e7e2a13275e1

SHA256
1eb64447c48916fdecabbbd0f23e9cd40a0dd97edbf7ef8ae412e7f83484a502

SHA512
609d08659a63e821acf77fbaf3b5ed709ac3465362bfd6aa731a2cb004b13e70eccb4698e9ced4960da2c2b5dace5c48c71958260485b8f3a9f6c0fd7e7aee1f

Download Submit
C:\Windows\System\oyKVwoC.exe

Filesize
5.7MB

MD5
08c2cc67005d73380be2b20273c494bc

SHA1
97f49014f792cd8374e27f54d599187ccad533b5

SHA256
9178be42346658a36206a09b2ec5342260c1b36f7c7b501e6d9feebd913655c5

SHA512
b8c4ba3674899c3b4c2ca1570bf584184d6c8dad510846c076743e721104abd77f46f8fe413165fca1189a1be971133c8d4fc8b726dc80dd49753aed64b22021

Download Submit
C:\Windows\System\pvIvpHN.exe

Filesize
5.7MB

MD5
ee91f6136149e14d8cf2860aa6f51b62

SHA1
a380ee4470188dee1830361bbb377a85adcb20ba

SHA256
22d39b5ca10f4e58336e045c0696d82599f9de79a60c87644f658e8f53b06363

SHA512
bccdfc049011fdcbff729a99343865f54946237ecc5e7fdddd4d0c6d43e492a0e7b687c8d42eeab8d3d976368c8097dbe1f545a41f75590718593cbad8b39b92

Download Submit
C:\Windows\System\smoyWoD.exe

Filesize
5.7MB

MD5
55b3b55965dbc50fd306ae834dabfee5

SHA1
4f03c21ba3bc7b27d3a72ae30c6cdaca96abba81

SHA256
afcde0b3f07c4101b329b191f74304d10489ece5823af9d5b6ed79860b01357a

SHA512
1d78daf2182ae118a5580779c51c1ace3223bb87af30cd16d0625672b1de93659a84aa3b07bb425f92981a6f9a7323f384c1595d6da42d3d37aeb5ddae17d180

Download Submit
C:\Windows\System\uqIExvs.exe

Filesize
5.7MB

MD5
fcaa2d1bd92232241d40c1f0975cebc6

SHA1
baf7a427e9a03f1d6cf0bd66e4d8632e1aca108f

SHA256
0b0a1105a619193bd13658d33488fdaffaab5f9eef239a27a18b4e79d4786627

SHA512
07d45b1c217db0c04774ae0f8871736cc30a9fdb7d9402292bbc99527737ac3cf14ff866037479a8d613a18bbde71f565c93401e708e0aeb3b855834b2573699

Download Submit
C:\Windows\System\vtjVcYB.exe

Filesize
5.7MB

MD5
9b325bb6f64ea9f6788663c23166ca06

SHA1
bdd26c4092e16a6d9b3d750f32531a35b7665d70

SHA256
6090c1e50a3fb2791900dff5322c6030c92a0343441861fdb8118965b9e314f1

SHA512
1a68e110fabf9792f37f5181f0afdecdb3c0a0330fdb8d7661f69278bd5b8b3eb07a560f79d9676670ef42714644a80072bc63593403b4f2fdca27fc08ba421c

Download Submit
C:\Windows\System\wZukffW.exe

Filesize
5.7MB

MD5
dc34530d9be713e3e501997dd3d9001d

SHA1
7766df08adf3a371060657c2a858024d27d6f0fb

SHA256
ff6b749ef3752adb698ce3952a0cbe04c10731f1ee3de4361cbaeadd9f9d1e1c

SHA512
bcfeb937ba75126156a7d08ab7899e733bb85a11840d14146b738296fc584e2d9b50a2ddca3d8c1fbf06e4609250043ecb5c763821ae102461882b5b06ac0fac

Download Submit
memory/716-126-0x00007FF767420000-0x00007FF76776D000-memory.dmp

Filesize
3.3MB

Download
memory/1060-55-0x00007FF72BBB0000-0x00007FF72BEFD000-memory.dmp

Filesize
3.3MB

Download
memory/1152-79-0x00007FF7D6590000-0x00007FF7D68DD000-memory.dmp

Filesize
3.3MB

Download
memory/1280-61-0x00007FF790B20000-0x00007FF790E6D000-memory.dmp

Filesize
3.3MB

Download
memory/1328-115-0x00007FF77F190000-0x00007FF77F4DD000-memory.dmp

Filesize
3.3MB

Download
memory/1644-107-0x00007FF76B590000-0x00007FF76B8DD000-memory.dmp

Filesize
3.3MB

Download
memory/1828-91-0x00007FF628A70000-0x00007FF628DBD000-memory.dmp

Filesize
3.3MB

Download
memory/2088-41-0x00007FF7386D0000-0x00007FF738A1D000-memory.dmp

Filesize
3.3MB

Download
memory/2180-1-0x000001509CD80000-0x000001509CD90000-memory.dmp

Filesize
64KB

Download
memory/2180-0-0x00007FF730980000-0x00007FF730CCD000-memory.dmp

Filesize
3.3MB

Download
memory/2328-25-0x00007FF69B860000-0x00007FF69BBAD000-memory.dmp

Filesize
3.3MB

Download
memory/3640-48-0x00007FF676EF0000-0x00007FF67723D000-memory.dmp

Filesize
3.3MB

Download
memory/3760-88-0x00007FF7A1FD0000-0x00007FF7A231D000-memory.dmp

Filesize
3.3MB

Download
memory/3844-73-0x00007FF686CB0000-0x00007FF686FFD000-memory.dmp

Filesize
3.3MB

Download
memory/4236-44-0x00007FF700460000-0x00007FF7007AD000-memory.dmp

Filesize
3.3MB

Download
memory/4240-12-0x00007FF6540D0000-0x00007FF65441D000-memory.dmp

Filesize
3.3MB

Download
memory/4440-10-0x00007FF6F3CE0000-0x00007FF6F402D000-memory.dmp

Filesize
3.3MB

Download
memory/4560-97-0x00007FF6B58E0000-0x00007FF6B5C2D000-memory.dmp

Filesize
3.3MB

Download
memory/4616-19-0x00007FF609050000-0x00007FF60939D000-memory.dmp

Filesize
3.3MB

Download
memory/4724-109-0x00007FF74FA90000-0x00007FF74FDDD000-memory.dmp

Filesize
3.3MB

Download
memory/4748-121-0x00007FF6A43F0000-0x00007FF6A473D000-memory.dmp

Filesize
3.3MB

Download
memory/4844-38-0x00007FF644A20000-0x00007FF644D6D000-memory.dmp

Filesize
3.3MB

Download
memory/4976-70-0x00007FF62D8B0000-0x00007FF62DBFD000-memory.dmp

Filesize
3.3MB

Download