cobaltstrike | f83a6fbc9ab4729d3546c3ff3724312a695bd0e985de4b405384469dd3d427a8

Analysis

max time kernel
140s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-01-2025 23:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.7MB
MD5

c2a514837d984e0c0dd41db126bca062
SHA1

ff02f2d7edf928c378cc1a0fb61ac9e8af522643
SHA256

f83a6fbc9ab4729d3546c3ff3724312a695bd0e985de4b405384469dd3d427a8
SHA512

b604498842019db299288b613ffb7eff12fbb7edf71e72a9f30435f83116a39b6918e8795045324cf6436a6d56a5129283b18e8633d5c162c30320f4522fc457
SSDEEP

98304:4emTLkNdfE0pZaJ56utgpPFotBER/mQ32lUr:j+R56utgpPF8u/7r

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023b82-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c78-14.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7a-29.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7c-41.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7b-38.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c79-33.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023c71-15.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7d-47.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7e-51.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c7f-59.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c80-65.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c82-72.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c83-77.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c85-91.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c84-86.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c87-94.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c88-108.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c86-98.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c89-114.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8b-125.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8a-120.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 43 IoCs

miner

resource	yara_rule
behavioral2/memory/4244-0-0x00007FF77A020000-0x00007FF77A36D000-memory.dmp	xmrig
behavioral2/files/0x000c000000023b82-5.dat	xmrig
behavioral2/memory/4876-7-0x00007FF6B9EC0000-0x00007FF6BA20D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c78-14.dat	xmrig
behavioral2/memory/2948-16-0x00007FF7AE000000-0x00007FF7AE34D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c7a-29.dat	xmrig
behavioral2/memory/216-34-0x00007FF6B7C60000-0x00007FF6B7FAD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c7c-41.dat	xmrig
behavioral2/memory/5016-42-0x00007FF6EDFC0000-0x00007FF6EE30D000-memory.dmp	xmrig
behavioral2/memory/5036-39-0x00007FF76AC40000-0x00007FF76AF8D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c7b-38.dat	xmrig
behavioral2/files/0x0007000000023c79-33.dat	xmrig
behavioral2/memory/1944-30-0x00007FF73B280000-0x00007FF73B5CD000-memory.dmp	xmrig
behavioral2/memory/4728-21-0x00007FF7EB690000-0x00007FF7EB9DD000-memory.dmp	xmrig
behavioral2/files/0x000b000000023c71-15.dat	xmrig
behavioral2/files/0x0007000000023c7d-47.dat	xmrig
behavioral2/files/0x0007000000023c7e-51.dat	xmrig
behavioral2/memory/212-52-0x00007FF727A10000-0x00007FF727D5D000-memory.dmp	xmrig
behavioral2/memory/2856-56-0x00007FF68EF30000-0x00007FF68F27D000-memory.dmp	xmrig
behavioral2/memory/2828-60-0x00007FF657030000-0x00007FF65737D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c7f-59.dat	xmrig
behavioral2/files/0x0007000000023c80-65.dat	xmrig
behavioral2/files/0x0007000000023c82-72.dat	xmrig
behavioral2/memory/3128-78-0x00007FF663D90000-0x00007FF6640DD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c83-77.dat	xmrig
behavioral2/memory/1640-73-0x00007FF7BAD80000-0x00007FF7BB0CD000-memory.dmp	xmrig
behavioral2/memory/5004-70-0x00007FF718110000-0x00007FF71845D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c85-91.dat	xmrig
behavioral2/files/0x0007000000023c84-86.dat	xmrig
behavioral2/files/0x0007000000023c87-94.dat	xmrig
behavioral2/memory/4248-99-0x00007FF7DE440000-0x00007FF7DE78D000-memory.dmp	xmrig
behavioral2/memory/1752-103-0x00007FF611770000-0x00007FF611ABD000-memory.dmp	xmrig
behavioral2/memory/4020-109-0x00007FF64EEB0000-0x00007FF64F1FD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c88-108.dat	xmrig
behavioral2/memory/5056-96-0x00007FF6DD000000-0x00007FF6DD34D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c86-98.dat	xmrig
behavioral2/memory/2888-87-0x00007FF7BEA20000-0x00007FF7BED6D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c89-114.dat	xmrig
behavioral2/files/0x0007000000023c8b-125.dat	xmrig
behavioral2/memory/820-126-0x00007FF731FA0000-0x00007FF7322ED000-memory.dmp	xmrig
behavioral2/memory/3884-121-0x00007FF63E8A0000-0x00007FF63EBED000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c8a-120.dat	xmrig
behavioral2/memory/2644-115-0x00007FF6A6DB0000-0x00007FF6A70FD000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4876	QHALwRd.exe
2948	nCiKzbC.exe
4728	BLEQbUg.exe
216	kdLiigm.exe
1944	BusVMEJ.exe
5036	wSYkVzN.exe
5016	rKxhXoI.exe
212	lARRgId.exe
2856	PzNdiRy.exe
2828	LWtKSIc.exe
5004	rWDwKAY.exe
1640	IsfeuQa.exe
3128	vxXmgNE.exe
2888	kYeRVOS.exe
5056	RGLrQOk.exe
4248	LdFtamT.exe
1752	dsFqLBq.exe
4020	yIvwAka.exe
2644	KemUXqc.exe
3884	coTAnwf.exe
820	iBvJJUE.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\dsFqLBq.exe	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yIvwAka.exe	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BusVMEJ.exe	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BLEQbUg.exe	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kdLiigm.exe	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wSYkVzN.exe	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lARRgId.exe	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PzNdiRy.exe	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LWtKSIc.exe	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IsfeuQa.exe	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QHALwRd.exe	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KemUXqc.exe	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LdFtamT.exe	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rKxhXoI.exe	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vxXmgNE.exe	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kYeRVOS.exe	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nCiKzbC.exe	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RGLrQOk.exe	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\coTAnwf.exe	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iBvJJUE.exe	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rWDwKAY.exe	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4244	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4244	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4244 wrote to memory of 4876	4244	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4244 wrote to memory of 4876	4244	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4244 wrote to memory of 2948	4244	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4244 wrote to memory of 2948	4244	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4244 wrote to memory of 4728	4244	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4244 wrote to memory of 4728	4244	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4244 wrote to memory of 216	4244	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4244 wrote to memory of 216	4244	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4244 wrote to memory of 1944	4244	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4244 wrote to memory of 1944	4244	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4244 wrote to memory of 5036	4244	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4244 wrote to memory of 5036	4244	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4244 wrote to memory of 5016	4244	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4244 wrote to memory of 5016	4244	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4244 wrote to memory of 212	4244	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4244 wrote to memory of 212	4244	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4244 wrote to memory of 2856	4244	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4244 wrote to memory of 2856	4244	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4244 wrote to memory of 2828	4244	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4244 wrote to memory of 2828	4244	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4244 wrote to memory of 5004	4244	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4244 wrote to memory of 5004	4244	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4244 wrote to memory of 1640	4244	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4244 wrote to memory of 1640	4244	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4244 wrote to memory of 3128	4244	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4244 wrote to memory of 3128	4244	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4244 wrote to memory of 2888	4244	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4244 wrote to memory of 2888	4244	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4244 wrote to memory of 5056	4244	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4244 wrote to memory of 5056	4244	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4244 wrote to memory of 4248	4244	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4244 wrote to memory of 4248	4244	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4244 wrote to memory of 1752	4244	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4244 wrote to memory of 1752	4244	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4244 wrote to memory of 4020	4244	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4244 wrote to memory of 4020	4244	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4244 wrote to memory of 2644	4244	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4244 wrote to memory of 2644	4244	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4244 wrote to memory of 3884	4244	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4244 wrote to memory of 3884	4244	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4244 wrote to memory of 820	4244	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 4244 wrote to memory of 820	4244	2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe	106

C:\Users\Admin\AppData\Local\Temp\2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-21_c2a514837d984e0c0dd41db126bca062_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4244
- C:\Windows\System\QHALwRd.exe
  C:\Windows\System\QHALwRd.exe
  2⤵
  - Executes dropped EXE
  PID:4876
- C:\Windows\System\nCiKzbC.exe
  C:\Windows\System\nCiKzbC.exe
  2⤵
  - Executes dropped EXE
  PID:2948
- C:\Windows\System\BLEQbUg.exe
  C:\Windows\System\BLEQbUg.exe
  2⤵
  - Executes dropped EXE
  PID:4728
- C:\Windows\System\kdLiigm.exe
  C:\Windows\System\kdLiigm.exe
  2⤵
  - Executes dropped EXE
  PID:216
- C:\Windows\System\BusVMEJ.exe
  C:\Windows\System\BusVMEJ.exe
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Windows\System\wSYkVzN.exe
  C:\Windows\System\wSYkVzN.exe
  2⤵
  - Executes dropped EXE
  PID:5036
- C:\Windows\System\rKxhXoI.exe
  C:\Windows\System\rKxhXoI.exe
  2⤵
  - Executes dropped EXE
  PID:5016
- C:\Windows\System\lARRgId.exe
  C:\Windows\System\lARRgId.exe
  2⤵
  - Executes dropped EXE
  PID:212
- C:\Windows\System\PzNdiRy.exe
  C:\Windows\System\PzNdiRy.exe
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Windows\System\LWtKSIc.exe
  C:\Windows\System\LWtKSIc.exe
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Windows\System\rWDwKAY.exe
  C:\Windows\System\rWDwKAY.exe
  2⤵
  - Executes dropped EXE
  PID:5004
- C:\Windows\System\IsfeuQa.exe
  C:\Windows\System\IsfeuQa.exe
  2⤵
  - Executes dropped EXE
  PID:1640
- C:\Windows\System\vxXmgNE.exe
  C:\Windows\System\vxXmgNE.exe
  2⤵
  - Executes dropped EXE
  PID:3128
- C:\Windows\System\kYeRVOS.exe
  C:\Windows\System\kYeRVOS.exe
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\System\RGLrQOk.exe
  C:\Windows\System\RGLrQOk.exe
  2⤵
  - Executes dropped EXE
  PID:5056
- C:\Windows\System\LdFtamT.exe
  C:\Windows\System\LdFtamT.exe
  2⤵
  - Executes dropped EXE
  PID:4248
- C:\Windows\System\dsFqLBq.exe
  C:\Windows\System\dsFqLBq.exe
  2⤵
  - Executes dropped EXE
  PID:1752
- C:\Windows\System\yIvwAka.exe
  C:\Windows\System\yIvwAka.exe
  2⤵
  - Executes dropped EXE
  PID:4020
- C:\Windows\System\KemUXqc.exe
  C:\Windows\System\KemUXqc.exe
  2⤵
  - Executes dropped EXE
  PID:2644
- C:\Windows\System\coTAnwf.exe
  C:\Windows\System\coTAnwf.exe
  2⤵
  - Executes dropped EXE
  PID:3884
- C:\Windows\System\iBvJJUE.exe
  C:\Windows\System\iBvJJUE.exe
  2⤵
  - Executes dropped EXE
  PID:820

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BLEQbUg.exe

Filesize
5.7MB

MD5
1f9e7238fe0fa0144413e1498cd4eb89

SHA1
07980d59a531d06f0c93027c3f147382a92815db

SHA256
0eef2a478dcd802daa4d26ae1634a395dcbc7159991ae0178e1c1ad3e6691a25

SHA512
d9082c1c6c94bd0f7c4098b7589cd8f50748d0678caf4b146581969a7623ab2426d29382f435ead0ff12087bb216048b26df58e3e6a167618e5420e071dfce5b

Download Submit
C:\Windows\System\BusVMEJ.exe

Filesize
5.7MB

MD5
d946c3174dbef5e4005dc5a3c5505f0a

SHA1
d391d11d5c73afddfb890cd5b8af0c1a4d1221f8

SHA256
b58877255d10af7db2dcd36a6cdba88a24956fc4ba243a78b7f5b9b3d4f42334

SHA512
128d8c151a554e965ddd877852fb0b2ae887d84f1504c4bbd243b4edea3791726eed7b7d1c8631e4ee5c53544d3b42f5f3bef99a3999f952e233743aa3d416ed

Download Submit
C:\Windows\System\IsfeuQa.exe

Filesize
5.7MB

MD5
4822d9a9ac636561a6347d7427a0a01f

SHA1
dc68ecd4a1246b6f74472e59f6feb085dc0e71bf

SHA256
607219bf0a485fdc9e4672ee619da1d30a4d43d9e9c3cd87ef34a6f80e858be3

SHA512
09da69b8f20dbe8cfe2ab0816194aaff7b4e61af0f5d1d5f8d417797f8ae12b2cae343b9f2112bf53d68bcf97cca1f6b736bc6c505be0c3e1da11e41230f27b9

Download Submit
C:\Windows\System\KemUXqc.exe

Filesize
5.7MB

MD5
85e3202207cb445f659d8e02281b996a

SHA1
da6f559d7747b81f7d643c86848a94128cda7c35

SHA256
d50efe77cf29f72e99a1a5ccc295969cb677d681fabd87cdc7b3bab6ba351c89

SHA512
de1dbe343a5e35f7e55c83dd5b7606091e9e2a43a4447970b93d55bc716f86e98ca39032512ea97f08d0f878daa561079873a2caed3550dd854f91442fc695a5

Download Submit
C:\Windows\System\LWtKSIc.exe

Filesize
5.7MB

MD5
a470f2b31615917e07e62294a79b90da

SHA1
f99155df3784341d8dbc5df81f53db131efa4e10

SHA256
b242b55baa938b9d777b6480e6b641f061c590687addd52a450591952258fa29

SHA512
2fc000d1d010fbb6be8eb514485be1ad8b4562d376e59e276d653db9036a4532861ea6fe5725c988025909a8fb91624676773b1b2c6fea4131cf4f5a41c91ae9

Download Submit
C:\Windows\System\LdFtamT.exe

Filesize
5.7MB

MD5
0acf9eebcee7b1782ff2953ffc3ac94b

SHA1
e130ae9cbca3ddd10a99561bc9b94c8c6dd4ee3f

SHA256
acebef0b4e65c66283857a7232e0f469f4081826df3495ca3e433bb899ad44b9

SHA512
66697ff8165f405b6c78b45671e0dd9e98470a828af3c1fcdbd54927b0529cda7a7019ced0e56cba95f30f87e08e88930089a4692f2f8eeee297645dc5c7fb70

Download Submit
C:\Windows\System\PzNdiRy.exe

Filesize
5.7MB

MD5
c53dbc12ebcd2b20bf6bcb9c4d14256c

SHA1
57270486d15ed662981ae28f937ad37cc679220f

SHA256
ddc097a22e3c3affcac013891a8d848c40b7e434690e4a26fcbaa39e0281bf03

SHA512
6716893d6c5e88928d9e8da707c3ae6f191ed63efcc509a5d78de8ab6273281a0abf4aebf1222a2bfb28b788b381b61e3d17c1b6c04ffb78a27a522ccbe13f04

Download Submit
C:\Windows\System\QHALwRd.exe

Filesize
5.7MB

MD5
8bb61d0d4614ccc1a20606220cd8e1b0

SHA1
4e47fb5e39307642b259685a1d148378a0c1cc92

SHA256
abd3a6c0d6b70c019d1830e198cb36bbd10566a8d3c7ae7b73df7f7e9edcfda1

SHA512
3002e233b2e3c14b3a692b01e849aecab600da9c394dd92d48dcd0f6f45058ebc8d26e215d565e3bd6f2ece0b3d6e8eb4dbd31c3ce07e92136f4326e8ab1ce96

Download Submit
C:\Windows\System\RGLrQOk.exe

Filesize
5.7MB

MD5
465cf92ff6c8e825f5b881c19b81b519

SHA1
f9af131386f17d5a85fa39f1b2f41bb96421e014

SHA256
86de77cdc424512d36e00fc3c6ae85d07127d49be15f11b4f6f688140a84f11d

SHA512
09a747f4e4b13f27d3bda55e1b38126ca57f8ea4ed1bd3affc8a3d49da5100421aa4e52c09aedc408ade1205a76c3fb3f3916af921a481cdff092189450585a5

Download Submit
C:\Windows\System\coTAnwf.exe

Filesize
5.7MB

MD5
7d5bb6cf055650b2182b9e574ca5860f

SHA1
43a2b794dfce09f5cf3c8b85cc1f64493d0cc757

SHA256
d6cf0ff8c7c52db8ad52dec0b7eaada15eaa55b228f358f5380b3f8c3de39f57

SHA512
d6a44844d89575c4e5d0ff1bb7d37ac79d2fcedecaf9f8f64e415f4e1a9700e350ec796d13b90abee0effa43abf4e4aa44e12b3af51c215086884d6bd9fd87ce

Download Submit
C:\Windows\System\dsFqLBq.exe

Filesize
5.7MB

MD5
ac291cafd65f882991c93dae0dafa79e

SHA1
56b7b7657c8e7124696c4def60e4ef04ca39a6ed

SHA256
b2985e81f8e788f36d0e31edda20a11d982e4fc39fe205442f5ede73efbad712

SHA512
cd2221bd428549a8fd7f8c166e996c4460e614cb593f0e524f5ba6dab978c291636739bde849522881d8eb26eca756df3a94037fc1b68ac467fcc786e03a9ec3

Download Submit
C:\Windows\System\iBvJJUE.exe

Filesize
5.7MB

MD5
84dd4f41dacaf0786eb13c269f6ae418

SHA1
cd0cc63e74e8a88f6d00a790ba0eddf8c9673cc0

SHA256
8d1cb3fac359c9425f683a0a49c738d438b8c7ddfff0562f8a05029361be07a7

SHA512
5ce2f53e9fe6837af937379ae86e073df9603dcf6ce072beec30db5739bbedebbd02654d0ca66c99054721f72cc56b2138717a1506d246b9b21db6242fee9d6d

Download Submit
C:\Windows\System\kYeRVOS.exe

Filesize
5.7MB

MD5
b6445db00b50e5ba57406f266c208026

SHA1
6d43e051c86ff60c6710b4d72f283ac99053a0a8

SHA256
464e018d5c415a1925aec945ceb8d781ae04de8f40df692788c25667382e9c80

SHA512
5f603a2e34fcff0615c2e4f4356daa90e893a545a3f6263ec1f37a2d513d299f5c657b94506d1941daedaed873c3f8bbf5bef5d974a1cd59117c55a1571d7d3b

Download Submit
C:\Windows\System\kdLiigm.exe

Filesize
5.7MB

MD5
1f82ff42f4986cbe55ad0cd7c340604f

SHA1
f900e0a64aacc4d20fcd4602b7e4a6e2cb1d57ee

SHA256
6c106bbcf8734739f906f87f905afb5d9cdc12131f3cf201aff69301f6563201

SHA512
107d417899c78d0bae26b73d1b49efe2522c2c6a8dbf6f8740c776923eadf913d141ff5383af891a6af912d856bc6a6b11cbec32a1ea0f10803bbd84180410b0

Download Submit
C:\Windows\System\lARRgId.exe

Filesize
5.7MB

MD5
12402d14fed03423f003dc73ebad3045

SHA1
e0d54a886aa9cc09e920f848dbb33dd00d6827fa

SHA256
770ffaa47965a9a29f9f6e7d56d98690fd72cdf1f706534dff321d10fb0c87e8

SHA512
b5c9d2d42cd92e12bef9479a62ddc7680c859f7c714153ecd361db867477e1d9ced0371a4ecfcec240d6670ccfea3f5a59243c8443dac41a82bfb685ca8a78c7

Download Submit
C:\Windows\System\nCiKzbC.exe

Filesize
5.7MB

MD5
e0a88cdcb7c28313e2db133aa9bae1d5

SHA1
7b52a18191a2e6760543bca1cf039b80d55c7ee3

SHA256
fcd93a2ab05b6293888bc3d618108c2f0e1258060971339bab6718dd5d8fa73c

SHA512
60d15370af686801521b9b60c7974bce8bec6aa7b48388993a4e46e26e551e68f1b7bc783439dc3b47331f70fff6b7522d01893f8e03d59c204b4696ba669141

Download Submit
C:\Windows\System\rKxhXoI.exe

Filesize
5.7MB

MD5
a14d67c9fba31cb2d1b90d90dd3c5cb7

SHA1
346904caea4c0bc7c15d8efa967a0db1ad65d437

SHA256
ccb049480b529bdd04124d23139560f41887e54cf1540cc08c27a58b4883c35e

SHA512
9ef2b9a0777892a70b5e2c100e753915ae1d0e2c61de40175d8ac842d878e0db013b4ee3960891bd7b6792de402c60c747f34b8c43277e4ea0cd88f499f881c3

Download Submit
C:\Windows\System\rWDwKAY.exe

Filesize
5.7MB

MD5
d2836ad0cf068cbc5b1fc2ca1cef30e5

SHA1
a0bb7d9a3e10c12c9070c74812ca48b4c1589d38

SHA256
2618777a32c750461baa9b681198571127837fdf68633acabf5f01c273249398

SHA512
532829d49f8bd37122e339128e874ac5fe54c08b43950c13e121f7c328f6133eb249afc46a37109ee1609f520476856c0482f28a43593ef5a012c9c0aaa20986

Download Submit
C:\Windows\System\vxXmgNE.exe

Filesize
5.7MB

MD5
dd96d155a2004f1bfbd24b60069215fb

SHA1
d4d849c014378211b0d6c4d8c889a1a551458443

SHA256
f8c7a0ea3e161e3ea87feb7d63250218b2e9e8c826139f71d7ae4a5bfaef9ba0

SHA512
af88bb2832f57652e92a4e2d88b9c8e20e3964caa9aca608ea1b2671fe23202b5ff6f6f3361a0741aab33efca84852892d23dbb9da848f8458e3104861184fe0

Download Submit
C:\Windows\System\wSYkVzN.exe

Filesize
5.7MB

MD5
ece14e8a080ad9140c200fbf348fba76

SHA1
dba933c16705329d5d3385da79df4882b70e91d3

SHA256
8e20cce47ca645cf3ceecadbe6d8903679e68deb2763aad898cd470240b54452

SHA512
dfaed3d4d6ed3c59eb750fbade22223a72e851b0408800291f0a4bd06b464ef0aef5caad3ded851c66b24a7e573937b79afd918d97160939999c9fc48f0f6fe1

Download Submit
C:\Windows\System\yIvwAka.exe

Filesize
5.7MB

MD5
7d81d2bb1d2c7dbb2755216b01c8a612

SHA1
950d97a8e5934cf8415febde5598f051268dd160

SHA256
937ec5a782bd0df0305c130cbb613adc017760f8bc563dbddf2c78c9287c35ba

SHA512
c53108a327dc6e5932ef48aebf79c3060ee619f3894e01c9a52ac89d917f475497533e161ddd7193c0e2359dec129f52df8033ab573eaf68e666408baedc26bf

Download Submit
memory/212-52-0x00007FF727A10000-0x00007FF727D5D000-memory.dmp

Filesize
3.3MB

Download
memory/216-34-0x00007FF6B7C60000-0x00007FF6B7FAD000-memory.dmp

Filesize
3.3MB

Download
memory/820-126-0x00007FF731FA0000-0x00007FF7322ED000-memory.dmp

Filesize
3.3MB

Download
memory/1640-73-0x00007FF7BAD80000-0x00007FF7BB0CD000-memory.dmp

Filesize
3.3MB

Download
memory/1752-103-0x00007FF611770000-0x00007FF611ABD000-memory.dmp

Filesize
3.3MB

Download
memory/1944-30-0x00007FF73B280000-0x00007FF73B5CD000-memory.dmp

Filesize
3.3MB

Download
memory/2644-115-0x00007FF6A6DB0000-0x00007FF6A70FD000-memory.dmp

Filesize
3.3MB

Download
memory/2828-60-0x00007FF657030000-0x00007FF65737D000-memory.dmp

Filesize
3.3MB

Download
memory/2856-56-0x00007FF68EF30000-0x00007FF68F27D000-memory.dmp

Filesize
3.3MB

Download
memory/2888-87-0x00007FF7BEA20000-0x00007FF7BED6D000-memory.dmp

Filesize
3.3MB

Download
memory/2948-16-0x00007FF7AE000000-0x00007FF7AE34D000-memory.dmp

Filesize
3.3MB

Download
memory/3128-78-0x00007FF663D90000-0x00007FF6640DD000-memory.dmp

Filesize
3.3MB

Download
memory/3884-121-0x00007FF63E8A0000-0x00007FF63EBED000-memory.dmp

Filesize
3.3MB

Download
memory/4020-109-0x00007FF64EEB0000-0x00007FF64F1FD000-memory.dmp

Filesize
3.3MB

Download
memory/4244-1-0x0000013780690000-0x00000137806A0000-memory.dmp

Filesize
64KB

Download
memory/4244-0-0x00007FF77A020000-0x00007FF77A36D000-memory.dmp

Filesize
3.3MB

Download
memory/4248-99-0x00007FF7DE440000-0x00007FF7DE78D000-memory.dmp

Filesize
3.3MB

Download
memory/4728-21-0x00007FF7EB690000-0x00007FF7EB9DD000-memory.dmp

Filesize
3.3MB

Download
memory/4876-7-0x00007FF6B9EC0000-0x00007FF6BA20D000-memory.dmp

Filesize
3.3MB

Download
memory/5004-70-0x00007FF718110000-0x00007FF71845D000-memory.dmp

Filesize
3.3MB

Download
memory/5016-42-0x00007FF6EDFC0000-0x00007FF6EE30D000-memory.dmp

Filesize
3.3MB

Download
memory/5036-39-0x00007FF76AC40000-0x00007FF76AF8D000-memory.dmp

Filesize
3.3MB

Download
memory/5056-96-0x00007FF6DD000000-0x00007FF6DD34D000-memory.dmp

Filesize
3.3MB

Download