cobaltstrike | 70c94bffbb98a94a777c4b306ddd1d01dc52e30b00c079f93ba1a152c20ae6f0

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/01/2025, 04:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.7MB
MD5

51868e035d41da60f68aed05a097d5ee
SHA1

4c2d17f2b2d58b8dd732c961976fa76f88f43152
SHA256

70c94bffbb98a94a777c4b306ddd1d01dc52e30b00c079f93ba1a152c20ae6f0
SHA512

f20fe98677d7b66970b231a1c02021f11a73fed124106108f711a9d41307855e61a35fa13d60860e86979cc585838c4c5f7d0747b6ad020c1afc639eba7519cb
SSDEEP

98304:4emTLkNdfE0pZaJ56utgpPFotBER/mQ32lUA:j+R56utgpPF8u/7A

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000a000000023bde-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb3-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb4-11.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023cb0-22.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb6-28.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb9-46.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cba-54.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb8-42.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb7-36.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbb-58.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbd-63.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbe-71.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbf-77.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc0-83.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc1-89.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc2-94.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc4-102.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc5-106.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc6-112.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc7-119.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc8-125.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 43 IoCs

miner

resource	yara_rule
behavioral2/memory/2376-0-0x00007FF7982F0000-0x00007FF79863D000-memory.dmp	xmrig
behavioral2/files/0x000a000000023bde-4.dat	xmrig
behavioral2/memory/4976-7-0x00007FF66A6F0000-0x00007FF66AA3D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cb3-10.dat	xmrig
behavioral2/files/0x0007000000023cb4-11.dat	xmrig
behavioral2/memory/4332-13-0x00007FF611850000-0x00007FF611B9D000-memory.dmp	xmrig
behavioral2/memory/1332-21-0x00007FF6F3B80000-0x00007FF6F3ECD000-memory.dmp	xmrig
behavioral2/files/0x0008000000023cb0-22.dat	xmrig
behavioral2/files/0x0007000000023cb6-28.dat	xmrig
behavioral2/memory/5060-37-0x00007FF6B24A0000-0x00007FF6B27ED000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cb9-46.dat	xmrig
behavioral2/memory/3388-52-0x00007FF7860A0000-0x00007FF7863ED000-memory.dmp	xmrig
behavioral2/memory/1180-55-0x00007FF707890000-0x00007FF707BDD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cba-54.dat	xmrig
behavioral2/memory/4612-45-0x00007FF773AB0000-0x00007FF773DFD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cb8-42.dat	xmrig
behavioral2/files/0x0007000000023cb7-36.dat	xmrig
behavioral2/memory/2408-34-0x00007FF7E61E0000-0x00007FF7E652D000-memory.dmp	xmrig
behavioral2/memory/2388-27-0x00007FF64BEC0000-0x00007FF64C20D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cbb-58.dat	xmrig
behavioral2/files/0x0007000000023cbd-63.dat	xmrig
behavioral2/files/0x0007000000023cbe-71.dat	xmrig
behavioral2/memory/4656-73-0x00007FF7AF3D0000-0x00007FF7AF71D000-memory.dmp	xmrig
behavioral2/memory/2916-65-0x00007FF7381B0000-0x00007FF7384FD000-memory.dmp	xmrig
behavioral2/memory/5112-69-0x00007FF79F5E0000-0x00007FF79F92D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cbf-77.dat	xmrig
behavioral2/memory/3824-78-0x00007FF6C6610000-0x00007FF6C695D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cc0-83.dat	xmrig
behavioral2/memory/1624-85-0x00007FF759780000-0x00007FF759ACD000-memory.dmp	xmrig
behavioral2/memory/4888-90-0x00007FF6FC2B0000-0x00007FF6FC5FD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cc1-89.dat	xmrig
behavioral2/files/0x0007000000023cc2-94.dat	xmrig
behavioral2/memory/4992-97-0x00007FF76AB40000-0x00007FF76AE8D000-memory.dmp	xmrig
behavioral2/memory/3576-103-0x00007FF61FEA0000-0x00007FF6201ED000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cc4-102.dat	xmrig
behavioral2/files/0x0007000000023cc5-106.dat	xmrig
behavioral2/files/0x0007000000023cc6-112.dat	xmrig
behavioral2/memory/1716-115-0x00007FF7BBC20000-0x00007FF7BBF6D000-memory.dmp	xmrig
behavioral2/memory/1204-110-0x00007FF790010000-0x00007FF79035D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cc7-119.dat	xmrig
behavioral2/files/0x0007000000023cc8-125.dat	xmrig
behavioral2/memory/5020-121-0x00007FF602BC0000-0x00007FF602F0D000-memory.dmp	xmrig
behavioral2/memory/2448-126-0x00007FF624230000-0x00007FF62457D000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4976	oItViYO.exe
4332	mYYxpUZ.exe
1332	XxlfoLR.exe
2388	oPIEhyr.exe
2408	JCzIypf.exe
5060	mttnBFn.exe
4612	zfoebJQ.exe
3388	PSbdmcb.exe
1180	kqYnxxa.exe
2916	fhMALUH.exe
5112	VNXBHZz.exe
4656	JSgfrBL.exe
3824	RGszlOa.exe
1624	SADBsXw.exe
4888	zJSHPfC.exe
4992	XCRMIDM.exe
3576	suTRhTj.exe
1204	uZPRrSP.exe
1716	WryfKAo.exe
5020	RNaStXD.exe
2448	urFGscH.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\oItViYO.exe	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mYYxpUZ.exe	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oPIEhyr.exe	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\suTRhTj.exe	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kqYnxxa.exe	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zJSHPfC.exe	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uZPRrSP.exe	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RNaStXD.exe	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XxlfoLR.exe	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PSbdmcb.exe	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fhMALUH.exe	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VNXBHZz.exe	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JSgfrBL.exe	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RGszlOa.exe	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SADBsXw.exe	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\urFGscH.exe	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JCzIypf.exe	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mttnBFn.exe	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zfoebJQ.exe	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XCRMIDM.exe	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WryfKAo.exe	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2376	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2376	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 4976	2376	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2376 wrote to memory of 4976	2376	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2376 wrote to memory of 4332	2376	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2376 wrote to memory of 4332	2376	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2376 wrote to memory of 1332	2376	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2376 wrote to memory of 1332	2376	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2376 wrote to memory of 2388	2376	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2376 wrote to memory of 2388	2376	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2376 wrote to memory of 2408	2376	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2376 wrote to memory of 2408	2376	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2376 wrote to memory of 5060	2376	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2376 wrote to memory of 5060	2376	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2376 wrote to memory of 4612	2376	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2376 wrote to memory of 4612	2376	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2376 wrote to memory of 3388	2376	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2376 wrote to memory of 3388	2376	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2376 wrote to memory of 1180	2376	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2376 wrote to memory of 1180	2376	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2376 wrote to memory of 2916	2376	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2376 wrote to memory of 2916	2376	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2376 wrote to memory of 5112	2376	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2376 wrote to memory of 5112	2376	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2376 wrote to memory of 4656	2376	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2376 wrote to memory of 4656	2376	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2376 wrote to memory of 3824	2376	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2376 wrote to memory of 3824	2376	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2376 wrote to memory of 1624	2376	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2376 wrote to memory of 1624	2376	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2376 wrote to memory of 4888	2376	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2376 wrote to memory of 4888	2376	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2376 wrote to memory of 4992	2376	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2376 wrote to memory of 4992	2376	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2376 wrote to memory of 3576	2376	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2376 wrote to memory of 3576	2376	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2376 wrote to memory of 1204	2376	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2376 wrote to memory of 1204	2376	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2376 wrote to memory of 1716	2376	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2376 wrote to memory of 1716	2376	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2376 wrote to memory of 5020	2376	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2376 wrote to memory of 5020	2376	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2376 wrote to memory of 2448	2376	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2376 wrote to memory of 2448	2376	2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-21_51868e035d41da60f68aed05a097d5ee_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\System\oItViYO.exe
  C:\Windows\System\oItViYO.exe
  2⤵
  - Executes dropped EXE
  PID:4976
- C:\Windows\System\mYYxpUZ.exe
  C:\Windows\System\mYYxpUZ.exe
  2⤵
  - Executes dropped EXE
  PID:4332
- C:\Windows\System\XxlfoLR.exe
  C:\Windows\System\XxlfoLR.exe
  2⤵
  - Executes dropped EXE
  PID:1332
- C:\Windows\System\oPIEhyr.exe
  C:\Windows\System\oPIEhyr.exe
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Windows\System\JCzIypf.exe
  C:\Windows\System\JCzIypf.exe
  2⤵
  - Executes dropped EXE
  PID:2408
- C:\Windows\System\mttnBFn.exe
  C:\Windows\System\mttnBFn.exe
  2⤵
  - Executes dropped EXE
  PID:5060
- C:\Windows\System\zfoebJQ.exe
  C:\Windows\System\zfoebJQ.exe
  2⤵
  - Executes dropped EXE
  PID:4612
- C:\Windows\System\PSbdmcb.exe
  C:\Windows\System\PSbdmcb.exe
  2⤵
  - Executes dropped EXE
  PID:3388
- C:\Windows\System\kqYnxxa.exe
  C:\Windows\System\kqYnxxa.exe
  2⤵
  - Executes dropped EXE
  PID:1180
- C:\Windows\System\fhMALUH.exe
  C:\Windows\System\fhMALUH.exe
  2⤵
  - Executes dropped EXE
  PID:2916
- C:\Windows\System\VNXBHZz.exe
  C:\Windows\System\VNXBHZz.exe
  2⤵
  - Executes dropped EXE
  PID:5112
- C:\Windows\System\JSgfrBL.exe
  C:\Windows\System\JSgfrBL.exe
  2⤵
  - Executes dropped EXE
  PID:4656
- C:\Windows\System\RGszlOa.exe
  C:\Windows\System\RGszlOa.exe
  2⤵
  - Executes dropped EXE
  PID:3824
- C:\Windows\System\SADBsXw.exe
  C:\Windows\System\SADBsXw.exe
  2⤵
  - Executes dropped EXE
  PID:1624
- C:\Windows\System\zJSHPfC.exe
  C:\Windows\System\zJSHPfC.exe
  2⤵
  - Executes dropped EXE
  PID:4888
- C:\Windows\System\XCRMIDM.exe
  C:\Windows\System\XCRMIDM.exe
  2⤵
  - Executes dropped EXE
  PID:4992
- C:\Windows\System\suTRhTj.exe
  C:\Windows\System\suTRhTj.exe
  2⤵
  - Executes dropped EXE
  PID:3576
- C:\Windows\System\uZPRrSP.exe
  C:\Windows\System\uZPRrSP.exe
  2⤵
  - Executes dropped EXE
  PID:1204
- C:\Windows\System\WryfKAo.exe
  C:\Windows\System\WryfKAo.exe
  2⤵
  - Executes dropped EXE
  PID:1716
- C:\Windows\System\RNaStXD.exe
  C:\Windows\System\RNaStXD.exe
  2⤵
  - Executes dropped EXE
  PID:5020
- C:\Windows\System\urFGscH.exe
  C:\Windows\System\urFGscH.exe
  2⤵
  - Executes dropped EXE
  PID:2448

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\JCzIypf.exe

Filesize
5.7MB

MD5
e63f048a2024407376024d8159ec5700

SHA1
5e033549c6c5e8e5ca77cbf277647e6818bf3b8a

SHA256
4a5aa739b2cfded06be9f11a9875e6e8dd06f3f0406c746886eed2473069e705

SHA512
e50a88a16faf374489b1182f1e6b288952b8c8dbef766ea19ce3a0106af07a6080a6903cc1685847ef343ad47f8313cc3a2c81d6b2a11a55efe116fb2e4fcf8c

Download Submit
C:\Windows\System\JSgfrBL.exe

Filesize
5.7MB

MD5
1b028676288a88d1853da62af8777e85

SHA1
e03c5d4b0e70e2f3f65d0592a944f2d1cbac4565

SHA256
3492981c9253fcc99f778334740d4b6168ac3aa43251a538bca11414d8204f0c

SHA512
4f04306d4b6a1d4dc67dcd445a4e04a4f5c353c96fdb8f0140f726eac4464313575fee893b5b2b9aff060477abc10ee54f0f726387a2b219db4c6e82b00b3d55

Download Submit
C:\Windows\System\PSbdmcb.exe

Filesize
5.7MB

MD5
de56df294ff76dfccbb29a41c0914e65

SHA1
ba28fd203e1802af2af3a37c19dec0a279dbc07e

SHA256
5442315435130ce82c49d83c3b022ae45484fbbcefc482f0c80d859f5a476bc3

SHA512
1b7cef73b4b04855f7f7cca945e61a1aa95a4d738c52c178687eaba6d64b33f3f91371ad5bc6349ffd7fd9c4e9f3b1fbe6dbf9a0849cfdd06f173c58c25e2215

Download Submit
C:\Windows\System\RGszlOa.exe

Filesize
5.7MB

MD5
563422f2b68ca275bf043239ec49c5b6

SHA1
ccc834bf6247ffe2c6ed0a2c8b0eb2b159244dfe

SHA256
3b28225c3b248a9c7a20cd38e31a9ff8484f8b4f6fc1f31e9578a5e853aed382

SHA512
16876ca3074bb59685ca7320a0988add6df08d3ccce90eb5ecfadf23b2db37719a4bbfa2a974b510d5b0474e9f7470d920486f8d88e4839fb757a79af97e3cb5

Download Submit
C:\Windows\System\RNaStXD.exe

Filesize
5.7MB

MD5
4892c62d3a7b3fa342fa436d8c840fca

SHA1
ba1a5774a65d11ea279d535f4527693c7073d2a0

SHA256
4337db192db06c5c8bf9c6f5f39d258715ca40c7ead185bb2e0567136677f6c6

SHA512
9e511c5206a5493fb98187274b098ed9ca8964e1fb55414d822b2098ca26d22a97f8e626a27f7a24b0e13768c6b8cfe0f9b68131c86d889c04125424e5f22039

Download Submit
C:\Windows\System\SADBsXw.exe

Filesize
5.7MB

MD5
5ca17bc7ea6d542a12056941ffd0c6ee

SHA1
a072faae78343d24841a2426b35cf4f4b6353fb8

SHA256
360313955fb6b306604f98d60aff7a9f4a7d42644b3278a75f677abed1b1de09

SHA512
c134d8082fdbfa83fed9b82f3580398853b68692a49244c95001f57e0d0d48604bcfff55c04c26fdcc8c0cdcc2d773bdfcaa76cdbeecbb5649e204f51c2b1bb1

Download Submit
C:\Windows\System\VNXBHZz.exe

Filesize
5.7MB

MD5
ca1b2a63dfacdb82ccab76617c6828c9

SHA1
748fd74ee57fc9a1d39d3eb73a6f34d9ef3d60d9

SHA256
a2b4a4146c06b8807d25424a838291ec5080647ecb5f04d5c0eda6e4388da7b9

SHA512
170a40db25a306cb808a30114261467c385cc7b9da06dbad5f930d5d5b660b3c6af54d77823876243d8149c5add89ecdf3c78c151a662d919bf51af1fc3beea0

Download Submit
C:\Windows\System\WryfKAo.exe

Filesize
5.7MB

MD5
915bcff62a982d825ea650f63c7767e7

SHA1
7153cae5a1c27b768b0e69d98e62d45ad2446785

SHA256
f5a364e66e7c483ec168ff00666f4a5abb6797d2e22f5def423e16fd20d89b13

SHA512
982baec5b9b56c544b8be635451a4ee87b66302234d2ffb779069369d8fbaace9027fb1e0b11338601e5081a25875038d355e7a435dc2854c777ac75a3b2eb09

Download Submit
C:\Windows\System\XCRMIDM.exe

Filesize
5.7MB

MD5
efa6a0edfaf5d0f63a01ece843ad7942

SHA1
3ea4aa947c612cb7128d1374ddd1729536d062b4

SHA256
858962ae8a4de1c573daac30eb073ea206b0b3d59979fa0a5ffa9c8e8c99d2fa

SHA512
1b7b98c0b66c2fbafeb1b939e5989edcaf5da3a24de39a9f5bca8648288acc7457fdb87fc8d165818e443784ad848dc02f5722d732807341c1a83732ccc4433e

Download Submit
C:\Windows\System\XxlfoLR.exe

Filesize
5.7MB

MD5
65d000a42265fcc6ece856a10e05d1c7

SHA1
5c17202edc58c50fde9152b7ff28cd585a041f52

SHA256
3f0fc854278a552bfe8315dcc7ee208f4082159e82bcea68b850d143c8e07880

SHA512
0b21296137aa3c7145157cb76d1f08fa3d99ec85e67fa3fc8c2fc1ef43baf0700c6d5c55b89e66fca9eb5065e44c699e5b72e49baf0d1743b0599819d223e748

Download Submit
C:\Windows\System\fhMALUH.exe

Filesize
5.7MB

MD5
e99f856b1a947535e86e493291f88629

SHA1
53f7a3152427d37d0b164ed42ca58f295daf3af1

SHA256
361c4643ae8c21a02733843697108fe6a2f5eee3229a60e52a0abd9d76047dcc

SHA512
671ca4ea39607953fc39cf1e9f345606f1907f12b0b736a82f46977a6574857f3f6af5e1ec0f1e7fe0ec9e12d79400a51d2fd43e9f9fbc4a7423df86f1bd8258

Download Submit
C:\Windows\System\kqYnxxa.exe

Filesize
5.7MB

MD5
1f3308a1a339a1aadb6fa1413516ac91

SHA1
9c3ec2f2a40a9d32f617dca555f5c9157a7ef0d7

SHA256
63b1b66a575a0beb371658b5f5faf3554d5e7e763c2965481baaad1c1f1f69c8

SHA512
f7c7a1a959d89e7e0005e64b351c6b7efc477d2840bc8d03fdd1e55717aea3b674cdd05e9689b8f57323bf176e466b919165cde1533c29585a8c664e39d663f8

Download Submit
C:\Windows\System\mYYxpUZ.exe

Filesize
5.7MB

MD5
72a28fa58d9cd7264878781c7a9fa18c

SHA1
7d7e2047ff59bfb3072bf379586992bd502f3f8e

SHA256
21919f8fd93c5541b6aac62f0f97a2ff4c486acac111e8b4f58f10768b87727d

SHA512
1b33d8e30245b0b7cc799527e6e62b72ede2c1a504804466edc3745bc706b7f75e460132d58afb487e8a18c7f5ae77dec66241452ed4be86738591e0bd871def

Download Submit
C:\Windows\System\mttnBFn.exe

Filesize
5.7MB

MD5
2b4046f52054ba9b3189322bafd31e02

SHA1
db7e664d2613686be107c3aac2c7a01c70108ccc

SHA256
945335755f26eac3307fd2b530c1002d76de60839efea8acc603b6f3c5fba93d

SHA512
5bde37fc5a36efe450e3fb63c1c78f80f94d3679c5809b2645c3c71c45d1d57c8b2c5bfe6572ef7dc372ac3f2620eadc145e93e45749e7f2498a53d0e1dae851

Download Submit
C:\Windows\System\oItViYO.exe

Filesize
5.7MB

MD5
dcce5f9e34c60296d1081b3d0d274177

SHA1
60569b5e2cc94abbd533a1c741c00068896bfbeb

SHA256
138755197150da4104cac2e309b6f978e20a98a0f13995226675dfee8e9ef273

SHA512
38be30d9dfb8834359a479c2e0d6def07ef62479282fc9f32e8705aa48edb84d8a55d110bae031b2d7fab67308fd8a9babb472ed756519a9b37a740345782100

Download Submit
C:\Windows\System\oPIEhyr.exe

Filesize
5.7MB

MD5
f156b30983b716b2709bc664a228d979

SHA1
70d6b878089744d9def4977941f242dd90cec61a

SHA256
b6005bcb8e2de4b6e56e5f5c25305893712023d733444ffb183ca832871ff220

SHA512
49f076248392221cde27f0e8bdeb95869a8a2cd466dfab38fe9a89e33bfeeca7fae8cf32902119bc0f7279fa6a260fba063c0877fe77469096c4da348b766cde

Download Submit
C:\Windows\System\suTRhTj.exe

Filesize
5.7MB

MD5
d3409a315abea634a3a435f56845686b

SHA1
c3300be04ed396b87ba4208f9f00ccf6c2504c88

SHA256
9da14e0c28e14c2f6edd1a2a8c987e77ee0b9c070cded038499b097e1572480e

SHA512
c5cd2d8f6ea6d921df39bddd2146fc901fad0ea047e1b9e1427ed92bd4ae499f9c362dcca2fae3f7b0b4abf21f4811b83fcd9e9cfa22403d9302045a82b37ca6

Download Submit
C:\Windows\System\uZPRrSP.exe

Filesize
5.7MB

MD5
f702e0bb7a66b82135fd0cf34b6e3ff4

SHA1
71d88f86b9c9abaebf770893cb2559bcc2769ff5

SHA256
df2cb71634ce33b43933b76854d47e1b84d71c74319790d98b153c53dfcb77cd

SHA512
3ca1cb2fcca27452e5c7f1145de58d65ba18536f221be6792add94c43f760008c612ef04ea8da8128df80c626bca02138aca328db8305f7dd199efc1a6825343

Download Submit
C:\Windows\System\urFGscH.exe

Filesize
5.7MB

MD5
98eb748b8fb843c1c505eb2c4e780eed

SHA1
fae0f99232bd1775f33ad205fed1fe6924a979e4

SHA256
363854558a9012205c50fa7fd36cb3513bcff244260eef4695dcda472de0ee6e

SHA512
3d2f9716484509ff8faa919813017484f8e3e8beca0602c1d30192b7451b4dc65227c056c27397e04e7fdc59cbdbdc4f4e93943de9a098d53b2750fba26c6bcb

Download Submit
C:\Windows\System\zJSHPfC.exe

Filesize
5.7MB

MD5
bdf3d82037eacaad31e889ecf94c836a

SHA1
7c0466d482779fc16c07a294892b31fc04da063e

SHA256
6088e05071c3fabb06e51e1afba503e4334d68ff6ff0b0fad41b8935db8aef94

SHA512
1d5034c472067fd78d64c0c19abc0c09e5a418574a08f63009fc329ec7136c86c40e225357542ae0deef032dcac7d978064f3274cd92ae9bed306aff2f5ac33b

Download Submit
C:\Windows\System\zfoebJQ.exe

Filesize
5.7MB

MD5
b006c12f9c9353c6ebc51f543f87d032

SHA1
255740b6821e8cb7d5487a65b2d615ea851e94d7

SHA256
0ccf25bddd28cabfd2fddb01049dad4819690d18b037ad1f48d492b9a3ce64c5

SHA512
a4e80a67442134d7004b3c8f6849b83ec7a26fdac5a2780315c470ecab4dafd8ac35d65fe37f03a2b696b3ce5f97fe939c66d1df378bcf8f213c04aeb1ace8ab

Download Submit
memory/1180-55-0x00007FF707890000-0x00007FF707BDD000-memory.dmp

Filesize
3.3MB

Download
memory/1204-110-0x00007FF790010000-0x00007FF79035D000-memory.dmp

Filesize
3.3MB

Download
memory/1332-21-0x00007FF6F3B80000-0x00007FF6F3ECD000-memory.dmp

Filesize
3.3MB

Download
memory/1624-85-0x00007FF759780000-0x00007FF759ACD000-memory.dmp

Filesize
3.3MB

Download
memory/1716-115-0x00007FF7BBC20000-0x00007FF7BBF6D000-memory.dmp

Filesize
3.3MB

Download
memory/2376-0-0x00007FF7982F0000-0x00007FF79863D000-memory.dmp

Filesize
3.3MB

Download
memory/2376-1-0x000001BC54920000-0x000001BC54930000-memory.dmp

Filesize
64KB

Download
memory/2388-27-0x00007FF64BEC0000-0x00007FF64C20D000-memory.dmp

Filesize
3.3MB

Download
memory/2408-34-0x00007FF7E61E0000-0x00007FF7E652D000-memory.dmp

Filesize
3.3MB

Download
memory/2448-126-0x00007FF624230000-0x00007FF62457D000-memory.dmp

Filesize
3.3MB

Download
memory/2916-65-0x00007FF7381B0000-0x00007FF7384FD000-memory.dmp

Filesize
3.3MB

Download
memory/3388-52-0x00007FF7860A0000-0x00007FF7863ED000-memory.dmp

Filesize
3.3MB

Download
memory/3576-103-0x00007FF61FEA0000-0x00007FF6201ED000-memory.dmp

Filesize
3.3MB

Download
memory/3824-78-0x00007FF6C6610000-0x00007FF6C695D000-memory.dmp

Filesize
3.3MB

Download
memory/4332-13-0x00007FF611850000-0x00007FF611B9D000-memory.dmp

Filesize
3.3MB

Download
memory/4612-45-0x00007FF773AB0000-0x00007FF773DFD000-memory.dmp

Filesize
3.3MB

Download
memory/4656-73-0x00007FF7AF3D0000-0x00007FF7AF71D000-memory.dmp

Filesize
3.3MB

Download
memory/4888-90-0x00007FF6FC2B0000-0x00007FF6FC5FD000-memory.dmp

Filesize
3.3MB

Download
memory/4976-7-0x00007FF66A6F0000-0x00007FF66AA3D000-memory.dmp

Filesize
3.3MB

Download
memory/4992-97-0x00007FF76AB40000-0x00007FF76AE8D000-memory.dmp

Filesize
3.3MB

Download
memory/5020-121-0x00007FF602BC0000-0x00007FF602F0D000-memory.dmp

Filesize
3.3MB

Download
memory/5060-37-0x00007FF6B24A0000-0x00007FF6B27ED000-memory.dmp

Filesize
3.3MB

Download
memory/5112-69-0x00007FF79F5E0000-0x00007FF79F92D000-memory.dmp

Filesize
3.3MB

Download