cobaltstrike | f59bdf91166adc7ab0bece3d0edfb4f7725b2bf6cda10de8022fd4eff066444f

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-01-2025 04:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.7MB
MD5

4fc025f4fabc9fd37315f7a23b08f429
SHA1

c5bd48ea66b8a0c761b06892df19b7075a1cb5ca
SHA256

f59bdf91166adc7ab0bece3d0edfb4f7725b2bf6cda10de8022fd4eff066444f
SHA512

6e1e4258bab652bf95f2b558c4ec22a2d46d04bdad8e332e6242789a1998d81268e604c086ce6a27b6ace8f72c592996fe98d5c4e86079c0e50e179e952ce02f
SSDEEP

98304:4emTLkNdfE0pZaJ56utgpPFotBER/mQ32lUN:j+R56utgpPF8u/7N

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000b000000023b8b-5.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8f-11.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b90-10.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b91-22.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b8c-30.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b92-35.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b93-40.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b94-47.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b96-54.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b98-66.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b99-73.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9c-86.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9d-94.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9e-102.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9f-108.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba0-113.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9b-88.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9a-82.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b97-60.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba1-119.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba3-124.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 43 IoCs

miner

resource	yara_rule
behavioral2/memory/4948-0-0x00007FF6F62A0000-0x00007FF6F65ED000-memory.dmp	xmrig
behavioral2/files/0x000b000000023b8b-5.dat	xmrig
behavioral2/memory/3800-7-0x00007FF6C48B0000-0x00007FF6C4BFD000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b8f-11.dat	xmrig
behavioral2/memory/1368-13-0x00007FF7FAE90000-0x00007FF7FB1DD000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b90-10.dat	xmrig
behavioral2/files/0x000a000000023b91-22.dat	xmrig
behavioral2/memory/3820-21-0x00007FF601550000-0x00007FF60189D000-memory.dmp	xmrig
behavioral2/memory/4048-27-0x00007FF7C7B70000-0x00007FF7C7EBD000-memory.dmp	xmrig
behavioral2/memory/3856-31-0x00007FF609FE0000-0x00007FF60A32D000-memory.dmp	xmrig
behavioral2/files/0x000b000000023b8c-30.dat	xmrig
behavioral2/files/0x000a000000023b92-35.dat	xmrig
behavioral2/memory/3464-37-0x00007FF7D8A40000-0x00007FF7D8D8D000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b93-40.dat	xmrig
behavioral2/memory/2796-43-0x00007FF7C6220000-0x00007FF7C656D000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b94-47.dat	xmrig
behavioral2/memory/1800-49-0x00007FF7DECC0000-0x00007FF7DF00D000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b96-54.dat	xmrig
behavioral2/memory/4736-55-0x00007FF728B50000-0x00007FF728E9D000-memory.dmp	xmrig
behavioral2/memory/4412-61-0x00007FF6AF2E0000-0x00007FF6AF62D000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b98-66.dat	xmrig
behavioral2/files/0x000a000000023b99-73.dat	xmrig
behavioral2/files/0x000a000000023b9c-86.dat	xmrig
behavioral2/files/0x000a000000023b9d-94.dat	xmrig
behavioral2/files/0x000a000000023b9e-102.dat	xmrig
behavioral2/memory/3484-103-0x00007FF6AB520000-0x00007FF6AB86D000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b9f-108.dat	xmrig
behavioral2/memory/5040-114-0x00007FF7CDDE0000-0x00007FF7CE12D000-memory.dmp	xmrig
behavioral2/files/0x000a000000023ba0-113.dat	xmrig
behavioral2/memory/4376-111-0x00007FF706160000-0x00007FF7064AD000-memory.dmp	xmrig
behavioral2/memory/4440-100-0x00007FF751420000-0x00007FF75176D000-memory.dmp	xmrig
behavioral2/memory/3200-96-0x00007FF635510000-0x00007FF63585D000-memory.dmp	xmrig
behavioral2/memory/2340-89-0x00007FF6A5930000-0x00007FF6A5C7D000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b9b-88.dat	xmrig
behavioral2/memory/3976-84-0x00007FF613730000-0x00007FF613A7D000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b9a-82.dat	xmrig
behavioral2/memory/2744-79-0x00007FF7048C0000-0x00007FF704C0D000-memory.dmp	xmrig
behavioral2/memory/1252-67-0x00007FF706460000-0x00007FF7067AD000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b97-60.dat	xmrig
behavioral2/files/0x000a000000023ba1-119.dat	xmrig
behavioral2/memory/2428-121-0x00007FF6F8F70000-0x00007FF6F92BD000-memory.dmp	xmrig
behavioral2/files/0x000a000000023ba3-124.dat	xmrig
behavioral2/memory/4968-126-0x00007FF606110000-0x00007FF60645D000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3800	CTBHdKZ.exe
1368	BuCHxUm.exe
3820	mMEWCas.exe
4048	DKwwDWQ.exe
3856	wrLvxBJ.exe
3464	oOkHyka.exe
2796	AAsAMtj.exe
1800	mWUmZGk.exe
4736	KpfDqnf.exe
4412	CVbrnAY.exe
1252	dZpODSD.exe
2744	NclkRwR.exe
3976	IruPwux.exe
2340	okbBuRj.exe
3200	xtBbEtJ.exe
4440	bhzZhyH.exe
3484	BWnQRCV.exe
4376	cAosADy.exe
5040	fQJuFqN.exe
2428	dRDvcTX.exe
4968	vBFJcmU.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\oOkHyka.exe	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bhzZhyH.exe	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BWnQRCV.exe	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CVbrnAY.exe	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NclkRwR.exe	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IruPwux.exe	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\okbBuRj.exe	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xtBbEtJ.exe	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mMEWCas.exe	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AAsAMtj.exe	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mWUmZGk.exe	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cAosADy.exe	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fQJuFqN.exe	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vBFJcmU.exe	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dRDvcTX.exe	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DKwwDWQ.exe	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KpfDqnf.exe	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dZpODSD.exe	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CTBHdKZ.exe	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BuCHxUm.exe	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wrLvxBJ.exe	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4948	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4948	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 3800	4948	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4948 wrote to memory of 3800	4948	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4948 wrote to memory of 1368	4948	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4948 wrote to memory of 1368	4948	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4948 wrote to memory of 3820	4948	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4948 wrote to memory of 3820	4948	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4948 wrote to memory of 4048	4948	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4948 wrote to memory of 4048	4948	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4948 wrote to memory of 3856	4948	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4948 wrote to memory of 3856	4948	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4948 wrote to memory of 3464	4948	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4948 wrote to memory of 3464	4948	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4948 wrote to memory of 2796	4948	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4948 wrote to memory of 2796	4948	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4948 wrote to memory of 1800	4948	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4948 wrote to memory of 1800	4948	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4948 wrote to memory of 4736	4948	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4948 wrote to memory of 4736	4948	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4948 wrote to memory of 4412	4948	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4948 wrote to memory of 4412	4948	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4948 wrote to memory of 1252	4948	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4948 wrote to memory of 1252	4948	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4948 wrote to memory of 2744	4948	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4948 wrote to memory of 2744	4948	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4948 wrote to memory of 3976	4948	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4948 wrote to memory of 3976	4948	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4948 wrote to memory of 2340	4948	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4948 wrote to memory of 2340	4948	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4948 wrote to memory of 3200	4948	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4948 wrote to memory of 3200	4948	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4948 wrote to memory of 4440	4948	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4948 wrote to memory of 4440	4948	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4948 wrote to memory of 3484	4948	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4948 wrote to memory of 3484	4948	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4948 wrote to memory of 4376	4948	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4948 wrote to memory of 4376	4948	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4948 wrote to memory of 5040	4948	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4948 wrote to memory of 5040	4948	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4948 wrote to memory of 2428	4948	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4948 wrote to memory of 2428	4948	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4948 wrote to memory of 4968	4948	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4948 wrote to memory of 4968	4948	2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-21_4fc025f4fabc9fd37315f7a23b08f429_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Windows\System\CTBHdKZ.exe
  C:\Windows\System\CTBHdKZ.exe
  2⤵
  - Executes dropped EXE
  PID:3800
- C:\Windows\System\BuCHxUm.exe
  C:\Windows\System\BuCHxUm.exe
  2⤵
  - Executes dropped EXE
  PID:1368
- C:\Windows\System\mMEWCas.exe
  C:\Windows\System\mMEWCas.exe
  2⤵
  - Executes dropped EXE
  PID:3820
- C:\Windows\System\DKwwDWQ.exe
  C:\Windows\System\DKwwDWQ.exe
  2⤵
  - Executes dropped EXE
  PID:4048
- C:\Windows\System\wrLvxBJ.exe
  C:\Windows\System\wrLvxBJ.exe
  2⤵
  - Executes dropped EXE
  PID:3856
- C:\Windows\System\oOkHyka.exe
  C:\Windows\System\oOkHyka.exe
  2⤵
  - Executes dropped EXE
  PID:3464
- C:\Windows\System\AAsAMtj.exe
  C:\Windows\System\AAsAMtj.exe
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\System\mWUmZGk.exe
  C:\Windows\System\mWUmZGk.exe
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Windows\System\KpfDqnf.exe
  C:\Windows\System\KpfDqnf.exe
  2⤵
  - Executes dropped EXE
  PID:4736
- C:\Windows\System\CVbrnAY.exe
  C:\Windows\System\CVbrnAY.exe
  2⤵
  - Executes dropped EXE
  PID:4412
- C:\Windows\System\dZpODSD.exe
  C:\Windows\System\dZpODSD.exe
  2⤵
  - Executes dropped EXE
  PID:1252
- C:\Windows\System\NclkRwR.exe
  C:\Windows\System\NclkRwR.exe
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Windows\System\IruPwux.exe
  C:\Windows\System\IruPwux.exe
  2⤵
  - Executes dropped EXE
  PID:3976
- C:\Windows\System\okbBuRj.exe
  C:\Windows\System\okbBuRj.exe
  2⤵
  - Executes dropped EXE
  PID:2340
- C:\Windows\System\xtBbEtJ.exe
  C:\Windows\System\xtBbEtJ.exe
  2⤵
  - Executes dropped EXE
  PID:3200
- C:\Windows\System\bhzZhyH.exe
  C:\Windows\System\bhzZhyH.exe
  2⤵
  - Executes dropped EXE
  PID:4440
- C:\Windows\System\BWnQRCV.exe
  C:\Windows\System\BWnQRCV.exe
  2⤵
  - Executes dropped EXE
  PID:3484
- C:\Windows\System\cAosADy.exe
  C:\Windows\System\cAosADy.exe
  2⤵
  - Executes dropped EXE
  PID:4376
- C:\Windows\System\fQJuFqN.exe
  C:\Windows\System\fQJuFqN.exe
  2⤵
  - Executes dropped EXE
  PID:5040
- C:\Windows\System\dRDvcTX.exe
  C:\Windows\System\dRDvcTX.exe
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\System\vBFJcmU.exe
  C:\Windows\System\vBFJcmU.exe
  2⤵
  - Executes dropped EXE
  PID:4968

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AAsAMtj.exe

Filesize
5.7MB

MD5
a2c9ca858271e9c27ff9ea22253fe4c5

SHA1
e3e0234f5ac5b834a283cce1bf29ce5482394d53

SHA256
78e2f4e42df31fc0270a7ab3c6eafacfe31d8afe9d0c61aad7835f9ca5e39eea

SHA512
0b5c7ff479ac98d97515e508cd8e54ded63f2e5b3c4ea8d57de622a1c2f0a64b633b94942d43fe3f78aa2d7b40094f099cae7f2ec08b4f559c729e0c7ed75e80

Download Submit
C:\Windows\System\BWnQRCV.exe

Filesize
5.7MB

MD5
ef5f8b3ec0cdfff2dc5fc2afad8f68ca

SHA1
3879fa2e388377bca2814dd998054e75dd81116d

SHA256
771b7f08908a2e03f54eac367ac8c0c854a750cead9b5fda2c36a72637ce4497

SHA512
4540ea987794e4399fbf48316152c7c98b9a607cc958d09ecec1cefc7ac3944d5c5c592060113e983528fa50484e83e62dde2c5848001276c6d4127c748d7093

Download Submit
C:\Windows\System\BuCHxUm.exe

Filesize
5.7MB

MD5
f41f2def6bfa69809e54df8695a34963

SHA1
05404fb7476c0aa6b1a0c0847c73f3147e601d9e

SHA256
28723b3947e966592b5fc67640d0bdd765df183456ab655d248b5a10cf0e4823

SHA512
2221032787235698a8ea4f7e0b005af5c151245581a5bf2779039e0b20babc33c7d18f0425a96933d9198448771981225a2000b1b79920b41b7722418a691b17

Download Submit
C:\Windows\System\CTBHdKZ.exe

Filesize
5.7MB

MD5
451533beb1fd546bcfd0efbb62b18fda

SHA1
59aaeb753c3929ef5a6b8bbbcca1ac04c6526c82

SHA256
1640c8ede6791539f81e08dcd29ba2da6bf1a5f09e59dde5424fd5645b9b4f4d

SHA512
e0706202e69ebb83aa4447a541729c7db5e76f52f9d6dab18c40681aa6d9460b9adf6ce01676e2a170370e85a4676bf1878776862905e94bc61cac558617b585

Download Submit
C:\Windows\System\CVbrnAY.exe

Filesize
5.7MB

MD5
a4a8555ea8d5c12db1c7b3c4b41c4da7

SHA1
6afff4e3d6fadb29a205967548a4e6b2f65c5e25

SHA256
d1378069f0592b0c912b027f3a5cfd54bcc2ba86f63a5c118da04bc2b232016a

SHA512
c5867b2685879727330150ccffc37a0c09d1bff46972cf9eff20e842b6912214d36cd43eed6979de5f3bf0dd4783c60fc5d19de0e298ca0a10f0060b95ff7573

Download Submit
C:\Windows\System\DKwwDWQ.exe

Filesize
5.7MB

MD5
affa05e3e561a9799495a0067e09e3d9

SHA1
77dd3bf5bd773128cfc99c4ae60634568b90c207

SHA256
fa4126048229694fd2ad4b4eaad5e93b292eb0c4467e18bf3b99cd883f6a9c4a

SHA512
f878e7d2b9bbf5fc62f877abe02d1b0d75c388541cea449e2562b0fc64feb57c797adf4718ec0c95a3bf9790ecd75d18bbb98d432848b5d42e2f46a044bd0a4b

Download Submit
C:\Windows\System\IruPwux.exe

Filesize
5.7MB

MD5
7c657829a1e14fe69c653d45aa425e57

SHA1
bc32b990f44cf6cfebf510d539fc76600f6f60f1

SHA256
926f46a1e0f850d97460b24cc68cfc9c05e6a30b254a19c0fa9e4727d79d0b47

SHA512
b33ca0f4a1e680924475dd955e3b493551b75860ec6c6fa16c56ebfb0a44a10ee3353f9cd01988fa5f008c60386aa49e95cd8f6106cef5ccb2b5d4c5bdac0ea7

Download Submit
C:\Windows\System\KpfDqnf.exe

Filesize
5.7MB

MD5
7d7349fd56b81df5abc6dd651c9de5bb

SHA1
59d5726bf414279c752ec34cbb6760c6bba586cb

SHA256
86260cdd9268726b7a92f3d06116750ef112914067c4244e261afddb136f6a70

SHA512
1a55d7a74331a3184a4a6b8f53155509b4667a4fd01aad8fb30d717a4795531752967d2fa4913cfc5502f53c6dcf09dcd1c5d424822e906154ca642a2a005da8

Download Submit
C:\Windows\System\NclkRwR.exe

Filesize
5.7MB

MD5
50275cf507c6bdfd412434b7006a04ae

SHA1
508367068e174ee06cc9b1452152b0a190b4ddac

SHA256
cf0a57ad7036e568af72a57f0e96e01e4a5641029e2abee7b105891dbfaab43b

SHA512
f082f880f4761d37504a73233021367692d0288ca6eb15e43633e0f04a8e10624f849cb581542c52f441e5a8d0f736002943053d28212733416792cd19235fb4

Download Submit
C:\Windows\System\bhzZhyH.exe

Filesize
5.7MB

MD5
0fcee524ecb461a26273b18c858a424d

SHA1
9e1b57215dddbc3326defe7ee1450e43149c29c2

SHA256
12859ca37d66058714d57d7020a3cd2f5598d798440a1f0d947a92d9eaba8fa4

SHA512
4cc4cb0c77639110a354db07a7731e53f9e411b7b0d35d64c00b69734066853b505af68ef6b2cbc54018245ccac4d1eaa1669e29f00467ed0a704f6a3fd387e0

Download Submit
C:\Windows\System\cAosADy.exe

Filesize
5.7MB

MD5
a16ee80c516aedf062497fc087515a50

SHA1
f63d157316f73688e615c7720d4dfcbf84eb1191

SHA256
0d18a67c8fd06372611ff5682f934620fd0395a7b90082d59707c5ba2badafc7

SHA512
1aeed81539f994078a496bb5dbb5ca02c835ef786896d8b14089c97263841b626004025e3c415d86386739ce5a85b1604d1f8e53e6c2f0a23272513d21704f2b

Download Submit
C:\Windows\System\dRDvcTX.exe

Filesize
5.7MB

MD5
03668d4dee572194e57626ad48533ee7

SHA1
11d060617718ad982fab163f9dad9cfa0cadc402

SHA256
9cf858fde26bcedf92c32e787392ac13b3b2a479473e6fe927ce13b6a7393058

SHA512
6f677f57169a839335d537efdac442f7abb3c17171b3a6683290895ed743f9cfcfbd4f8919e060f809d57d377fed31678726654b272de07a88ae68887038fe7c

Download Submit
C:\Windows\System\dZpODSD.exe

Filesize
5.7MB

MD5
5f1f5906748c0f47dd32d36139704268

SHA1
ecfa8c9a54f99f8991a26ffc4739a94b9ae4af93

SHA256
96372fc6b7e34661966563ae204d25c63bc0f07eee2c9f02ebd1c58a4aa3c908

SHA512
c409848baf36f6e07f2e91267b9d152872b79199d99dd3e69fe485fc44e47ea6940bee6a6f88ca5e5ae6a9708a246f05c93b2b479c2a60752ed6a1714e6c30bf

Download Submit
C:\Windows\System\fQJuFqN.exe

Filesize
5.7MB

MD5
dd539e5a4e8d62b3142f7f96d4326023

SHA1
5a48b5c3808ae25b21656834f9d7950852e87a66

SHA256
1687bcfe198f2ae84381c0902a8f9b15b24dd1c08ed4ebeb7e81010e033a4302

SHA512
61eef8e782717a6149198041449893cbffcf162219df697d9aee75963f6cbbbfe8446b8785014c0677ed23e322d74959763ac2ecc6f83db3f6ac0f63150d6b88

Download Submit
C:\Windows\System\mMEWCas.exe

Filesize
5.7MB

MD5
5809f9436ee0581e17d2d9c52e5612eb

SHA1
18043478e13504bf448bcc5d41090c0f79ebea06

SHA256
a0a6548383cd5f03baa8e46e460a150b0921ed71a881796d344f88ceeb5869da

SHA512
ae161c9a2eb52d2d062de716329425a743766620cdeee28f9efdf6848320a4986f2b77b9ae13f2cd5c0d37a39414613b83069aa30b6fab72cde56787a440a7c2

Download Submit
C:\Windows\System\mWUmZGk.exe

Filesize
5.7MB

MD5
9b06d929b9412fadbcc59f6342d41ce8

SHA1
3983c0bc3afea1d632445e4323aec56b2d6a138f

SHA256
b4f11af506ebd7d0f344348fd227fbc6d50a4e2574192f6194daa0b3a61c5c1a

SHA512
cbfe1904fcbc86bd197a7cf185f082b8456d04b198230b6ed69d2f20b327d2f3b4fe7adb473de8e31e21455f076d07853b7d6fc87d0947753e123ecca6b348dc

Download Submit
C:\Windows\System\oOkHyka.exe

Filesize
5.7MB

MD5
3fb52f0da6903c22f08e55f5bbf3b8ec

SHA1
e23a50b091a58c5200a51ae30e08ae6edb276e57

SHA256
f0e8e0e1bbf7043c32fc185771a2a75b829f3fb3e440048f1bbfb54891f2103a

SHA512
e3a8cd4b5db500b23bd737efe24244e5bf4ee70399dfd66de82fc7161945f8c71a82d41aa381f0946cac7cdaab9283d250767bb926075722a17a5be4280abfa0

Download Submit
C:\Windows\System\okbBuRj.exe

Filesize
5.7MB

MD5
f299cdefbd0265da3b2afbf62d00caf9

SHA1
fc81a1ebd11a02207317c2211ddb3a95335cb5b7

SHA256
666bcc8daadba9b5370bdb32352300531e8427f3670f4a957fbf4394d4adf9a2

SHA512
5195122ad1b2f455448767b956f0d3b337bd91e338247c574d062971de8213dda82cd5e0363c7c69fa3e712d1b5af5248dff10925f4dc5dcc54747a7418d708d

Download Submit
C:\Windows\System\vBFJcmU.exe

Filesize
5.7MB

MD5
fdff3170c7e639795c040f71fe1cfd4e

SHA1
4245e4bdaa82696d48d2b97b4809c4f807a3f572

SHA256
6f2ef660779596d3d0201a41e69813c52f177bc047d38ed24ccb2a2d372127f3

SHA512
83046d3e8abe6487863223efc8a11e01d9cde83bcf477c73ed8996a7ca2cc0576d14b283198d3f617b5c07cca66e3bcbde75006e57ab7dc91ff5c36112ebb898

Download Submit
C:\Windows\System\wrLvxBJ.exe

Filesize
5.7MB

MD5
76e2cef0eb134299926f9479df1dc998

SHA1
44b19a8984ba61611351e20b2326daeb949ad90b

SHA256
231f55e7c483cd4d18cdca9e9dba443b1629c1947ad9a232542a6a4cf0590f03

SHA512
3e3a7d81091547fe3c792d3479b6147e48d40fca1737189a08cc770ba4cc3cccb4723726eca48054d2f733fa90d7d99ec8ef83d4963c720f7411f2b16588a8f1

Download Submit
C:\Windows\System\xtBbEtJ.exe

Filesize
5.7MB

MD5
2f837ca269c6025c60e7a9f2b8db72bf

SHA1
f1c7e7f1d7563d9daa8d26d3e98a768c67055439

SHA256
fe44c8b7684e60e53fa9816570c33cc54ead4290da351f9cfab1434a0e3d4c2f

SHA512
f768e33fbae8252886c5b5c256b2a0ca6af04cb35ddc46373241d70b88c10cf407ad23e498679792256109a2c1342b273f6184c97865caf836f2daf00f83521f

Download Submit
memory/1252-67-0x00007FF706460000-0x00007FF7067AD000-memory.dmp

Filesize
3.3MB

Download
memory/1368-13-0x00007FF7FAE90000-0x00007FF7FB1DD000-memory.dmp

Filesize
3.3MB

Download
memory/1800-49-0x00007FF7DECC0000-0x00007FF7DF00D000-memory.dmp

Filesize
3.3MB

Download
memory/2340-89-0x00007FF6A5930000-0x00007FF6A5C7D000-memory.dmp

Filesize
3.3MB

Download
memory/2428-121-0x00007FF6F8F70000-0x00007FF6F92BD000-memory.dmp

Filesize
3.3MB

Download
memory/2744-79-0x00007FF7048C0000-0x00007FF704C0D000-memory.dmp

Filesize
3.3MB

Download
memory/2796-43-0x00007FF7C6220000-0x00007FF7C656D000-memory.dmp

Filesize
3.3MB

Download
memory/3200-96-0x00007FF635510000-0x00007FF63585D000-memory.dmp

Filesize
3.3MB

Download
memory/3464-37-0x00007FF7D8A40000-0x00007FF7D8D8D000-memory.dmp

Filesize
3.3MB

Download
memory/3484-103-0x00007FF6AB520000-0x00007FF6AB86D000-memory.dmp

Filesize
3.3MB

Download
memory/3800-7-0x00007FF6C48B0000-0x00007FF6C4BFD000-memory.dmp

Filesize
3.3MB

Download
memory/3820-21-0x00007FF601550000-0x00007FF60189D000-memory.dmp

Filesize
3.3MB

Download
memory/3856-31-0x00007FF609FE0000-0x00007FF60A32D000-memory.dmp

Filesize
3.3MB

Download
memory/3976-84-0x00007FF613730000-0x00007FF613A7D000-memory.dmp

Filesize
3.3MB

Download
memory/4048-27-0x00007FF7C7B70000-0x00007FF7C7EBD000-memory.dmp

Filesize
3.3MB

Download
memory/4376-111-0x00007FF706160000-0x00007FF7064AD000-memory.dmp

Filesize
3.3MB

Download
memory/4412-61-0x00007FF6AF2E0000-0x00007FF6AF62D000-memory.dmp

Filesize
3.3MB

Download
memory/4440-100-0x00007FF751420000-0x00007FF75176D000-memory.dmp

Filesize
3.3MB

Download
memory/4736-55-0x00007FF728B50000-0x00007FF728E9D000-memory.dmp

Filesize
3.3MB

Download
memory/4948-1-0x0000015AF9080000-0x0000015AF9090000-memory.dmp

Filesize
64KB

Download
memory/4948-0-0x00007FF6F62A0000-0x00007FF6F65ED000-memory.dmp

Filesize
3.3MB

Download
memory/4968-126-0x00007FF606110000-0x00007FF60645D000-memory.dmp

Filesize
3.3MB

Download
memory/5040-114-0x00007FF7CDDE0000-0x00007FF7CE12D000-memory.dmp

Filesize
3.3MB

Download