cobaltstrike | 55f7a18fada369ad944511c315c4be423cc001c664ed7a57e261b6a41f880e3d

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/01/2025, 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.7MB
MD5

d3bc172294e592706b53fa1e81bbd1eb
SHA1

d79d668b6462e43694c4260e59fb87afd285b0e6
SHA256

55f7a18fada369ad944511c315c4be423cc001c664ed7a57e261b6a41f880e3d
SHA512

99cc3bcc5668df3f4bd770446ec135750458fa3c9736e3d69ff171ca74727b4b20a7dd2175633d767f33a9f466483ed429b182bbe0b5a19f1fc5f8720058b57c
SSDEEP

98304:4emTLkNdfE0pZaJ56utgpPFotBER/mQ32lUa:j+R56utgpPF8u/7a

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023caa-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caf-9.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb0-19.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cae-17.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb1-33.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb3-40.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb4-48.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb2-41.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb5-54.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023cab-59.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb6-69.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb7-72.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb8-78.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cba-84.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbb-88.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbc-94.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbd-101.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbe-108.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbf-114.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc1-120.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc2-125.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 43 IoCs

miner

resource	yara_rule
behavioral2/memory/4560-0-0x00007FF7DAFA0000-0x00007FF7DB2ED000-memory.dmp	xmrig
behavioral2/files/0x0008000000023caa-5.dat	xmrig
behavioral2/files/0x0007000000023caf-9.dat	xmrig
behavioral2/files/0x0007000000023cb0-19.dat	xmrig
behavioral2/files/0x0007000000023cae-17.dat	xmrig
behavioral2/memory/2728-18-0x00007FF79E7A0000-0x00007FF79EAED000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cb1-33.dat	xmrig
behavioral2/files/0x0007000000023cb3-40.dat	xmrig
behavioral2/files/0x0007000000023cb4-48.dat	xmrig
behavioral2/memory/1560-49-0x00007FF77A940000-0x00007FF77AC8D000-memory.dmp	xmrig
behavioral2/memory/1464-46-0x00007FF762510000-0x00007FF76285D000-memory.dmp	xmrig
behavioral2/memory/4756-42-0x00007FF701820000-0x00007FF701B6D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cb2-41.dat	xmrig
behavioral2/memory/2364-34-0x00007FF611AF0000-0x00007FF611E3D000-memory.dmp	xmrig
behavioral2/memory/2392-27-0x00007FF7C3BF0000-0x00007FF7C3F3D000-memory.dmp	xmrig
behavioral2/memory/1364-22-0x00007FF68AB90000-0x00007FF68AEDD000-memory.dmp	xmrig
behavioral2/memory/548-7-0x00007FF795700000-0x00007FF795A4D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cb5-54.dat	xmrig
behavioral2/memory/2852-55-0x00007FF67B760000-0x00007FF67BAAD000-memory.dmp	xmrig
behavioral2/files/0x0008000000023cab-59.dat	xmrig
behavioral2/memory/1872-63-0x00007FF74F080000-0x00007FF74F3CD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cb6-69.dat	xmrig
behavioral2/memory/1128-73-0x00007FF6DD870000-0x00007FF6DDBBD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cb7-72.dat	xmrig
behavioral2/memory/2416-70-0x00007FF711760000-0x00007FF711AAD000-memory.dmp	xmrig
behavioral2/memory/1444-79-0x00007FF743280000-0x00007FF7435CD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cb8-78.dat	xmrig
behavioral2/memory/5088-85-0x00007FF698090000-0x00007FF6983DD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cba-84.dat	xmrig
behavioral2/files/0x0007000000023cbb-88.dat	xmrig
behavioral2/memory/4520-91-0x00007FF7CA090000-0x00007FF7CA3DD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cbc-94.dat	xmrig
behavioral2/files/0x0007000000023cbd-101.dat	xmrig
behavioral2/memory/1204-97-0x00007FF611D40000-0x00007FF61208D000-memory.dmp	xmrig
behavioral2/memory/764-103-0x00007FF7D0D20000-0x00007FF7D106D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cbe-108.dat	xmrig
behavioral2/memory/5016-109-0x00007FF6438C0000-0x00007FF643C0D000-memory.dmp	xmrig
behavioral2/memory/4164-115-0x00007FF74B720000-0x00007FF74BA6D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cbf-114.dat	xmrig
behavioral2/files/0x0007000000023cc1-120.dat	xmrig
behavioral2/memory/1888-121-0x00007FF630920000-0x00007FF630C6D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cc2-125.dat	xmrig
behavioral2/memory/1104-126-0x00007FF76BDB0000-0x00007FF76C0FD000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
548	TkmtRWV.exe
2728	GwWtxeJ.exe
1364	XlrkPoA.exe
2392	PAFABfn.exe
2364	UgMCJmc.exe
4756	zJIivdD.exe
1464	KMimJlb.exe
1560	MIgEANH.exe
2852	IkrRdcK.exe
1872	kKcFFHw.exe
2416	YgJysiJ.exe
1128	ZVEPPzf.exe
1444	ayvyHgI.exe
5088	rwcSUOF.exe
4520	VYNCnic.exe
1204	rehhrXC.exe
764	LJeelln.exe
5016	RAXENtv.exe
4164	aCQKQkB.exe
1888	EcMDLyz.exe
1104	OEAuSAd.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\ZVEPPzf.exe	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ayvyHgI.exe	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LJeelln.exe	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RAXENtv.exe	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aCQKQkB.exe	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UgMCJmc.exe	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zJIivdD.exe	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KMimJlb.exe	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YgJysiJ.exe	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OEAuSAd.exe	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TkmtRWV.exe	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GwWtxeJ.exe	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PAFABfn.exe	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MIgEANH.exe	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IkrRdcK.exe	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kKcFFHw.exe	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EcMDLyz.exe	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XlrkPoA.exe	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rwcSUOF.exe	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VYNCnic.exe	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rehhrXC.exe	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4560	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4560	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4560 wrote to memory of 548	4560	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4560 wrote to memory of 548	4560	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4560 wrote to memory of 2728	4560	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4560 wrote to memory of 2728	4560	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4560 wrote to memory of 1364	4560	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4560 wrote to memory of 1364	4560	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4560 wrote to memory of 2392	4560	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4560 wrote to memory of 2392	4560	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4560 wrote to memory of 2364	4560	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4560 wrote to memory of 2364	4560	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4560 wrote to memory of 4756	4560	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4560 wrote to memory of 4756	4560	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4560 wrote to memory of 1464	4560	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4560 wrote to memory of 1464	4560	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4560 wrote to memory of 1560	4560	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4560 wrote to memory of 1560	4560	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4560 wrote to memory of 2852	4560	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4560 wrote to memory of 2852	4560	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4560 wrote to memory of 1872	4560	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4560 wrote to memory of 1872	4560	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4560 wrote to memory of 2416	4560	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4560 wrote to memory of 2416	4560	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4560 wrote to memory of 1128	4560	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4560 wrote to memory of 1128	4560	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4560 wrote to memory of 1444	4560	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4560 wrote to memory of 1444	4560	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4560 wrote to memory of 5088	4560	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4560 wrote to memory of 5088	4560	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4560 wrote to memory of 4520	4560	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4560 wrote to memory of 4520	4560	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4560 wrote to memory of 1204	4560	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4560 wrote to memory of 1204	4560	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4560 wrote to memory of 764	4560	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4560 wrote to memory of 764	4560	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4560 wrote to memory of 5016	4560	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4560 wrote to memory of 5016	4560	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4560 wrote to memory of 4164	4560	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4560 wrote to memory of 4164	4560	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4560 wrote to memory of 1888	4560	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4560 wrote to memory of 1888	4560	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4560 wrote to memory of 1104	4560	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4560 wrote to memory of 1104	4560	2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-21_d3bc172294e592706b53fa1e81bbd1eb_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4560
- C:\Windows\System\TkmtRWV.exe
  C:\Windows\System\TkmtRWV.exe
  2⤵
  - Executes dropped EXE
  PID:548
- C:\Windows\System\GwWtxeJ.exe
  C:\Windows\System\GwWtxeJ.exe
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\Windows\System\XlrkPoA.exe
  C:\Windows\System\XlrkPoA.exe
  2⤵
  - Executes dropped EXE
  PID:1364
- C:\Windows\System\PAFABfn.exe
  C:\Windows\System\PAFABfn.exe
  2⤵
  - Executes dropped EXE
  PID:2392
- C:\Windows\System\UgMCJmc.exe
  C:\Windows\System\UgMCJmc.exe
  2⤵
  - Executes dropped EXE
  PID:2364
- C:\Windows\System\zJIivdD.exe
  C:\Windows\System\zJIivdD.exe
  2⤵
  - Executes dropped EXE
  PID:4756
- C:\Windows\System\KMimJlb.exe
  C:\Windows\System\KMimJlb.exe
  2⤵
  - Executes dropped EXE
  PID:1464
- C:\Windows\System\MIgEANH.exe
  C:\Windows\System\MIgEANH.exe
  2⤵
  - Executes dropped EXE
  PID:1560
- C:\Windows\System\IkrRdcK.exe
  C:\Windows\System\IkrRdcK.exe
  2⤵
  - Executes dropped EXE
  PID:2852
- C:\Windows\System\kKcFFHw.exe
  C:\Windows\System\kKcFFHw.exe
  2⤵
  - Executes dropped EXE
  PID:1872
- C:\Windows\System\YgJysiJ.exe
  C:\Windows\System\YgJysiJ.exe
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Windows\System\ZVEPPzf.exe
  C:\Windows\System\ZVEPPzf.exe
  2⤵
  - Executes dropped EXE
  PID:1128
- C:\Windows\System\ayvyHgI.exe
  C:\Windows\System\ayvyHgI.exe
  2⤵
  - Executes dropped EXE
  PID:1444
- C:\Windows\System\rwcSUOF.exe
  C:\Windows\System\rwcSUOF.exe
  2⤵
  - Executes dropped EXE
  PID:5088
- C:\Windows\System\VYNCnic.exe
  C:\Windows\System\VYNCnic.exe
  2⤵
  - Executes dropped EXE
  PID:4520
- C:\Windows\System\rehhrXC.exe
  C:\Windows\System\rehhrXC.exe
  2⤵
  - Executes dropped EXE
  PID:1204
- C:\Windows\System\LJeelln.exe
  C:\Windows\System\LJeelln.exe
  2⤵
  - Executes dropped EXE
  PID:764
- C:\Windows\System\RAXENtv.exe
  C:\Windows\System\RAXENtv.exe
  2⤵
  - Executes dropped EXE
  PID:5016
- C:\Windows\System\aCQKQkB.exe
  C:\Windows\System\aCQKQkB.exe
  2⤵
  - Executes dropped EXE
  PID:4164
- C:\Windows\System\EcMDLyz.exe
  C:\Windows\System\EcMDLyz.exe
  2⤵
  - Executes dropped EXE
  PID:1888
- C:\Windows\System\OEAuSAd.exe
  C:\Windows\System\OEAuSAd.exe
  2⤵
  - Executes dropped EXE
  PID:1104

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\EcMDLyz.exe

Filesize
5.7MB

MD5
4761bd9144296974cfa9ac780533f911

SHA1
4e477cb6b1774a8590d85526effc9603bc4e0568

SHA256
72fa434cd927a8460a306bf6f58752291553ff24f4b5cde5a3a6d899049a836f

SHA512
d73f9cb681b630703d7c1bd238a7ccede458dd1719fb802dd62f1f6841374599265972207d6334ec995b63d1b311d3617a8c643aa8c8e53f2133662ced2c58ac

Download Submit
C:\Windows\System\GwWtxeJ.exe

Filesize
5.7MB

MD5
bd4fb209f5af27be40fc94ae72741262

SHA1
18e5a1d6c71f06b7a13e8733014fd4ef35f9b851

SHA256
e520d73f6e2135403e50a1a28e16c2049a7b4bf3dd8bab93bd69e0b23524c6be

SHA512
ce5a6fda6a2cef2846c0dde8f48eb4dec8114e11e8daa13ab9ae5eac7d8518a4edd49b17a10a6675ee5d21d2a9c7013623384823155e37dc867c5ca6ac880346

Download Submit
C:\Windows\System\IkrRdcK.exe

Filesize
5.7MB

MD5
520e6d9ad75cf51e050d307538725087

SHA1
358ba6ee03cfc37828a35ab9f451bb118d8a6b13

SHA256
1d8349076f02c29d513e800882d02be42eb1ef3c03ccdfa13ff10e3cb13b8b56

SHA512
9cc85e3e00f71376e8d5b136a4b2d198e3990c04e5e4d2b45adaf24244ae2e5f9ebbe2884cbc9766151d8347d87cee8e802333097a519e5a2a47386c4483b71b

Download Submit
C:\Windows\System\KMimJlb.exe

Filesize
5.7MB

MD5
087ba5c4b8a2b29be5482aab4a08c824

SHA1
2d7588f3fa2d97df42de325fa9f07db5ecc66a66

SHA256
7da7a838e128822cc327a1c4e455a4657d0383c7387a79a22be100de9eae4452

SHA512
128a535d1827378b809cd01f1862a7a0f8aa68c27446b863f56ada4a49b384a30c3be9eedb7873045d0254ddcbe85d6831a583fa11ed5c712a6c05fffeba4062

Download Submit
C:\Windows\System\LJeelln.exe

Filesize
5.7MB

MD5
0ab7d59d1941c6311886028096ccfe5d

SHA1
8cdecc5294ccc1aaab42fd0bd063a54e11aefa91

SHA256
a85631761cb66d33259e0f8322d6fd8240204a2b9ea2012c92e16e11814c8e87

SHA512
e23aa3b8fb83e489ba9623216853cf8052b2fb13a18b09d83e42f8946753d16953790142bbfbd41264b77849fbcae10453464d35160196fabb27bebabcaaea31

Download Submit
C:\Windows\System\MIgEANH.exe

Filesize
5.7MB

MD5
8e488975105beb20a21eab3370fc4790

SHA1
c05bae8a1385fa0529e39b52492cbbc645734e1e

SHA256
00f00d3dc393d64d6e550c4905c41ebf15f51a9bd1845ee2b4e1155249f9777f

SHA512
253865a80ecff926d9539b6d61c4bc13ae5f34df1aff3a4cf75d127fe768eafc54a5c7f699807de7360e95b5de7b8a6f709f158b0d3a5491286bd75ae2daadfc

Download Submit
C:\Windows\System\OEAuSAd.exe

Filesize
5.7MB

MD5
c0e89cfce1325b02010d6d8534d29ddf

SHA1
5d8d016b179ffa748c0a910021cb38c7a4b1ffcf

SHA256
c695e54ec8cee14f32e0a430ed4a7fa50af5949a5e299355afc6d8b378a4dd60

SHA512
9267ebd503cbcdaf25cba87781849fd7c78a747d8b2dfef1bff13edde50e189750a218c6803ebbf41be6c4fbffeb9779ccb4cbcf58cee14017ba90be806e0a69

Download Submit
C:\Windows\System\PAFABfn.exe

Filesize
5.7MB

MD5
03d88cf4969b55c5d918254b61c2d11b

SHA1
83776b55cdd9cb5ddfdebebeed3c23ec66731ba0

SHA256
e45a1b650da4781f83c1f33c190af6fb1362b4933db9f082c315cf9b83f138bb

SHA512
b9e1a8c8e0db93226b323f856df2d2569f88d734f0e3274cba97fe1f150f257f4ad71667070a19ae58f201a8a279757f2707514b7be027cf3e1d41e199015d87

Download Submit
C:\Windows\System\RAXENtv.exe

Filesize
5.7MB

MD5
f22f7f9a7ec960a3bf4a56bad9a86349

SHA1
bb330459d350b69a5d6f9eece12606734b9ddac6

SHA256
dc61dbc69a26a7eba46db89a7edcc84e5f38cf6b134b6cdb86b09a3c28b29e67

SHA512
19ae3c05e199cd3f532bc5b94ae73bb8c5db2ce74b0adaeea599ca534ddf5d77734d148f43a42ef11ba888a513a3c58b295287263fbb4e55177f6cf5f3116d93

Download Submit
C:\Windows\System\TkmtRWV.exe

Filesize
5.7MB

MD5
4511610931cef060122d7ffce438a6d6

SHA1
20debc2a45e01d3cf08a03189821c0bb91f08846

SHA256
4adb97b46532a1afb57eed6214e21283b2c3b225a6a525a2604ed73a1b90c6c7

SHA512
446009b60db78a223481e365ce7881a2f9dad8f8e9c6c45baad4cd95ac1565cd378f8a4034db7d3919ef8e3f5532d11d4f44bc46869c79d96dd376e540b8399e

Download Submit
C:\Windows\System\UgMCJmc.exe

Filesize
5.7MB

MD5
9badec6918f172e773d94ee3da0873fd

SHA1
2e4c6142e568a5f6dbe8776a15de0a9cf1ea48e3

SHA256
b6ae2810d088ff6a2f5394e0ec481b5233f58656296596f2ddd1ca19ffccd36d

SHA512
85f3657eb9a241202071b1ac416f6c8c3c33e7fbdf4c730bb007b8e018d197c2eb10d97cb93bf0bb496d26f8370e5106c6f0c2a38f711c09754018f4947d71c9

Download Submit
C:\Windows\System\VYNCnic.exe

Filesize
5.7MB

MD5
4eaf641bffb2cfafdbfb54938da99f05

SHA1
07fdbd5fd9f7c892867aa9e6b99ba2923cd11d0a

SHA256
f363b0f306c49a7c514d1d2954032a3055c1f3dcba3eebc2ab12d0673752a654

SHA512
1c36758c5ac0004cea5c910fea3ee26a6fc070e5d8a0479d6fc56597af9d812c0c0583c9187c41e61d7b546586851a76999e3a930607927441e0ba2c07c87e52

Download Submit
C:\Windows\System\XlrkPoA.exe

Filesize
5.7MB

MD5
2c6040eaab3e6640dab334b473294a2d

SHA1
7e6609b43fb56cc0b4dfc3ec163a34ced5fbf968

SHA256
931376bab52c6c6435170d387c89c20d44d0728948250ce5b73478bcd23d57ef

SHA512
a082c635c0426c916ebf01e34472171f7adb6283d0e52710e99c18da157b408f745b19ed5cbe22011deaeead7d561ac70f1d2cf67d203db6d1309d133fda0e74

Download Submit
C:\Windows\System\YgJysiJ.exe

Filesize
5.7MB

MD5
f18306fe151e53c7ae5fd2c6d0a53a0b

SHA1
7c64a1362745d16be5e4830bab2ca89d3f7c60c8

SHA256
4caaa26af7e7cf6b81bda2666b6cef7ce27d69e0e6e588f097734440a7996895

SHA512
c2fba9e725957ad205868806e474eb9f34a8435f5b7f2600fe6ff960fda0ce761f54ce64067f7763323eef4de6f1b68a4e0f4390d0733df64e877058edc27dae

Download Submit
C:\Windows\System\ZVEPPzf.exe

Filesize
5.7MB

MD5
a92da21391880386a222bc05f9465869

SHA1
7c25194db0f8238aa78acec9c4580432b64594e1

SHA256
03367d48d8417497f5906e09229c5dfa43646a04f015d324efe20f1ad11b4411

SHA512
afa8034c7f1049b4f738abaa1b74d48d8d09e46ea6361e1dec2a60d7c9a7bdff64f3c17367ce62744608fcc95e50fc3f43656b0cc88b00559e0dceddfae99c90

Download Submit
C:\Windows\System\aCQKQkB.exe

Filesize
5.7MB

MD5
7c248758c6ee8c319b4d95999ac9df48

SHA1
5a7d3d3c5e810fec32c6935a522db8e7d387cbfd

SHA256
9d7cf3a4e572b5f75442d3393e2709f537e65f3da048e195c15bbd8213966d16

SHA512
76739df5584788d80681ace66b1b4d3457202e60a9bd49df1582899358c5dcdab5e8293d73a53523d908457d7ce3b7562f1199493816ae0ea34dff2cafb453f5

Download Submit
C:\Windows\System\ayvyHgI.exe

Filesize
5.7MB

MD5
21e01b5e58dd57ad6863988f8685b067

SHA1
1eae650f193e8ab3b60cc21cfa972205f48c514b

SHA256
020d59b7475dfdf59fbd04bfaf7d1a441768981bd2a6aa32e4ae5e34e9442510

SHA512
5ac6659a7164c4ad8a54f56d2cab750172c7e10576778d5e226ad793878a43aa9ec0200934d5f35c30bfa954e8e2fb81e685a87d67aa613114bed5a91490b7d0

Download Submit
C:\Windows\System\kKcFFHw.exe

Filesize
5.7MB

MD5
e641d6e8bbc3803596316e64a165aa36

SHA1
86776dfc0f49bf815bd3b9448c50c458ff84b644

SHA256
51e2abfb8a76f3b14f10bd89a81841bc612dbcf82b2ee71fb650756a8e95bffb

SHA512
dc35f798572ba7ba5598c1ba8c8120523dd602588efbcc84bc1e2b90a00da58685f5d91318c6d7af33d662edb8994005b35925a631f97d4ffe7ea935911ef997

Download Submit
C:\Windows\System\rehhrXC.exe

Filesize
5.7MB

MD5
2969e45b114d05efe63fc981b0a322c6

SHA1
5dfe0673eac02b4b53960fd4112fa20fa4eaf73a

SHA256
aa3ebf2d7c95e207447a15420fd0be80fc991f47d4cf9ae43d4d7cf95271c0b5

SHA512
f1903f23c7763e37187a7a61013d4713f646f56c6b0a2f186f1eef9c3c8cbd3a03b8a0576551fd759888acbda10253aa68118d2d82f258983c3c63b1088bef7a

Download Submit
C:\Windows\System\rwcSUOF.exe

Filesize
5.7MB

MD5
7a34d289615afe44db81364d42c0e9bc

SHA1
6a3d320aec9de49586afd523370e7a1a3441315f

SHA256
a03b5fa2698a90fe92eef9b131417eedcaf76ee7e488a43b5100064fbdd2736f

SHA512
0d899bf189df41d5de356f73c9bd5744963c78d970a31f379882f90f4c3fd74a9a02aeaae0102f02ce255f9b2b95e8e18d0bd707638095efff1a13f03766eee0

Download Submit
C:\Windows\System\zJIivdD.exe

Filesize
5.7MB

MD5
210f4e7962fcfe2a86de435c4373edc4

SHA1
55aaa7a57d1bde8488551a4a9ccaee1ed177c5fa

SHA256
d87d6080235e81e32d36349fca383a2659b149bfae2ea37872a38194021cd1f6

SHA512
d94214e8a348c540a244df3778eb7f8e5ca97f1500854a7cb478eb2d00d9bdaf8375cd20cfb9d6cf0667cf5cf8c0472d0df9423d2ff8132ad8b3047a4d715711

Download Submit
memory/548-7-0x00007FF795700000-0x00007FF795A4D000-memory.dmp

Filesize
3.3MB

Download
memory/764-103-0x00007FF7D0D20000-0x00007FF7D106D000-memory.dmp

Filesize
3.3MB

Download
memory/1104-126-0x00007FF76BDB0000-0x00007FF76C0FD000-memory.dmp

Filesize
3.3MB

Download
memory/1128-73-0x00007FF6DD870000-0x00007FF6DDBBD000-memory.dmp

Filesize
3.3MB

Download
memory/1204-97-0x00007FF611D40000-0x00007FF61208D000-memory.dmp

Filesize
3.3MB

Download
memory/1364-22-0x00007FF68AB90000-0x00007FF68AEDD000-memory.dmp

Filesize
3.3MB

Download
memory/1444-79-0x00007FF743280000-0x00007FF7435CD000-memory.dmp

Filesize
3.3MB

Download
memory/1464-46-0x00007FF762510000-0x00007FF76285D000-memory.dmp

Filesize
3.3MB

Download
memory/1560-49-0x00007FF77A940000-0x00007FF77AC8D000-memory.dmp

Filesize
3.3MB

Download
memory/1872-63-0x00007FF74F080000-0x00007FF74F3CD000-memory.dmp

Filesize
3.3MB

Download
memory/1888-121-0x00007FF630920000-0x00007FF630C6D000-memory.dmp

Filesize
3.3MB

Download
memory/2364-34-0x00007FF611AF0000-0x00007FF611E3D000-memory.dmp

Filesize
3.3MB

Download
memory/2392-27-0x00007FF7C3BF0000-0x00007FF7C3F3D000-memory.dmp

Filesize
3.3MB

Download
memory/2416-70-0x00007FF711760000-0x00007FF711AAD000-memory.dmp

Filesize
3.3MB

Download
memory/2728-18-0x00007FF79E7A0000-0x00007FF79EAED000-memory.dmp

Filesize
3.3MB

Download
memory/2852-55-0x00007FF67B760000-0x00007FF67BAAD000-memory.dmp

Filesize
3.3MB

Download
memory/4164-115-0x00007FF74B720000-0x00007FF74BA6D000-memory.dmp

Filesize
3.3MB

Download
memory/4520-91-0x00007FF7CA090000-0x00007FF7CA3DD000-memory.dmp

Filesize
3.3MB

Download
memory/4560-1-0x0000014D8F9B0000-0x0000014D8F9C0000-memory.dmp

Filesize
64KB

Download
memory/4560-0-0x00007FF7DAFA0000-0x00007FF7DB2ED000-memory.dmp

Filesize
3.3MB

Download
memory/4756-42-0x00007FF701820000-0x00007FF701B6D000-memory.dmp

Filesize
3.3MB

Download
memory/5016-109-0x00007FF6438C0000-0x00007FF643C0D000-memory.dmp

Filesize
3.3MB

Download
memory/5088-85-0x00007FF698090000-0x00007FF6983DD000-memory.dmp

Filesize
3.3MB

Download