cobaltstrike | 875b9be175d67734b97ea6afd47831b2e69e260f45e7609093bb592458fa6480

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-01-2025 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.7MB
MD5

16e4ca4bdea10f8a6d0a5bc5d95a021e
SHA1

c449deea45d0628a9ba9fd5990631090855a21cb
SHA256

875b9be175d67734b97ea6afd47831b2e69e260f45e7609093bb592458fa6480
SHA512

61690056a40283b8df8da1cad12aaba88624e6c7428951244a6ff61b917d010b579137c02c5d2491eca4294e68f8af40acac448da2def28735d47cfbac6978d0
SSDEEP

98304:4emTLkNdfE0pZaJ56utgpPFotBER/mQ32lUX:j+R56utgpPF8u/7X

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000a000000023c6d-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd2-10.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023ccc-12.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023ccf-23.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd3-26.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd4-36.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd7-41.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd9-53.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd8-48.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cda-59.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cdd-65.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cde-68.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cdf-74.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce0-80.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce1-87.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce2-95.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce3-101.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce4-108.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce5-114.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce7-122.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce6-125.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 43 IoCs

miner

resource	yara_rule
behavioral2/memory/4976-0-0x00007FF7C3890000-0x00007FF7C3BDD000-memory.dmp	xmrig
behavioral2/files/0x000a000000023c6d-5.dat	xmrig
behavioral2/memory/2716-7-0x00007FF601A90000-0x00007FF601DDD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cd2-10.dat	xmrig
behavioral2/memory/3652-13-0x00007FF7FADF0000-0x00007FF7FB13D000-memory.dmp	xmrig
behavioral2/files/0x0009000000023ccc-12.dat	xmrig
behavioral2/memory/3700-19-0x00007FF631340000-0x00007FF63168D000-memory.dmp	xmrig
behavioral2/files/0x0009000000023ccf-23.dat	xmrig
behavioral2/memory/4940-28-0x00007FF7D6BF0000-0x00007FF7D6F3D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cd3-26.dat	xmrig
behavioral2/memory/4528-31-0x00007FF6F31D0000-0x00007FF6F351D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cd4-36.dat	xmrig
behavioral2/memory/2180-37-0x00007FF7D1260000-0x00007FF7D15AD000-memory.dmp	xmrig
behavioral2/memory/2612-43-0x00007FF7E2DD0000-0x00007FF7E311D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cd7-41.dat	xmrig
behavioral2/memory/1704-49-0x00007FF66B2A0000-0x00007FF66B5ED000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cd9-53.dat	xmrig
behavioral2/memory/1000-54-0x00007FF639F50000-0x00007FF63A29D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cd8-48.dat	xmrig
behavioral2/files/0x0007000000023cda-59.dat	xmrig
behavioral2/memory/3752-61-0x00007FF732910000-0x00007FF732C5D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cdd-65.dat	xmrig
behavioral2/files/0x0007000000023cde-68.dat	xmrig
behavioral2/memory/4812-70-0x00007FF766940000-0x00007FF766C8D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cdf-74.dat	xmrig
behavioral2/files/0x0007000000023ce0-80.dat	xmrig
behavioral2/files/0x0007000000023ce1-87.dat	xmrig
behavioral2/memory/1512-91-0x00007FF6B9A00000-0x00007FF6B9D4D000-memory.dmp	xmrig
behavioral2/memory/2280-85-0x00007FF64C870000-0x00007FF64CBBD000-memory.dmp	xmrig
behavioral2/memory/5100-82-0x00007FF64D460000-0x00007FF64D7AD000-memory.dmp	xmrig
behavioral2/memory/416-78-0x00007FF742F50000-0x00007FF74329D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023ce2-95.dat	xmrig
behavioral2/memory/5016-97-0x00007FF6EA250000-0x00007FF6EA59D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023ce3-101.dat	xmrig
behavioral2/files/0x0007000000023ce4-108.dat	xmrig
behavioral2/files/0x0007000000023ce5-114.dat	xmrig
behavioral2/memory/4824-117-0x00007FF729DE0000-0x00007FF72A12D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023ce7-122.dat	xmrig
behavioral2/files/0x0007000000023ce6-125.dat	xmrig
behavioral2/memory/1008-126-0x00007FF6424E0000-0x00007FF64282D000-memory.dmp	xmrig
behavioral2/memory/1088-123-0x00007FF7A6A50000-0x00007FF7A6D9D000-memory.dmp	xmrig
behavioral2/memory/1420-109-0x00007FF62B520000-0x00007FF62B86D000-memory.dmp	xmrig
behavioral2/memory/1412-103-0x00007FF6E1070000-0x00007FF6E13BD000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2716	cSgAkIk.exe
3652	GmmHQxJ.exe
3700	GKZNLGR.exe
4940	Pdwglft.exe
4528	dtjIEoS.exe
2180	yfXofcH.exe
2612	urHnEQA.exe
1704	BeMrDQc.exe
1000	TeGWQPz.exe
3752	lVPPfoK.exe
4812	rMKDTQh.exe
416	ZXqscJg.exe
2280	yfICxCY.exe
5100	mxktBDt.exe
1512	IYKqECI.exe
5016	gzvnXWn.exe
1412	tArieEc.exe
1420	SbCkpTY.exe
4824	ybVXbFl.exe
1088	xqxBqDC.exe
1008	HDdAWYR.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\gzvnXWn.exe	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tArieEc.exe	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GmmHQxJ.exe	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GKZNLGR.exe	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\urHnEQA.exe	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TeGWQPz.exe	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lVPPfoK.exe	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rMKDTQh.exe	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Pdwglft.exe	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BeMrDQc.exe	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HDdAWYR.exe	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZXqscJg.exe	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yfICxCY.exe	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mxktBDt.exe	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SbCkpTY.exe	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xqxBqDC.exe	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cSgAkIk.exe	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dtjIEoS.exe	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yfXofcH.exe	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IYKqECI.exe	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ybVXbFl.exe	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4976	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4976	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4976 wrote to memory of 2716	4976	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4976 wrote to memory of 2716	4976	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4976 wrote to memory of 3652	4976	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4976 wrote to memory of 3652	4976	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4976 wrote to memory of 3700	4976	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4976 wrote to memory of 3700	4976	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4976 wrote to memory of 4940	4976	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4976 wrote to memory of 4940	4976	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4976 wrote to memory of 4528	4976	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4976 wrote to memory of 4528	4976	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4976 wrote to memory of 2180	4976	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4976 wrote to memory of 2180	4976	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4976 wrote to memory of 2612	4976	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4976 wrote to memory of 2612	4976	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4976 wrote to memory of 1704	4976	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4976 wrote to memory of 1704	4976	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4976 wrote to memory of 1000	4976	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4976 wrote to memory of 1000	4976	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4976 wrote to memory of 3752	4976	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4976 wrote to memory of 3752	4976	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4976 wrote to memory of 4812	4976	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4976 wrote to memory of 4812	4976	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4976 wrote to memory of 416	4976	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4976 wrote to memory of 416	4976	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4976 wrote to memory of 2280	4976	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4976 wrote to memory of 2280	4976	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4976 wrote to memory of 5100	4976	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4976 wrote to memory of 5100	4976	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4976 wrote to memory of 1512	4976	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4976 wrote to memory of 1512	4976	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4976 wrote to memory of 5016	4976	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4976 wrote to memory of 5016	4976	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4976 wrote to memory of 1412	4976	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4976 wrote to memory of 1412	4976	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4976 wrote to memory of 1420	4976	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4976 wrote to memory of 1420	4976	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4976 wrote to memory of 4824	4976	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4976 wrote to memory of 4824	4976	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4976 wrote to memory of 1008	4976	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4976 wrote to memory of 1008	4976	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4976 wrote to memory of 1088	4976	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 4976 wrote to memory of 1088	4976	2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe	106

C:\Users\Admin\AppData\Local\Temp\2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-21_16e4ca4bdea10f8a6d0a5bc5d95a021e_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4976
- C:\Windows\System\cSgAkIk.exe
  C:\Windows\System\cSgAkIk.exe
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\System\GmmHQxJ.exe
  C:\Windows\System\GmmHQxJ.exe
  2⤵
  - Executes dropped EXE
  PID:3652
- C:\Windows\System\GKZNLGR.exe
  C:\Windows\System\GKZNLGR.exe
  2⤵
  - Executes dropped EXE
  PID:3700
- C:\Windows\System\Pdwglft.exe
  C:\Windows\System\Pdwglft.exe
  2⤵
  - Executes dropped EXE
  PID:4940
- C:\Windows\System\dtjIEoS.exe
  C:\Windows\System\dtjIEoS.exe
  2⤵
  - Executes dropped EXE
  PID:4528
- C:\Windows\System\yfXofcH.exe
  C:\Windows\System\yfXofcH.exe
  2⤵
  - Executes dropped EXE
  PID:2180
- C:\Windows\System\urHnEQA.exe
  C:\Windows\System\urHnEQA.exe
  2⤵
  - Executes dropped EXE
  PID:2612
- C:\Windows\System\BeMrDQc.exe
  C:\Windows\System\BeMrDQc.exe
  2⤵
  - Executes dropped EXE
  PID:1704
- C:\Windows\System\TeGWQPz.exe
  C:\Windows\System\TeGWQPz.exe
  2⤵
  - Executes dropped EXE
  PID:1000
- C:\Windows\System\lVPPfoK.exe
  C:\Windows\System\lVPPfoK.exe
  2⤵
  - Executes dropped EXE
  PID:3752
- C:\Windows\System\rMKDTQh.exe
  C:\Windows\System\rMKDTQh.exe
  2⤵
  - Executes dropped EXE
  PID:4812
- C:\Windows\System\ZXqscJg.exe
  C:\Windows\System\ZXqscJg.exe
  2⤵
  - Executes dropped EXE
  PID:416
- C:\Windows\System\yfICxCY.exe
  C:\Windows\System\yfICxCY.exe
  2⤵
  - Executes dropped EXE
  PID:2280
- C:\Windows\System\mxktBDt.exe
  C:\Windows\System\mxktBDt.exe
  2⤵
  - Executes dropped EXE
  PID:5100
- C:\Windows\System\IYKqECI.exe
  C:\Windows\System\IYKqECI.exe
  2⤵
  - Executes dropped EXE
  PID:1512
- C:\Windows\System\gzvnXWn.exe
  C:\Windows\System\gzvnXWn.exe
  2⤵
  - Executes dropped EXE
  PID:5016
- C:\Windows\System\tArieEc.exe
  C:\Windows\System\tArieEc.exe
  2⤵
  - Executes dropped EXE
  PID:1412
- C:\Windows\System\SbCkpTY.exe
  C:\Windows\System\SbCkpTY.exe
  2⤵
  - Executes dropped EXE
  PID:1420
- C:\Windows\System\ybVXbFl.exe
  C:\Windows\System\ybVXbFl.exe
  2⤵
  - Executes dropped EXE
  PID:4824
- C:\Windows\System\HDdAWYR.exe
  C:\Windows\System\HDdAWYR.exe
  2⤵
  - Executes dropped EXE
  PID:1008
- C:\Windows\System\xqxBqDC.exe
  C:\Windows\System\xqxBqDC.exe
  2⤵
  - Executes dropped EXE
  PID:1088

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BeMrDQc.exe

Filesize
5.7MB

MD5
ffada29d76bbe2e0a92b2c63fd02ffb1

SHA1
008f2698024246499436094f038140d3ac970c78

SHA256
acef0b9e07154bf7e9f213be9ee7bba1e8893eef26a9d0bf99aba387b48b19b2

SHA512
bac1da90c3bdab37ad2ef0b73a6bb5487b145d024da381ed099aa1e0379b9e8b2fb9b781795269c1fcfd22b90b56ea859ea17d97e9d54f27657007437817b2f2

Download Submit
C:\Windows\System\GKZNLGR.exe

Filesize
5.7MB

MD5
f43dd0d49b12a5a31b20df3778be2e20

SHA1
c64e180beccaf8bb89353530ec3dcb368c9f2d4f

SHA256
092edb6ecc7b090ce228a6cf2f45512fa67d104a09894511540ad252d0ec2ba5

SHA512
64a8374c06fc136c1d2890b18fa6b000d560be8e365e2dc11ae089505f593393a60538f6dc71af1727dbb25f2fc5666939dde18dd3bd69a305d4952fe6ae737d

Download Submit
C:\Windows\System\GmmHQxJ.exe

Filesize
5.7MB

MD5
1ee0d4f2d42217b21935302d40fb5a12

SHA1
422bc5efd39fb9ade619721e8d39b18daf1f4aa9

SHA256
da386f0183a7b1f20e8e630efb89940780dc3270a5ca1e235a49540ece6947c2

SHA512
b119b60cdb64ce8fefb8ab7ffcd9a41fe4d38402ddc3675b03dc7fae621a850ef9a87db715e6f55e50e23aa93e6709b9f6577bf0bd180e8e08298dafeb884712

Download Submit
C:\Windows\System\HDdAWYR.exe

Filesize
5.7MB

MD5
f8b7c8fd4fccd8c5995dbc47a8d371cf

SHA1
ba2484f7512c923d1c7c2eb084c1dbf824791630

SHA256
de3d78571ede89e8ec9ad3e766e21af333d7a2cec968829956b732174f6ccbcd

SHA512
3d34671e5b6899504cca864b05d9dff9578b3de5cace31d5b9485005fb645a3869aebb32744989b58f30ecd2b488e8486fa47698642f9719856fadc8f7d9422d

Download Submit
C:\Windows\System\IYKqECI.exe

Filesize
5.7MB

MD5
b07931be0062400d28bd07264b97eada

SHA1
de74da6a7c5356fa4474972a481bef9f61040ec3

SHA256
e402d51c9c957eab8cf872614330423f65de185b007f6bd3a39f6efc8f143716

SHA512
036bc5c7720ca706680e9f14f2675bd4b700470649fbeb2ab9a6f429cbdb43000168d9c28b582b4e8c4152cb84a09bcba1b35cbee529f69ed78248bdb15f12f7

Download Submit
C:\Windows\System\Pdwglft.exe

Filesize
5.7MB

MD5
784891a5c37d93389ac89c7705dfec43

SHA1
2416683195cc6c9911590004b9d690e72f2eafea

SHA256
8f31f6563e1b2a2b9fc239fc96160c96c2f316883f5e10a811c9b431b6664fd2

SHA512
605e7efd3c7ccf3a8035ecdd71444f2f2e5a394307d8f9ef38a96ae52a88c8171b2a2fc1f9cf0b7e691abc0ca3d9dedce46f1ca2ef1d7d589d619d1b764cc8cf

Download Submit
C:\Windows\System\SbCkpTY.exe

Filesize
5.7MB

MD5
f90d939b1c9378b1d51bb64d64db1711

SHA1
f47f1c4867e1111f1bd44e54e83097d9adad9375

SHA256
5c122d7ae2be2edb4cdc630254c23e4e3753023e5c4d1f139d24cf4766fe40ba

SHA512
54cff9c7aef8c87291d20af4348780f8f11404eb5c95150609ba92296bc5f64ea3b1effe7c3a2b050fed24a589996258a65da80f13f8b5cb8e365a7d0f3492f0

Download Submit
C:\Windows\System\TeGWQPz.exe

Filesize
5.7MB

MD5
6cf4d71cc747fdc02c47922e330fc0d5

SHA1
b07f2faa7815b450b7fbb5e7bdaf85d1a449af32

SHA256
c1ebda708b5a03e1f4a1d7ddba2bd3b83016485d7a7ab468f8f1641ab30bb503

SHA512
aeb2e7995baba75540a2f28d872c77a3d3283cf10cfb1c74b7dc39b6fb0820e7d3ed01b0e6d5b8dcb4ac4da49625077b97ac3940419a0190d928fbf3721b4647

Download Submit
C:\Windows\System\ZXqscJg.exe

Filesize
5.7MB

MD5
0a4d99fdbe62db6ddbf4ca47a6d7d2d7

SHA1
ff55336e160c4abccf49af9891887c59b9a25128

SHA256
034b3d0878f5248d9dc6f489bcf228a082b41151f641660489315c8ce5ec3366

SHA512
2d774d893ba19d0df7af120b8aaad6c3002947f61c0f570d9fed8c925e48b74f5266eac0a37777af60acc0b82a3f3734d51fc55853ea0c8030805c970a15c5c9

Download Submit
C:\Windows\System\cSgAkIk.exe

Filesize
5.7MB

MD5
7a989a10365e503f4fa1d8f4bc26f21b

SHA1
2a50f0bd70fdc45a9da898695fc165c5ba1c802d

SHA256
5b6afcd6a8a57cff5e5435dcf685a858b7e6f061cac7f143030b312369214394

SHA512
772411431e81770f6db74bb6f3344a9ef0583f0cc9ac23f843d70f97b9c7272a971530b0156ffd0f7ef815b711a0ff118b0c3200220b091bd14ae88d836613b6

Download Submit
C:\Windows\System\dtjIEoS.exe

Filesize
5.7MB

MD5
4312361e3e49ed334234b4b01d73ddc6

SHA1
cbf8fb90053b10c108ebbb5216ae83be6de04c97

SHA256
01e7ece3c7db0aa2e01601fe66f696fa75444ede0e5f61967e0e07aecbb25a3e

SHA512
8b46c9f1613ae4e8bacb5e71c9c63fc275fb40fcd0e87b31e85579eb3b7eceb687c6fc4159b18d92b26f89c5f8b217d209f9b221256784f31e9026b5fcf1daca

Download Submit
C:\Windows\System\gzvnXWn.exe

Filesize
5.7MB

MD5
154c72c386acc9dab76eab72bf77759b

SHA1
f866ca482acd531f4a5721dbbf2fb93e5e460aeb

SHA256
e0f8d2e82d03f8c8c42673396a02d4912fe9320cfa5d456dba501bd8a4e86736

SHA512
d22ff5a39e160ebd8aa6d706633cdcd42ff87b7b0917a844bef631e1b2eea39dd4d9c627b6a6e7a5163ab3fba4433a37f77666e913f9a14d7b9af8ac9a3d6aa1

Download Submit
C:\Windows\System\lVPPfoK.exe

Filesize
5.7MB

MD5
39a539ea6bb83352e997322f0f5a9c63

SHA1
6eb58bd846a058dd1c5899e284abedea974e025a

SHA256
cb71373db883f7e478b892a521f74ee436a36d02c126243df8d26a4ca762efab

SHA512
6aa4a5acf2979aa361178eaee93890fbdc25c893c185e5055caa29073fb6c64a809141f80a425b2789e066d0438611dd4e0455dc19266d1cefb604de2aef00ed

Download Submit
C:\Windows\System\mxktBDt.exe

Filesize
5.7MB

MD5
ebeba5ca05291781aafdf8df2f057b13

SHA1
247a2a71d46a70abb05f7fa60df5b6d0fb095409

SHA256
b896d889487e227e5eab6b4434b4d4fcc9e746e35169fbe5fa9a293439d8b5e3

SHA512
13c0e674d4d7ed40b4563b10eb9f9e4b51c41232aba0cbb0adce75e8e9f421c9958460d694ce05b1b5241f29a8ffbc7773bae6b96d5d5181cca1f30cbffa0387

Download Submit
C:\Windows\System\rMKDTQh.exe

Filesize
5.7MB

MD5
745303f26c0c62675abd01506bf3b951

SHA1
e97a2f3e5f31c6efffc4cdcac9ed44cd24ced0ca

SHA256
442d5c7838a9d5fcb52527a1df7f548dc70693824bcb10f4ca0e661aec7ae8f9

SHA512
55832f0d8d9e5c9922d0d29a70e77714b0d66fc2c70328a297226197d585734787aecc8629f3b3f0efde1220e1ee503c1e139a7a948ab33c3870fd9e7fcc15f4

Download Submit
C:\Windows\System\tArieEc.exe

Filesize
5.7MB

MD5
605cfbfbbd0c9d9ad0318944a460d83a

SHA1
2cba07acd4a6dd634bfe4c9a2e43f48b96cf8ac1

SHA256
0e987a6f3b1ef1cadc7598d330bdd46b28af44a77f2e11364f5bb35de446bd4d

SHA512
7c684664585d0d32dc027576e5edaf26b0dd3755aa234ab470b25d6be8c04f3e04f2d716f2dcc2f46dd79d93e344149308d1396d2002019881590ae318893658

Download Submit
C:\Windows\System\urHnEQA.exe

Filesize
5.7MB

MD5
3976294892542798f86fd6ab134be43f

SHA1
acb767b306b9d1c8dbeb3d678ec1b6916c8412e7

SHA256
ed3e97a33497e8a64c43c36b0a5d215b38962f6f26a5717c94d30c33b9cf59d8

SHA512
4dc054e5938a12e69fdfa994890862ce57c225b5748e685672249c466948f66a91efb5d5b402ecf83fc4a560c3ce7d5d371ae8050558f1dab3dd29c0090cb8cb

Download Submit
C:\Windows\System\xqxBqDC.exe

Filesize
5.7MB

MD5
2efd95e958f7d8912d546a182c18b7c6

SHA1
08b6932664bfe3b69ae9b808d28ceff332f5fc5d

SHA256
3c3141b26df6bea942e7e32333fdfb4ec366ce7bc14414dbee7f7a8e2f14fdf2

SHA512
dbc8bfe80e22ccfa01f1620581f613786f3c33eb129fd07a24c656adfe3d47cdd4ad0d7ca417ceeca86f20616e6fedf8fa4745439113d69656dff5e9935a67f4

Download Submit
C:\Windows\System\ybVXbFl.exe

Filesize
5.7MB

MD5
36bc47e2b5b7024c74a3801826ad69e1

SHA1
7381fc42345042b3d720a97f027f160d0d313777

SHA256
257ee4805989c14f8a122d8404d7f2c47e75627401bce767caaf2dca47cd97d6

SHA512
584ccbcece1bf4c785db200eaf0b381f44c13ef76fa41f2ad9a9d325bd3ee9aad79900b0e500b5943302907fc2db24480eaa9cffcbaf4ffd30e3442e88dd41fd

Download Submit
C:\Windows\System\yfICxCY.exe

Filesize
5.7MB

MD5
3652bd7ac68384aa6d42cb6042ed1c4b

SHA1
f1bfa2c0773a7d47fc0bc159f5f24392ec8fdfd3

SHA256
8b0adf8fe49335ceb3a6d34f0bb32750036ef4c202515aa5b9e2b20071691ea9

SHA512
2305622cb8f02e7f80443be4cf9f065215a10ca47c68a4c47116bc4537f9815927bfbc64e1899f9211fe5891010c08f088bbc84902936cea982494369ab0be08

Download Submit
C:\Windows\System\yfXofcH.exe

Filesize
5.7MB

MD5
3a447a18e44855f6795012bad5e00b1a

SHA1
63082248588b6807f89ed99fd7d9197521836491

SHA256
4ac565587c0a1eee1cfb53b55edd40e52f95501580349b371eb0050124d89d5a

SHA512
a02b2e070c77d6c7e94042c3faf50b4cd879a874e3d9266da649eebe4d40a195997df34f20868d39a7e238c2b9faf193470d60cb61ee8fd30fcfd1985f30f305

Download Submit
memory/416-78-0x00007FF742F50000-0x00007FF74329D000-memory.dmp

Filesize
3.3MB

Download
memory/1000-54-0x00007FF639F50000-0x00007FF63A29D000-memory.dmp

Filesize
3.3MB

Download
memory/1008-126-0x00007FF6424E0000-0x00007FF64282D000-memory.dmp

Filesize
3.3MB

Download
memory/1088-123-0x00007FF7A6A50000-0x00007FF7A6D9D000-memory.dmp

Filesize
3.3MB

Download
memory/1412-103-0x00007FF6E1070000-0x00007FF6E13BD000-memory.dmp

Filesize
3.3MB

Download
memory/1420-109-0x00007FF62B520000-0x00007FF62B86D000-memory.dmp

Filesize
3.3MB

Download
memory/1512-91-0x00007FF6B9A00000-0x00007FF6B9D4D000-memory.dmp

Filesize
3.3MB

Download
memory/1704-49-0x00007FF66B2A0000-0x00007FF66B5ED000-memory.dmp

Filesize
3.3MB

Download
memory/2180-37-0x00007FF7D1260000-0x00007FF7D15AD000-memory.dmp

Filesize
3.3MB

Download
memory/2280-85-0x00007FF64C870000-0x00007FF64CBBD000-memory.dmp

Filesize
3.3MB

Download
memory/2612-43-0x00007FF7E2DD0000-0x00007FF7E311D000-memory.dmp

Filesize
3.3MB

Download
memory/2716-7-0x00007FF601A90000-0x00007FF601DDD000-memory.dmp

Filesize
3.3MB

Download
memory/3652-13-0x00007FF7FADF0000-0x00007FF7FB13D000-memory.dmp

Filesize
3.3MB

Download
memory/3700-19-0x00007FF631340000-0x00007FF63168D000-memory.dmp

Filesize
3.3MB

Download
memory/3752-61-0x00007FF732910000-0x00007FF732C5D000-memory.dmp

Filesize
3.3MB

Download
memory/4528-31-0x00007FF6F31D0000-0x00007FF6F351D000-memory.dmp

Filesize
3.3MB

Download
memory/4812-70-0x00007FF766940000-0x00007FF766C8D000-memory.dmp

Filesize
3.3MB

Download
memory/4824-117-0x00007FF729DE0000-0x00007FF72A12D000-memory.dmp

Filesize
3.3MB

Download
memory/4940-28-0x00007FF7D6BF0000-0x00007FF7D6F3D000-memory.dmp

Filesize
3.3MB

Download
memory/4976-0-0x00007FF7C3890000-0x00007FF7C3BDD000-memory.dmp

Filesize
3.3MB

Download
memory/4976-1-0x0000026449BA0000-0x0000026449BB0000-memory.dmp

Filesize
64KB

Download
memory/5016-97-0x00007FF6EA250000-0x00007FF6EA59D000-memory.dmp

Filesize
3.3MB

Download
memory/5100-82-0x00007FF64D460000-0x00007FF64D7AD000-memory.dmp

Filesize
3.3MB

Download