cobaltstrike | cb264637c159a6fc70326b33534bfc3904f0e7514a69df3cf168077f9e511a63

Analysis

max time kernel
134s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-01-2025 20:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.7MB
MD5

6665dd42efee70f1416052368753ff3b
SHA1

85988efd48668e9434128cb98a5d79c6e32a103b
SHA256

cb264637c159a6fc70326b33534bfc3904f0e7514a69df3cf168077f9e511a63
SHA512

b2e88566aa01e5230004dfaf3fd7708465bd8be580658fffc4a22d20bdaf68fcb55f802e844a41fc9e8171a14cbf62989b2f59ec66410c831536d235ed84eb6f
SSDEEP

98304:4emTLkNdfE0pZaJ56utgpPFotBER/mQ32lUH:j+R56utgpPF8u/7H

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000d000000015ceb-3.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015da1-10.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015f4c-11.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015fba-23.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001878d-43.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000186c8-42.dat	cobalt_reflective_dll
behavioral1/files/0x000a000000016136-34.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016033-29.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000190c6-53.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000191f3-67.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000190c9-63.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000015d68-59.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019217-84.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000191fd-75.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019220-87.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019278-114.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019263-120.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019280-117.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019240-100.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019238-98.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001925d-107.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 43 IoCs

miner

resource	yara_rule
behavioral1/memory/2364-0-0x000000013F1C0000-0x000000013F50D000-memory.dmp	xmrig
behavioral1/files/0x000d000000015ceb-3.dat	xmrig
behavioral1/memory/492-7-0x000000013FC20000-0x000000013FF6D000-memory.dmp	xmrig
behavioral1/memory/2480-13-0x000000013F5D0000-0x000000013F91D000-memory.dmp	xmrig
behavioral1/files/0x0008000000015da1-10.dat	xmrig
behavioral1/files/0x0007000000015f4c-11.dat	xmrig
behavioral1/memory/1872-19-0x000000013F820000-0x000000013FB6D000-memory.dmp	xmrig
behavioral1/files/0x0007000000015fba-23.dat	xmrig
behavioral1/memory/2256-25-0x000000013F160000-0x000000013F4AD000-memory.dmp	xmrig
behavioral1/files/0x000500000001878d-43.dat	xmrig
behavioral1/memory/2972-36-0x000000013F4F0000-0x000000013F83D000-memory.dmp	xmrig
behavioral1/memory/2288-47-0x000000013F8D0000-0x000000013FC1D000-memory.dmp	xmrig
behavioral1/files/0x00060000000186c8-42.dat	xmrig
behavioral1/memory/2888-31-0x000000013FF50000-0x000000014029D000-memory.dmp	xmrig
behavioral1/files/0x000a000000016136-34.dat	xmrig
behavioral1/files/0x0007000000016033-29.dat	xmrig
behavioral1/memory/2980-54-0x000000013FEB0000-0x00000001401FD000-memory.dmp	xmrig
behavioral1/files/0x00060000000190c6-53.dat	xmrig
behavioral1/memory/2748-49-0x000000013FD20000-0x000000014006D000-memory.dmp	xmrig
behavioral1/memory/2616-61-0x000000013FD00000-0x000000014004D000-memory.dmp	xmrig
behavioral1/files/0x00050000000191f3-67.dat	xmrig
behavioral1/files/0x00060000000190c9-63.dat	xmrig
behavioral1/memory/2700-68-0x000000013F430000-0x000000013F77D000-memory.dmp	xmrig
behavioral1/files/0x0009000000015d68-59.dat	xmrig
behavioral1/memory/1128-85-0x000000013F680000-0x000000013F9CD000-memory.dmp	xmrig
behavioral1/files/0x0005000000019217-84.dat	xmrig
behavioral1/memory/2332-77-0x000000013F120000-0x000000013F46D000-memory.dmp	xmrig
behavioral1/files/0x00050000000191fd-75.dat	xmrig
behavioral1/files/0x0005000000019220-87.dat	xmrig
behavioral1/memory/2940-108-0x000000013F240000-0x000000013F58D000-memory.dmp	xmrig
behavioral1/files/0x0005000000019278-114.dat	xmrig
behavioral1/files/0x0005000000019263-120.dat	xmrig
behavioral1/memory/2816-123-0x000000013FB00000-0x000000013FE4D000-memory.dmp	xmrig
behavioral1/files/0x0005000000019280-117.dat	xmrig
behavioral1/memory/2944-121-0x000000013F180000-0x000000013F4CD000-memory.dmp	xmrig
behavioral1/memory/2968-101-0x000000013FE80000-0x00000001401CD000-memory.dmp	xmrig
behavioral1/files/0x0005000000019240-100.dat	xmrig
behavioral1/files/0x0005000000019238-98.dat	xmrig
behavioral1/memory/1296-97-0x000000013F6D0000-0x000000013FA1D000-memory.dmp	xmrig
behavioral1/files/0x000500000001925d-107.dat	xmrig
behavioral1/memory/3016-106-0x000000013F7F0000-0x000000013FB3D000-memory.dmp	xmrig
behavioral1/memory/1720-78-0x000000013F4E0000-0x000000013F82D000-memory.dmp	xmrig
behavioral1/memory/3056-126-0x000000013F580000-0x000000013F8CD000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
492	gAtmdlB.exe
2480	zcwgXrB.exe
1872	ziSIFJn.exe
2256	zjJkLwv.exe
2888	LFtMLTz.exe
2972	nQOgwkJ.exe
2748	pjgyRke.exe
2288	DJIWrdJ.exe
2980	nVbDKDx.exe
2616	WyKXMGm.exe
2700	IucOFDy.exe
2332	EkWkidD.exe
1720	lzcIrqb.exe
1128	rolASZf.exe
1296	uXMpBMN.exe
3016	mYmJcrW.exe
2968	MqncdnI.exe
2940	CUPaLSZ.exe
2944	vCirlkG.exe
2816	isJIoia.exe
3056	pCOvmXT.exe

Loads dropped DLL 21 IoCs

pid	Process
2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe
2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe
2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe
2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe
2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe
2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe
2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe
2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe
2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe
2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe
2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe
2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe
2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe
2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe
2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe
2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe
2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe
2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe
2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe
2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe
2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\gAtmdlB.exe	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ziSIFJn.exe	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WyKXMGm.exe	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\isJIoia.exe	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zcwgXrB.exe	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zjJkLwv.exe	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EkWkidD.exe	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rolASZf.exe	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uXMpBMN.exe	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nVbDKDx.exe	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mYmJcrW.exe	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pCOvmXT.exe	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LFtMLTz.exe	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nQOgwkJ.exe	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pjgyRke.exe	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DJIWrdJ.exe	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IucOFDy.exe	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lzcIrqb.exe	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MqncdnI.exe	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CUPaLSZ.exe	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vCirlkG.exe	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 492	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2364 wrote to memory of 492	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2364 wrote to memory of 492	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2364 wrote to memory of 2480	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2364 wrote to memory of 2480	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2364 wrote to memory of 2480	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2364 wrote to memory of 1872	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2364 wrote to memory of 1872	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2364 wrote to memory of 1872	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2364 wrote to memory of 2256	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2364 wrote to memory of 2256	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2364 wrote to memory of 2256	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2364 wrote to memory of 2888	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2364 wrote to memory of 2888	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2364 wrote to memory of 2888	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2364 wrote to memory of 2972	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2364 wrote to memory of 2972	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2364 wrote to memory of 2972	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2364 wrote to memory of 2748	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2364 wrote to memory of 2748	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2364 wrote to memory of 2748	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2364 wrote to memory of 2288	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2364 wrote to memory of 2288	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2364 wrote to memory of 2288	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2364 wrote to memory of 2980	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2364 wrote to memory of 2980	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2364 wrote to memory of 2980	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2364 wrote to memory of 2616	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2364 wrote to memory of 2616	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2364 wrote to memory of 2616	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2364 wrote to memory of 2700	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2364 wrote to memory of 2700	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2364 wrote to memory of 2700	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2364 wrote to memory of 2332	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2364 wrote to memory of 2332	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2364 wrote to memory of 2332	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2364 wrote to memory of 1720	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2364 wrote to memory of 1720	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2364 wrote to memory of 1720	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2364 wrote to memory of 1128	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2364 wrote to memory of 1128	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2364 wrote to memory of 1128	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2364 wrote to memory of 1296	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2364 wrote to memory of 1296	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2364 wrote to memory of 1296	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2364 wrote to memory of 3016	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2364 wrote to memory of 3016	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2364 wrote to memory of 3016	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2364 wrote to memory of 2968	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2364 wrote to memory of 2968	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2364 wrote to memory of 2968	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2364 wrote to memory of 2940	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2364 wrote to memory of 2940	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2364 wrote to memory of 2940	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2364 wrote to memory of 2816	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2364 wrote to memory of 2816	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2364 wrote to memory of 2816	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2364 wrote to memory of 2944	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2364 wrote to memory of 2944	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2364 wrote to memory of 2944	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2364 wrote to memory of 3056	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	52
PID 2364 wrote to memory of 3056	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	52
PID 2364 wrote to memory of 3056	2364	2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe	52

C:\Users\Admin\AppData\Local\Temp\2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-21_6665dd42efee70f1416052368753ff3b_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\System\gAtmdlB.exe
  C:\Windows\System\gAtmdlB.exe
  2⤵
  - Executes dropped EXE
  PID:492
- C:\Windows\System\zcwgXrB.exe
  C:\Windows\System\zcwgXrB.exe
  2⤵
  - Executes dropped EXE
  PID:2480
- C:\Windows\System\ziSIFJn.exe
  C:\Windows\System\ziSIFJn.exe
  2⤵
  - Executes dropped EXE
  PID:1872
- C:\Windows\System\zjJkLwv.exe
  C:\Windows\System\zjJkLwv.exe
  2⤵
  - Executes dropped EXE
  PID:2256
- C:\Windows\System\LFtMLTz.exe
  C:\Windows\System\LFtMLTz.exe
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\System\nQOgwkJ.exe
  C:\Windows\System\nQOgwkJ.exe
  2⤵
  - Executes dropped EXE
  PID:2972
- C:\Windows\System\pjgyRke.exe
  C:\Windows\System\pjgyRke.exe
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Windows\System\DJIWrdJ.exe
  C:\Windows\System\DJIWrdJ.exe
  2⤵
  - Executes dropped EXE
  PID:2288
- C:\Windows\System\nVbDKDx.exe
  C:\Windows\System\nVbDKDx.exe
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Windows\System\WyKXMGm.exe
  C:\Windows\System\WyKXMGm.exe
  2⤵
  - Executes dropped EXE
  PID:2616
- C:\Windows\System\IucOFDy.exe
  C:\Windows\System\IucOFDy.exe
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Windows\System\EkWkidD.exe
  C:\Windows\System\EkWkidD.exe
  2⤵
  - Executes dropped EXE
  PID:2332
- C:\Windows\System\lzcIrqb.exe
  C:\Windows\System\lzcIrqb.exe
  2⤵
  - Executes dropped EXE
  PID:1720
- C:\Windows\System\rolASZf.exe
  C:\Windows\System\rolASZf.exe
  2⤵
  - Executes dropped EXE
  PID:1128
- C:\Windows\System\uXMpBMN.exe
  C:\Windows\System\uXMpBMN.exe
  2⤵
  - Executes dropped EXE
  PID:1296
- C:\Windows\System\mYmJcrW.exe
  C:\Windows\System\mYmJcrW.exe
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Windows\System\MqncdnI.exe
  C:\Windows\System\MqncdnI.exe
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\System\CUPaLSZ.exe
  C:\Windows\System\CUPaLSZ.exe
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\System\isJIoia.exe
  C:\Windows\System\isJIoia.exe
  2⤵
  - Executes dropped EXE
  PID:2816
- C:\Windows\System\vCirlkG.exe
  C:\Windows\System\vCirlkG.exe
  2⤵
  - Executes dropped EXE
  PID:2944
- C:\Windows\System\pCOvmXT.exe
  C:\Windows\System\pCOvmXT.exe
  2⤵
  - Executes dropped EXE
  PID:3056

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\CUPaLSZ.exe

Filesize
5.7MB

MD5
9e9f1c4a5ee6954ca5b54b68aff27c7d

SHA1
a4de961f1e766237fed6ba73378568330845ffe9

SHA256
dfb599c279875184ee63b504fa6418fb678bc979f987a80061dc633b54d23671

SHA512
abca76c5986bb15fd9446ce5f70294d46187b7204b65d23162a5ba6721633ec69472e538ba62d27c0b6b77fcbdc3c43fb534d92a9ac238277e747e47a4857062

Download Submit
C:\Windows\system\LFtMLTz.exe

Filesize
5.7MB

MD5
813bffd04d456333694507886916de7b

SHA1
05a540bd32df615915cbac926d610b06eaae0496

SHA256
fac9b0eef2f42127298ff3dc2c3ab1576f8ec57680a232abecffe452e64a92fa

SHA512
dd03de1fbc84b43c4506038b63b13a8e14be54bcb973fc9dd76db02ef81ffe2d39394fd6c161306370bb441f46bd94347b302ee9b921dc8708985b6ed3241e9d

Download Submit
C:\Windows\system\MqncdnI.exe

Filesize
5.7MB

MD5
393abeeb8142b44664bec697972710cc

SHA1
63ce78e24361220a472de5a8cdf8fc70eaf4e8f5

SHA256
46db0a260a9094c3e145b8fbc2b2de9908d74649a2e862175b6a3682d13183cc

SHA512
3c4457fee40af9c3f3d719d3e3a898f26d915a28c62a531cb8712ad968f77a58402444012700d3903290b63c2694f530a4dc15cc78b1b20ec90b0841b59b9600

Download Submit
C:\Windows\system\WyKXMGm.exe

Filesize
5.7MB

MD5
b0d6ec3b149c0614ff7846321f437fef

SHA1
ed5db4d6bdec9ba6cca68a398400832db9b57867

SHA256
9a9dce2da3fdd99856dbf9e844381cfb515d987abab3589c76b36a5d6992979e

SHA512
85d30d210dfa0410c9054424a192c9762ce98b4be98ce942e823466a0672929d7a9bada15e996d631a6820e8353383098c4ee9c26b4fbec43a7f3edba21b9b6a

Download Submit
C:\Windows\system\isJIoia.exe

Filesize
5.7MB

MD5
b19bf9156a1f66dc3b72ffe9f4777eff

SHA1
c49b08eafd8ff6a69ff6ad6cd3d22c8809c05ee2

SHA256
fb87a624fb82cb3632544342880fbde4479669db665e2909a22ec772d9e3effa

SHA512
75cc39371ddb6cd66d259a60e9218102691643f3aa0d0e48b6ad90408944ba6cabd6eab9bd920f508d45a9030fba85180f915f0901c1f52fba822ba2a7c9a397

Download Submit
C:\Windows\system\lzcIrqb.exe

Filesize
5.7MB

MD5
54494be0171778d1dad4e63deb75f708

SHA1
3af7c7801242e93f36c6b0238a83ec15ee3f2771

SHA256
37f1a5e9ffc86f939fd490950e385e147689d4f0d251f3324e8dd1dc6c52ae05

SHA512
8f966a90b8d66dec7c2a5b4c2726ce291ce4aeb19aff63aa68e7817b3e34bfc1f6d3856026e7c16e77b2da776aab61d652deeea94a5174c0f1f93d65685b376f

Download Submit
C:\Windows\system\mYmJcrW.exe

Filesize
5.7MB

MD5
c391ee71a2c9fd6fcd7660a3e993f432

SHA1
0f50f663bd5135570dfeec0ba54bbfa41b2d788f

SHA256
a2172b2e6829ac5032d1f15f37357f3e5f50b769dfbb39ad6ed1344110e6157e

SHA512
3bc58cdb466b1492a636f790853ed746a76b59bd41e8438cdbff526b8a5e59725bc9947f2f73d0f6a692cc30dcb62d3f47d177bf0abb02a11d391fb0b4889571

Download Submit
C:\Windows\system\nQOgwkJ.exe

Filesize
5.7MB

MD5
00aa07fab781686317d86bf98520e57d

SHA1
a530d0008dfbc899a80aab5a5161ca9e794bbf4e

SHA256
c753870603c6e049f332f3ded8a589f0e78be3df1eaea8efd160b618920f19e5

SHA512
de854251e11415df1ebb6daeab94cb781c7e0a074d12fd74b69f7757e85602c25e0d50fc537a096874a360b4d493fd94522a47081597cad16e3b942d4612c98e

Download Submit
C:\Windows\system\nVbDKDx.exe

Filesize
5.7MB

MD5
d8801cd21b47d60f515c933906881a3b

SHA1
f9bef126aa777c56cdcf76940294fefb54cdd595

SHA256
cceffe4983b22efd818c449114eee9f1164f94f333b1094de6a8461fbfe4acb8

SHA512
6dece4e39ffc10bec421c22385d340d3ca375c35c54fa8c2cf3d0b6d1f3f3125c9c67f2d00bfb745aa835680115db7ab384b2a16a9ffdb3f98a4f7fb547911d7

Download Submit
C:\Windows\system\pjgyRke.exe

Filesize
5.7MB

MD5
e613004c4961f8973d33b62badb99bb5

SHA1
1a33132060c57ad565427f8d3493846b35b18dac

SHA256
ceef4192a81baac9ad3b2beb6e0fed4d694b4c0a9fd56a7a771e951fa3ec4c8e

SHA512
9ea77812550f10c2c03de7d356cf72cc1f2c47864fe063f9ec8d4308bb29e323071c10b30a764e559369acf51f5ebf86473bf33434f9f7d6103286a6fef3ac05

Download Submit
C:\Windows\system\rolASZf.exe

Filesize
5.7MB

MD5
bfbca1d20e71209aa4b00d4ce0802f3b

SHA1
f70749a268f77e9de59d797dd51c696e2c86b8eb

SHA256
868b703315d84457ada946ce2cbdeb55d6403380e91efd8f88859bc3d095283c

SHA512
b4840f53181569345ddc9223394ee9462efea07faa8f3d395508b720b64215c18b4ae8ae390e293d275a009175daff3b3ad7ab8a9ed51966d2e8b0cb8182241f

Download Submit
C:\Windows\system\zcwgXrB.exe

Filesize
5.7MB

MD5
4007af7cb3080d03764d5333e196f696

SHA1
58c0eb3db36f03809cb1c828af4db61f99459e45

SHA256
92423d1fa59a5014af8d2dac3c040b76fe247a49da0ae8992736a6be56e12b45

SHA512
134a02bd0a19b484cbf61a6cff031e18e7e6fdc1a8294bf15613d7082e0e6c796f8453dba9820b8a502bd1eff86302957370ec84392a6a5a02097b34e578d935

Download Submit
C:\Windows\system\ziSIFJn.exe

Filesize
5.7MB

MD5
a828cee487da8fa722ab86667b5e68c0

SHA1
761f8067fa8ca358fd891132a549bcbb9fa43f0b

SHA256
08bbf20a3dd8c478ab0703ee8a142c13df09440be186675a697a9ceba0aea7e4

SHA512
a1225e8ae8c843fb0f0f0916d915c0f42a14565fc22e98bd62773eaaae9da88d1b9cfcf5d20c2723a6d7fe1faebb24f471047771c42fdb0be649c02f8d6d4c3e

Download Submit
C:\Windows\system\zjJkLwv.exe

Filesize
5.7MB

MD5
21f18c8e33f5ccb9f7dbd375d541b3f7

SHA1
e1fa30d006cd835a8fa6bbc2aeb47a0365d6ac40

SHA256
18dda8c03a8b805d9b22a746651ef9355b249702d4b932c3b6e6e6b3cd39df1e

SHA512
5f8b8ee7e3d38c520a74ec2daac3c07cbf152ef5e870994a6e601802572f3c1dfc3f40743cc51ab95a6d8bd7fe3fe491c21224e97fb278bc193e9008fb6cc3cb

Download Submit
\Windows\system\DJIWrdJ.exe

Filesize
5.7MB

MD5
35b5808de42423b7307877752161cc23

SHA1
63312272b3438744dacb50de7ea6ec606432fd9d

SHA256
69c28ff011565128960add9503d1ffe6330781c453bb88defc423716ef5b189e

SHA512
c79348f1eddb78b02f2d7e6e08fd454db9d194552ccd6feded266bebafdfe38c327902b5dbc3495fb78db875e9d52dec2e97606331d70146a59dd7e2ff65b54e

Download Submit
\Windows\system\EkWkidD.exe

Filesize
5.7MB

MD5
7ef31a4a0df6db13fb50505e65634900

SHA1
05cdef5f58aa34fff46d7f416da782179fb3493d

SHA256
7fd34518a2cd429c55741d4e936d79f63344b4dcc09e664b28a0950671b2ad01

SHA512
1ae6f717903b0fae7202069662619e71a3685a21e372746e4e22d353752fa3d22ae0c7e147b7e05f6cf0ea5ec30aaff97dc718968e7a8255788fdc4882f0ee6d

Download Submit
\Windows\system\IucOFDy.exe

Filesize
5.7MB

MD5
86dfa79bbe35438c84c8de3c75a75dd9

SHA1
d91636a7316b885c66a6d9486d4461618f5f68b2

SHA256
32cd54783b5478120047a8a315b10414f336cc13e52acee9f7131f3b46e5dc06

SHA512
c0086f4fdadd0bb0c9060bff03bc754c0eb159f64de84469a1158c8c931a16398633aa942105a9393afb274beb2d3631dc4f0554ac6834117c098d5c76f4e1d7

Download Submit
\Windows\system\gAtmdlB.exe

Filesize
5.7MB

MD5
278e430050cd43ca06dc78f578bc6a98

SHA1
f59405fd268dd0f242fac9acd762fee5b1abddae

SHA256
0f9644674b3027129f1f0fc911cb9d054ad6383a0884eeaa89c373691216dea7

SHA512
cb4eab7b13ed08ae8bb2f09bdd322bbb3903673e6d94611a80fac4d135c2f365014998566138afff4dd0aaeed2181f66efce1adad830ca6ced5f8596daaa0b6d

Download Submit
\Windows\system\pCOvmXT.exe

Filesize
5.7MB

MD5
3b63982273e99d488246bf60148789d9

SHA1
0929d41273f6a3c521ac59096709b9534c987fb8

SHA256
3f41473dc26ee98c0724aa0c924804d732d1fc6eac734b94e99985510954a66f

SHA512
28ebc6a74ffe671ce29b521d56554e456e579ea57d5ff4be2825b109b44f3e747cdf08e385d49029328fc81cf158ab5557907a3b626a056ee5e16ce1dd164a38

Download Submit
\Windows\system\uXMpBMN.exe

Filesize
5.7MB

MD5
d0f147b29c58769378eeb950d2aaed29

SHA1
e5c1b69e714a3409cb168bd5b35291ff3e608518

SHA256
ca06cd75bd34df6cf15b75b64b50d770110faa3a7e7f306d0ccd0e4755c9f602

SHA512
8151b195d3d08d6f347c2a8b84aba161db8a1eea3537edef4bc2bf2b0d3d946cf016b5497e4db20a6b95213c10ed5e3bda290c5b2bbfabbbf761af543e5ffd9d

Download Submit
\Windows\system\vCirlkG.exe

Filesize
5.7MB

MD5
9cbd8344b190999c3d29cc8d5cf7879a

SHA1
d3e4d2d83937a95ca9de5c50770f00b5daebf79e

SHA256
80262e104141a3a8220954ae159ffaa06defa4618f4dd3fe56b2cedc17246b50

SHA512
a5a237592a54759649d8bc693534687049af419146179ce7f4fe829eb5e1d3d6ac516f6376ea4340e85800fb8b043a12afdcc6477a539747021912443b961917

Download Submit
memory/492-7-0x000000013FC20000-0x000000013FF6D000-memory.dmp

Filesize
3.3MB

Download
memory/1128-85-0x000000013F680000-0x000000013F9CD000-memory.dmp

Filesize
3.3MB

Download
memory/1296-97-0x000000013F6D0000-0x000000013FA1D000-memory.dmp

Filesize
3.3MB

Download
memory/1720-78-0x000000013F4E0000-0x000000013F82D000-memory.dmp

Filesize
3.3MB

Download
memory/1872-19-0x000000013F820000-0x000000013FB6D000-memory.dmp

Filesize
3.3MB

Download
memory/2256-25-0x000000013F160000-0x000000013F4AD000-memory.dmp

Filesize
3.3MB

Download
memory/2288-47-0x000000013F8D0000-0x000000013FC1D000-memory.dmp

Filesize
3.3MB

Download
memory/2332-77-0x000000013F120000-0x000000013F46D000-memory.dmp

Filesize
3.3MB

Download
memory/2364-0-0x000000013F1C0000-0x000000013F50D000-memory.dmp

Filesize
3.3MB

Download
memory/2364-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/2480-13-0x000000013F5D0000-0x000000013F91D000-memory.dmp

Filesize
3.3MB

Download
memory/2616-61-0x000000013FD00000-0x000000014004D000-memory.dmp

Filesize
3.3MB

Download
memory/2700-68-0x000000013F430000-0x000000013F77D000-memory.dmp

Filesize
3.3MB

Download
memory/2748-49-0x000000013FD20000-0x000000014006D000-memory.dmp

Filesize
3.3MB

Download
memory/2816-123-0x000000013FB00000-0x000000013FE4D000-memory.dmp

Filesize
3.3MB

Download
memory/2888-31-0x000000013FF50000-0x000000014029D000-memory.dmp

Filesize
3.3MB

Download
memory/2940-108-0x000000013F240000-0x000000013F58D000-memory.dmp

Filesize
3.3MB

Download
memory/2944-121-0x000000013F180000-0x000000013F4CD000-memory.dmp

Filesize
3.3MB

Download
memory/2968-101-0x000000013FE80000-0x00000001401CD000-memory.dmp

Filesize
3.3MB

Download
memory/2972-36-0x000000013F4F0000-0x000000013F83D000-memory.dmp

Filesize
3.3MB

Download
memory/2980-54-0x000000013FEB0000-0x00000001401FD000-memory.dmp

Filesize
3.3MB

Download
memory/3016-106-0x000000013F7F0000-0x000000013FB3D000-memory.dmp

Filesize
3.3MB

Download
memory/3056-126-0x000000013F580000-0x000000013F8CD000-memory.dmp

Filesize
3.3MB

Download