cobaltstrike | 592b4f16c31241dc7e3b11adcbc35711145e1a83880b304f361d6934ea7273a0

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-01-2025 02:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.7MB
MD5

1a3ca3fd2e861ff41206e38d3e3b15d2
SHA1

fb59bdb6d99ac0cf1c65c6dde3091e6761e01dcf
SHA256

592b4f16c31241dc7e3b11adcbc35711145e1a83880b304f361d6934ea7273a0
SHA512

e1b1a2670385e2e833f0b83679b2245b5bc1eb15ac2a9d861ad0709407885a66ee6ff5c4dd36afdd2be015bcbbb011a6b5c1986f08a35da2c151f40d6aa540ea
SSDEEP

98304:4emTLkNdfE0pZaJ56utgpPFotBER/mQ32lUp:j+R56utgpPF8u/7p

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023bbe-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb2-9.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023caa-12.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb3-23.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb4-36.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb5-45.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb8-54.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb7-51.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb6-42.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb9-58.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cba-66.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbb-71.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbc-74.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbd-84.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbe-89.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc0-95.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc2-104.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc3-112.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc1-105.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc4-119.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc5-121.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 43 IoCs

miner

resource	yara_rule
behavioral2/memory/2956-0-0x00007FF75CC80000-0x00007FF75CFCD000-memory.dmp	xmrig
behavioral2/files/0x000c000000023bbe-5.dat	xmrig
behavioral2/files/0x0007000000023cb2-9.dat	xmrig
behavioral2/memory/4092-7-0x00007FF7341F0000-0x00007FF73453D000-memory.dmp	xmrig
behavioral2/files/0x000b000000023caa-12.dat	xmrig
behavioral2/memory/4836-13-0x00007FF64A970000-0x00007FF64ACBD000-memory.dmp	xmrig
behavioral2/memory/876-19-0x00007FF7DB270000-0x00007FF7DB5BD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cb3-23.dat	xmrig
behavioral2/memory/4820-30-0x00007FF698C10000-0x00007FF698F5D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cb4-36.dat	xmrig
behavioral2/files/0x0007000000023cb5-45.dat	xmrig
behavioral2/memory/796-46-0x00007FF65D590000-0x00007FF65D8DD000-memory.dmp	xmrig
behavioral2/memory/3024-55-0x00007FF6AA560000-0x00007FF6AA8AD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cb8-54.dat	xmrig
behavioral2/memory/5004-52-0x00007FF719960000-0x00007FF719CAD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cb7-51.dat	xmrig
behavioral2/memory/1732-43-0x00007FF6BBDE0000-0x00007FF6BC12D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cb6-42.dat	xmrig
behavioral2/memory/428-40-0x00007FF78FEB0000-0x00007FF7901FD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cb9-58.dat	xmrig
behavioral2/memory/3144-61-0x00007FF7D0840000-0x00007FF7D0B8D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cba-66.dat	xmrig
behavioral2/files/0x0007000000023cbb-71.dat	xmrig
behavioral2/memory/3108-68-0x00007FF60CC30000-0x00007FF60CF7D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cbc-74.dat	xmrig
behavioral2/memory/544-76-0x00007FF6E6B50000-0x00007FF6E6E9D000-memory.dmp	xmrig
behavioral2/memory/3112-82-0x00007FF79E1E0000-0x00007FF79E52D000-memory.dmp	xmrig
behavioral2/memory/968-85-0x00007FF6118A0000-0x00007FF611BED000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cbd-84.dat	xmrig
behavioral2/files/0x0007000000023cbe-89.dat	xmrig
behavioral2/memory/2332-91-0x00007FF64D3D0000-0x00007FF64D71D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cc0-95.dat	xmrig
behavioral2/memory/1092-97-0x00007FF626D00000-0x00007FF62704D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cc2-104.dat	xmrig
behavioral2/files/0x0007000000023cc3-112.dat	xmrig
behavioral2/memory/4600-115-0x00007FF79D1C0000-0x00007FF79D50D000-memory.dmp	xmrig
behavioral2/memory/1696-109-0x00007FF696740000-0x00007FF696A8D000-memory.dmp	xmrig
behavioral2/memory/2024-106-0x00007FF79B1F0000-0x00007FF79B53D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cc1-105.dat	xmrig
behavioral2/files/0x0007000000023cc4-119.dat	xmrig
behavioral2/files/0x0007000000023cc5-121.dat	xmrig
behavioral2/memory/2352-123-0x00007FF68F220000-0x00007FF68F56D000-memory.dmp	xmrig
behavioral2/memory/4160-126-0x00007FF74CBF0000-0x00007FF74CF3D000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4092	CNGQdDJ.exe
4836	STkNvFC.exe
876	ekzjetA.exe
4820	GtmgzGG.exe
428	QbIQYnW.exe
796	bFrLwPQ.exe
1732	QhYqgFI.exe
5004	RJoETtF.exe
3024	XNQCPhl.exe
3144	YiyfbDq.exe
3108	NmPRcta.exe
544	rSKgaJZ.exe
3112	PDZIUwb.exe
968	NjfbDBN.exe
2332	gkxVOiW.exe
1092	CKSHpdt.exe
2024	HovuFhF.exe
1696	yPORAxe.exe
4600	lzgxRVo.exe
2352	YiUoSoj.exe
4160	KCDGhwV.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\rSKgaJZ.exe	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KCDGhwV.exe	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CNGQdDJ.exe	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ekzjetA.exe	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QbIQYnW.exe	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bFrLwPQ.exe	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XNQCPhl.exe	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NmPRcta.exe	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PDZIUwb.exe	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yPORAxe.exe	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\STkNvFC.exe	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GtmgzGG.exe	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gkxVOiW.exe	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CKSHpdt.exe	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lzgxRVo.exe	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YiUoSoj.exe	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QhYqgFI.exe	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RJoETtF.exe	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YiyfbDq.exe	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NjfbDBN.exe	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HovuFhF.exe	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2956	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2956	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 4092	2956	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2956 wrote to memory of 4092	2956	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2956 wrote to memory of 4836	2956	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2956 wrote to memory of 4836	2956	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2956 wrote to memory of 876	2956	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2956 wrote to memory of 876	2956	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2956 wrote to memory of 4820	2956	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2956 wrote to memory of 4820	2956	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2956 wrote to memory of 428	2956	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2956 wrote to memory of 428	2956	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2956 wrote to memory of 796	2956	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2956 wrote to memory of 796	2956	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2956 wrote to memory of 1732	2956	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2956 wrote to memory of 1732	2956	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2956 wrote to memory of 5004	2956	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2956 wrote to memory of 5004	2956	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2956 wrote to memory of 3024	2956	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2956 wrote to memory of 3024	2956	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2956 wrote to memory of 3144	2956	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2956 wrote to memory of 3144	2956	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2956 wrote to memory of 3108	2956	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2956 wrote to memory of 3108	2956	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2956 wrote to memory of 544	2956	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2956 wrote to memory of 544	2956	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2956 wrote to memory of 3112	2956	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2956 wrote to memory of 3112	2956	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2956 wrote to memory of 968	2956	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2956 wrote to memory of 968	2956	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2956 wrote to memory of 2332	2956	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2956 wrote to memory of 2332	2956	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2956 wrote to memory of 1092	2956	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2956 wrote to memory of 1092	2956	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2956 wrote to memory of 2024	2956	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2956 wrote to memory of 2024	2956	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2956 wrote to memory of 1696	2956	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2956 wrote to memory of 1696	2956	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2956 wrote to memory of 4600	2956	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2956 wrote to memory of 4600	2956	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2956 wrote to memory of 2352	2956	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2956 wrote to memory of 2352	2956	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2956 wrote to memory of 4160	2956	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2956 wrote to memory of 4160	2956	2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-22_1a3ca3fd2e861ff41206e38d3e3b15d2_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\System\CNGQdDJ.exe
  C:\Windows\System\CNGQdDJ.exe
  2⤵
  - Executes dropped EXE
  PID:4092
- C:\Windows\System\STkNvFC.exe
  C:\Windows\System\STkNvFC.exe
  2⤵
  - Executes dropped EXE
  PID:4836
- C:\Windows\System\ekzjetA.exe
  C:\Windows\System\ekzjetA.exe
  2⤵
  - Executes dropped EXE
  PID:876
- C:\Windows\System\GtmgzGG.exe
  C:\Windows\System\GtmgzGG.exe
  2⤵
  - Executes dropped EXE
  PID:4820
- C:\Windows\System\QbIQYnW.exe
  C:\Windows\System\QbIQYnW.exe
  2⤵
  - Executes dropped EXE
  PID:428
- C:\Windows\System\bFrLwPQ.exe
  C:\Windows\System\bFrLwPQ.exe
  2⤵
  - Executes dropped EXE
  PID:796
- C:\Windows\System\QhYqgFI.exe
  C:\Windows\System\QhYqgFI.exe
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\Windows\System\RJoETtF.exe
  C:\Windows\System\RJoETtF.exe
  2⤵
  - Executes dropped EXE
  PID:5004
- C:\Windows\System\XNQCPhl.exe
  C:\Windows\System\XNQCPhl.exe
  2⤵
  - Executes dropped EXE
  PID:3024
- C:\Windows\System\YiyfbDq.exe
  C:\Windows\System\YiyfbDq.exe
  2⤵
  - Executes dropped EXE
  PID:3144
- C:\Windows\System\NmPRcta.exe
  C:\Windows\System\NmPRcta.exe
  2⤵
  - Executes dropped EXE
  PID:3108
- C:\Windows\System\rSKgaJZ.exe
  C:\Windows\System\rSKgaJZ.exe
  2⤵
  - Executes dropped EXE
  PID:544
- C:\Windows\System\PDZIUwb.exe
  C:\Windows\System\PDZIUwb.exe
  2⤵
  - Executes dropped EXE
  PID:3112
- C:\Windows\System\NjfbDBN.exe
  C:\Windows\System\NjfbDBN.exe
  2⤵
  - Executes dropped EXE
  PID:968
- C:\Windows\System\gkxVOiW.exe
  C:\Windows\System\gkxVOiW.exe
  2⤵
  - Executes dropped EXE
  PID:2332
- C:\Windows\System\CKSHpdt.exe
  C:\Windows\System\CKSHpdt.exe
  2⤵
  - Executes dropped EXE
  PID:1092
- C:\Windows\System\HovuFhF.exe
  C:\Windows\System\HovuFhF.exe
  2⤵
  - Executes dropped EXE
  PID:2024
- C:\Windows\System\yPORAxe.exe
  C:\Windows\System\yPORAxe.exe
  2⤵
  - Executes dropped EXE
  PID:1696
- C:\Windows\System\lzgxRVo.exe
  C:\Windows\System\lzgxRVo.exe
  2⤵
  - Executes dropped EXE
  PID:4600
- C:\Windows\System\YiUoSoj.exe
  C:\Windows\System\YiUoSoj.exe
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\System\KCDGhwV.exe
  C:\Windows\System\KCDGhwV.exe
  2⤵
  - Executes dropped EXE
  PID:4160

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CKSHpdt.exe

Filesize
5.7MB

MD5
00ce5fcad0cb35957c8aae4b4a72a6c2

SHA1
df9f9478b05b0f957c50d96d2a8e36683f2129b2

SHA256
079255e6e5697d7a007e453b3e1ff1d1dc1ac7f5d203e07116ed77b24ae9a1d8

SHA512
e146208a95c88d7ea9a1c96a7acd98fe4102c747c4e5349ce59c66db8bd569710ed27560239ea3172bb252a2018cc4efa4cc7e7cbd3e979d73385ff7f461d378

Download Submit
C:\Windows\System\CNGQdDJ.exe

Filesize
5.7MB

MD5
affa0d5778297e59ce3f299448609228

SHA1
3076bff7c2ffcd522e5354238f78eb879629c064

SHA256
622d1a213f7b3a5e2308f0928ca98d66b242b8afb46fc3e3346bcbec8020dfff

SHA512
d4d7d472916f2a870651c27229fe84c7d4703186c95ba62e0797dfa01e7faed7a8666dfa46ddbbe16baded2ca106c645dc0cb431dc95aadb7614932043ac508a

Download Submit
C:\Windows\System\GtmgzGG.exe

Filesize
5.7MB

MD5
b91a05666cc8bedc267e09c809dd7540

SHA1
db5b7aa7765cd141916b8ca4b71714803b2c950f

SHA256
c8dc70b1ef9ad7180c3ee2aba31715ebb0f8dc2e3e73bd689b272b72c3fb7614

SHA512
5683c9f700a44260cc7986edbe6023980bb45e324aec6e29184e5625f725980dfe43ee3a98173b7b6dd5cf1b51b55aaf8bf001fa1945623b0b822d822e8bbe58

Download Submit
C:\Windows\System\HovuFhF.exe

Filesize
5.7MB

MD5
901b56f1ca037f9ea08fb078e10944f4

SHA1
a0f9d06f63b4c19c3077159dd35a7b88ba8f8431

SHA256
8bf9ee8ef723d03ec38119300f2b65f111872286599b7d5b94c76bd187395c86

SHA512
03b63ca9dec486211050009c77d8f9f3f7f19119562c40aa2cbc0ab6032b26c3c80bc6cc07bbdef31d01c94080c93418d6a2cb8a2e256adaf63141961a61d715

Download Submit
C:\Windows\System\KCDGhwV.exe

Filesize
5.7MB

MD5
2124ca37cb1c1770c404964bd52326f1

SHA1
3f2348ea2dbe83da32cb15e538e3fc0bf5737445

SHA256
a4508bf12e3f401eec86e1617667a31b958da43d906e0fc7fe33fd4b6c3e5db7

SHA512
9caa5b67cbad31854968aadb711f13f3c0ea00bb178b2f12e275aca911961478c6ca976104713bbf45c7886eec8194c45d7c9946bba08b7453f66d1f9a2e6409

Download Submit
C:\Windows\System\NjfbDBN.exe

Filesize
5.7MB

MD5
b247af44798be836de6d0e043f1affe1

SHA1
fe8bc0513114e7212289fbf242fde74613d9eda1

SHA256
d7fabaa9e817fa64c3bf31dab483117c96aefc3655a1c3b6a4aae39c1fff6386

SHA512
f705e0870d2d7f06f3848a469ddbc98f7787d4ded787bfd52d919de6ef1689e5c71a2a9b196c333dceeba46d02f6bae296f31a20d892b6d398ff0a770ee1263c

Download Submit
C:\Windows\System\NmPRcta.exe

Filesize
5.7MB

MD5
005e81ea37c9d1fe14a8b058b33d5585

SHA1
e8e5952e5aa7b3b5de797e174c1ef134a053f330

SHA256
2a1656b5b702928bd17364d522c1f960e728a3995ba805944c72811ad560c9aa

SHA512
fb2c54274e0b3360d6b67da794b388c63418a70c5f5b73ad0e9f70a48ada84eb767f57f00a7caa61a8aa0078d6ac60b52a568cc2fa166d3d121e742b636f6301

Download Submit
C:\Windows\System\PDZIUwb.exe

Filesize
5.7MB

MD5
4263f635b381724513c4ac664ef9cdb3

SHA1
3bbd84ea196e816ce539a73985833a5c68ff500e

SHA256
723a4f886835bb71c532d0832fa3c939fecd858e159c19bc74615a1a695c0128

SHA512
c0810ca67dd24ab6a0a963a1aa1796e65cedfcf7c3115381e86ae868909d98f4767d1234b61de22f0ecd133c9151ba5760bcc58d3305cf472b3f63706e9a328c

Download Submit
C:\Windows\System\QbIQYnW.exe

Filesize
5.7MB

MD5
6ec6de96344d84814bd28b83c8bfdda9

SHA1
41bed69502017fc8bdafb0dd80f4ea8ef538897e

SHA256
115b80beff1df001de859b44b218ba29d0470e43da0547482b16fcb774196dea

SHA512
4c5e3e5247775ca42087e4823e4c0451e55a4af2510b4365e96a900464f81bfa6af2431e4d0fca2c6da758c29dc7fc1eb654902801e8457dd01b12f21b22b3fb

Download Submit
C:\Windows\System\QhYqgFI.exe

Filesize
5.7MB

MD5
65e99efff992caa6cd3f71a9587b5f07

SHA1
0ffd53d72480f7a81d4e65529cce83196c6e91d7

SHA256
dc99a54c55f11d044c9f12d3f89a277aa2fd3322089d24c13dd16c5d0f86199a

SHA512
d83ed5af20896346c5e14157c2e6328552eb461f23da91a067bb3b26e40d41ab150de8468502485ba28d7d9951d1075dc91e2725b557a4a6852ba78f85c78b78

Download Submit
C:\Windows\System\RJoETtF.exe

Filesize
5.7MB

MD5
70543d108e31d4c50b6ba593351806dd

SHA1
077fb75cdd5959425cd488716ee23acfbbdea555

SHA256
ffd94001ad0c2c6ae2bece21b2836ea9b3e4e97edcc45fe6706a37380a2bb2d6

SHA512
947046e33349ad48723636402a312312732fde82b151ed2010c02d4a590b67b464e11934f8160d1fdfb062d092e457cbb8ab695bd035900c9bd75d0e90211cec

Download Submit
C:\Windows\System\STkNvFC.exe

Filesize
5.7MB

MD5
486acb9abbe0876668456a95e613b5d9

SHA1
1a039a2cecb4042b65491d6064cd430db632a482

SHA256
83fb89f1aa0660898660c016f147485351abc2c92b5a31c471ce893bad716d4a

SHA512
dcd1f302bfd5bb6172c7df7744ac1414d80d051b0524d83fe4d6d5c4b8db4939fe97b2eed2986027550853d45ad14bc50bbbcfedc876797c95fbc75655919f40

Download Submit
C:\Windows\System\XNQCPhl.exe

Filesize
5.7MB

MD5
b4c09d0c365cb1441e1f9768721ba46f

SHA1
f2b95f0bf7eef6c5348c4ddfce435d679cf70044

SHA256
34bc05f9805c5071a33bd02a187335f3a775f54d471fd1151e0c45cf32c2c3c9

SHA512
05420c27c5f2d7f2157480409ec65e29d78c86132090e00b82846a9c1b4c13046da46e8fb217b8ddb81fa357d8bfe5885ef838dcca8be9844830ddf5863d1d44

Download Submit
C:\Windows\System\YiUoSoj.exe

Filesize
5.7MB

MD5
e313db34313e654196c8262bbba2a1ed

SHA1
4fcabc4f19d4f223f5af552803734858b5f81840

SHA256
399d0876d76ab64e8a4929907a21fd5b23151f00f37cb8f71282704137ed2b58

SHA512
f93a439950c25e7e1b620ffe02ea196c2469a4c7c279311d219f2c9d317b9aa61aa06b07c410ea2e11fc763e92c5dec14bb4a7f6e91c4cf0ea71d74d88fe6f62

Download Submit
C:\Windows\System\YiyfbDq.exe

Filesize
5.7MB

MD5
4b8710c31aab901eedd0bfddc4ab62fd

SHA1
37c2406c667b12f2cc46650dfd621438d4fc68ba

SHA256
6f660983b9ce40a6c3164cf885447202f017baf47c92f632726e20f128115d59

SHA512
3db3a03244a213473fe35b0bb33ff182ffdbd49a814c32136138aa8211dbc5ea38afdc36c8d4040dcfbeb69ea1b94bb701d1a3120079e15da8355bbac71765e7

Download Submit
C:\Windows\System\bFrLwPQ.exe

Filesize
5.7MB

MD5
a312d3efa594bd7fffa7616c0a9c2c37

SHA1
f1272a3f8d1173813fc5643415d0a53996dce926

SHA256
d6d287b2c884112aaa90abdf05ced1504a311d80eff6e72f387c8a8b09841411

SHA512
664266aa219f6d7a9c63b98cc58cb80c67dd27516435cb3ad66772bc84467aa7bad337403371e7529da471acd004be29c3c7e675de7a15cb99ab779217f74037

Download Submit
C:\Windows\System\ekzjetA.exe

Filesize
5.7MB

MD5
61f700182c9e61d42767373716afcfea

SHA1
9b5cca5c2329fba647d2d5a94a776b45351e1f41

SHA256
07b776c3706850269a8adaee70d9b04f4414a0f4dd1ad052ed1417df05f5bee9

SHA512
e2b41f490a44c7f90355b2a948662cb04ba28a595d3ad1ae7ca884b5fc20f8965bb55f6a60c4ac9c256e09e36faf803f4dd713f8c6c084a45bf6e336c3a0b768

Download Submit
C:\Windows\System\gkxVOiW.exe

Filesize
5.7MB

MD5
cf31b78a3c4d7950c6400fdfe1ce647a

SHA1
3fb54fadc82c5f10775610c3f9616c2bdcecc940

SHA256
a0c8430dd1bbbc1dd53c4f77bbd332240669e0f6e3272a2796a1eb9ed718a1e6

SHA512
7d8a063b4c7ed57b1d3d5571ed7ed66f3e3eb7c038013b9a3b90b47a8ba7a87c40a7c6ac3f162e1429176888bcb16f87bc58a1b4245b6c17ad4622a2a5366697

Download Submit
C:\Windows\System\lzgxRVo.exe

Filesize
5.7MB

MD5
528f6d8f665ccc4766d655d85297fd09

SHA1
e3ff35797187f3ebf125c9e38c5bd49f4d3abe45

SHA256
1e64567ac3dc33fca3d04876689c1d8b38741ec3188a2185eae7d3380212b53a

SHA512
c0c7be67732f0410a7c7d6cb28d56ab093d5545a8f5cbf7517ed9cc52206178539e1f4542e5347830a263ccb3c7c59ac762c534ed17a6e22cf03ec4f3f5679fe

Download Submit
C:\Windows\System\rSKgaJZ.exe

Filesize
5.7MB

MD5
8d9540498d27786a1c1fff5a5d58c814

SHA1
8ba54cd1cc3debf44941017a9f0464bbc1771c09

SHA256
e303d7a83e50975cc8dacfbfc3c1fef19cb81bb276b6b68a3be657441fddd613

SHA512
be5560778018f89665670a24ba6c5db3c4306d438d82304924101fd4617d61109d7990ed59d4a4173371b75508eeba5b6ef98afa193ebde8eba42e7f35d7cafb

Download Submit
C:\Windows\System\yPORAxe.exe

Filesize
5.7MB

MD5
f24cf91cf876ef7a3f4c9111bd8e270e

SHA1
d734396e300d7495cc188a3d67f84d900994b967

SHA256
26cc025ccab59dcd417de8190d491837388b626aa3e730863a23c16bc2b551fa

SHA512
379f5ddccbccaea1cd1ecdcd3acfa7fa0f1ca6cc5c796ae99e57b96e324c13e0e3c80ddf13b184404e63e527e64eb67db368e5535928997c12f3c1dcc3c71f11

Download Submit
memory/428-40-0x00007FF78FEB0000-0x00007FF7901FD000-memory.dmp

Filesize
3.3MB

Download
memory/544-76-0x00007FF6E6B50000-0x00007FF6E6E9D000-memory.dmp

Filesize
3.3MB

Download
memory/796-46-0x00007FF65D590000-0x00007FF65D8DD000-memory.dmp

Filesize
3.3MB

Download
memory/876-19-0x00007FF7DB270000-0x00007FF7DB5BD000-memory.dmp

Filesize
3.3MB

Download
memory/968-85-0x00007FF6118A0000-0x00007FF611BED000-memory.dmp

Filesize
3.3MB

Download
memory/1092-97-0x00007FF626D00000-0x00007FF62704D000-memory.dmp

Filesize
3.3MB

Download
memory/1696-109-0x00007FF696740000-0x00007FF696A8D000-memory.dmp

Filesize
3.3MB

Download
memory/1732-43-0x00007FF6BBDE0000-0x00007FF6BC12D000-memory.dmp

Filesize
3.3MB

Download
memory/2024-106-0x00007FF79B1F0000-0x00007FF79B53D000-memory.dmp

Filesize
3.3MB

Download
memory/2332-91-0x00007FF64D3D0000-0x00007FF64D71D000-memory.dmp

Filesize
3.3MB

Download
memory/2352-123-0x00007FF68F220000-0x00007FF68F56D000-memory.dmp

Filesize
3.3MB

Download
memory/2956-1-0x000001FD09810000-0x000001FD09820000-memory.dmp

Filesize
64KB

Download
memory/2956-0-0x00007FF75CC80000-0x00007FF75CFCD000-memory.dmp

Filesize
3.3MB

Download
memory/3024-55-0x00007FF6AA560000-0x00007FF6AA8AD000-memory.dmp

Filesize
3.3MB

Download
memory/3108-68-0x00007FF60CC30000-0x00007FF60CF7D000-memory.dmp

Filesize
3.3MB

Download
memory/3112-82-0x00007FF79E1E0000-0x00007FF79E52D000-memory.dmp

Filesize
3.3MB

Download
memory/3144-61-0x00007FF7D0840000-0x00007FF7D0B8D000-memory.dmp

Filesize
3.3MB

Download
memory/4092-7-0x00007FF7341F0000-0x00007FF73453D000-memory.dmp

Filesize
3.3MB

Download
memory/4160-126-0x00007FF74CBF0000-0x00007FF74CF3D000-memory.dmp

Filesize
3.3MB

Download
memory/4600-115-0x00007FF79D1C0000-0x00007FF79D50D000-memory.dmp

Filesize
3.3MB

Download
memory/4820-30-0x00007FF698C10000-0x00007FF698F5D000-memory.dmp

Filesize
3.3MB

Download
memory/4836-13-0x00007FF64A970000-0x00007FF64ACBD000-memory.dmp

Filesize
3.3MB

Download
memory/5004-52-0x00007FF719960000-0x00007FF719CAD000-memory.dmp

Filesize
3.3MB

Download