cobaltstrike | 2ec0cb1fd332e410c48fa7ff4232964b7c9139c6ea700ae70dd0bc0d034f1016

Analysis

max time kernel
133s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/01/2025, 06:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.7MB
MD5

3353cf8ad412e04446e898042334cab4
SHA1

3075d70ed7b6f07029be75b178a726438c7b923c
SHA256

2ec0cb1fd332e410c48fa7ff4232964b7c9139c6ea700ae70dd0bc0d034f1016
SHA512

1203d3ee216749f256347b8e6f41112409dc5261b45900b3fb376fecd6b418d43b504801f3d2986bb891bb283d55b9de0c883c5a0808417de654d3fdc4d0f0a8
SSDEEP

98304:4emTLkNdfE0pZaJ56utgpPFotBER/mQ32lUE:j+R56utgpPF8u/7E

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000b00000001225a-5.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015d75-9.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015d7f-16.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015e25-20.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015e47-21.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015f1b-27.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000016c89-35.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000019030-43.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001920f-51.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019228-55.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019273-71.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019346-87.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001933e-83.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001932a-79.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000192f0-75.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001925c-67.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019241-63.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019234-59.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001903d-47.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018d68-39.dat	cobalt_reflective_dll
behavioral1/files/0x00090000000160ae-32.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 43 IoCs

miner

resource	yara_rule
behavioral1/memory/1920-0-0x000000013F100000-0x000000013F44D000-memory.dmp	xmrig
behavioral1/files/0x000b00000001225a-5.dat	xmrig
behavioral1/memory/2408-7-0x000000013FDB0000-0x00000001400FD000-memory.dmp	xmrig
behavioral1/files/0x0008000000015d75-9.dat	xmrig
behavioral1/files/0x0008000000015d7f-16.dat	xmrig
behavioral1/files/0x0007000000015e25-20.dat	xmrig
behavioral1/files/0x0007000000015e47-21.dat	xmrig
behavioral1/files/0x0007000000015f1b-27.dat	xmrig
behavioral1/files/0x0009000000016c89-35.dat	xmrig
behavioral1/files/0x0006000000019030-43.dat	xmrig
behavioral1/files/0x000500000001920f-51.dat	xmrig
behavioral1/files/0x0005000000019228-55.dat	xmrig
behavioral1/files/0x0005000000019273-71.dat	xmrig
behavioral1/files/0x0005000000019346-87.dat	xmrig
behavioral1/files/0x000500000001933e-83.dat	xmrig
behavioral1/files/0x000500000001932a-79.dat	xmrig
behavioral1/files/0x00050000000192f0-75.dat	xmrig
behavioral1/memory/2728-101-0x000000013FD40000-0x000000014008D000-memory.dmp	xmrig
behavioral1/memory/2868-100-0x000000013FEF0000-0x000000014023D000-memory.dmp	xmrig
behavioral1/memory/2744-93-0x000000013F220000-0x000000013F56D000-memory.dmp	xmrig
behavioral1/memory/452-106-0x000000013FE50000-0x000000014019D000-memory.dmp	xmrig
behavioral1/memory/2740-112-0x000000013FFE0000-0x000000014032D000-memory.dmp	xmrig
behavioral1/memory/340-123-0x000000013F410000-0x000000013F75D000-memory.dmp	xmrig
behavioral1/memory/2144-124-0x000000013F480000-0x000000013F7CD000-memory.dmp	xmrig
behavioral1/memory/1908-122-0x000000013FAE0000-0x000000013FE2D000-memory.dmp	xmrig
behavioral1/memory/2616-120-0x000000013F670000-0x000000013F9BD000-memory.dmp	xmrig
behavioral1/memory/2664-118-0x000000013F150000-0x000000013F49D000-memory.dmp	xmrig
behavioral1/memory/2676-116-0x000000013FCE0000-0x000000014002D000-memory.dmp	xmrig
behavioral1/memory/2660-114-0x000000013F7B0000-0x000000013FAFD000-memory.dmp	xmrig
behavioral1/memory/2632-109-0x000000013FBC0000-0x000000013FF0D000-memory.dmp	xmrig
behavioral1/memory/2148-108-0x000000013F940000-0x000000013FC8D000-memory.dmp	xmrig
behavioral1/memory/2856-104-0x000000013F400000-0x000000013F74D000-memory.dmp	xmrig
behavioral1/memory/2820-92-0x000000013F520000-0x000000013F86D000-memory.dmp	xmrig
behavioral1/memory/2884-91-0x000000013F810000-0x000000013FB5D000-memory.dmp	xmrig
behavioral1/memory/2128-90-0x000000013FBE0000-0x000000013FF2D000-memory.dmp	xmrig
behavioral1/memory/2040-89-0x000000013FAC0000-0x000000013FE0D000-memory.dmp	xmrig
behavioral1/memory/2328-88-0x000000013F050000-0x000000013F39D000-memory.dmp	xmrig
behavioral1/files/0x000500000001925c-67.dat	xmrig
behavioral1/files/0x0005000000019241-63.dat	xmrig
behavioral1/files/0x0005000000019234-59.dat	xmrig
behavioral1/files/0x000600000001903d-47.dat	xmrig
behavioral1/files/0x0006000000018d68-39.dat	xmrig
behavioral1/files/0x00090000000160ae-32.dat	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2408	xmHYaKv.exe
2040	gWrEmSI.exe
2328	dttjWiX.exe
2884	GLWZNXD.exe
2128	ojazPLj.exe
2744	POXzOxA.exe
2820	JEZZnpR.exe
2868	dTlabGq.exe
2728	NuYdMhF.exe
2856	XmBgnrT.exe
452	FNmPVgz.exe
2148	CfEoKhj.exe
2632	Anzjlnc.exe
2740	LLzLmQu.exe
2660	XdFmIUA.exe
2616	zIfQRds.exe
2676	rCOfCNw.exe
1908	WsvWeZq.exe
2144	jszeAje.exe
2664	EWFRBkQ.exe
340	xZRxygS.exe

Loads dropped DLL 21 IoCs

pid	Process
1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe
1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe
1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe
1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe
1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe
1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe
1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe
1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe
1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe
1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe
1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe
1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe
1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe
1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe
1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe
1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe
1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe
1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe
1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe
1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe
1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\xmHYaKv.exe	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dttjWiX.exe	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GLWZNXD.exe	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NuYdMhF.exe	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\POXzOxA.exe	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FNmPVgz.exe	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CfEoKhj.exe	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XdFmIUA.exe	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ojazPLj.exe	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JEZZnpR.exe	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dTlabGq.exe	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LLzLmQu.exe	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zIfQRds.exe	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rCOfCNw.exe	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WsvWeZq.exe	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gWrEmSI.exe	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XmBgnrT.exe	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Anzjlnc.exe	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jszeAje.exe	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EWFRBkQ.exe	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xZRxygS.exe	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 2408	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 1920 wrote to memory of 2408	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 1920 wrote to memory of 2408	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 1920 wrote to memory of 2040	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1920 wrote to memory of 2040	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1920 wrote to memory of 2040	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1920 wrote to memory of 2328	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1920 wrote to memory of 2328	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1920 wrote to memory of 2328	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1920 wrote to memory of 2884	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1920 wrote to memory of 2884	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1920 wrote to memory of 2884	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1920 wrote to memory of 2128	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1920 wrote to memory of 2128	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1920 wrote to memory of 2128	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1920 wrote to memory of 2744	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1920 wrote to memory of 2744	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1920 wrote to memory of 2744	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1920 wrote to memory of 2820	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1920 wrote to memory of 2820	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1920 wrote to memory of 2820	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1920 wrote to memory of 2868	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1920 wrote to memory of 2868	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1920 wrote to memory of 2868	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1920 wrote to memory of 2728	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1920 wrote to memory of 2728	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1920 wrote to memory of 2728	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1920 wrote to memory of 2856	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1920 wrote to memory of 2856	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1920 wrote to memory of 2856	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1920 wrote to memory of 452	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1920 wrote to memory of 452	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1920 wrote to memory of 452	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1920 wrote to memory of 2148	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1920 wrote to memory of 2148	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1920 wrote to memory of 2148	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1920 wrote to memory of 2632	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1920 wrote to memory of 2632	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1920 wrote to memory of 2632	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1920 wrote to memory of 2740	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1920 wrote to memory of 2740	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1920 wrote to memory of 2740	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1920 wrote to memory of 2660	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1920 wrote to memory of 2660	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1920 wrote to memory of 2660	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1920 wrote to memory of 2616	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1920 wrote to memory of 2616	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1920 wrote to memory of 2616	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1920 wrote to memory of 2676	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1920 wrote to memory of 2676	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1920 wrote to memory of 2676	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1920 wrote to memory of 1908	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1920 wrote to memory of 1908	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1920 wrote to memory of 1908	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1920 wrote to memory of 2144	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 1920 wrote to memory of 2144	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 1920 wrote to memory of 2144	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 1920 wrote to memory of 2664	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 1920 wrote to memory of 2664	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 1920 wrote to memory of 2664	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 1920 wrote to memory of 340	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 1920 wrote to memory of 340	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 1920 wrote to memory of 340	1920	2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe	51

C:\Users\Admin\AppData\Local\Temp\2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-22_3353cf8ad412e04446e898042334cab4_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Windows\System\xmHYaKv.exe
  C:\Windows\System\xmHYaKv.exe
  2⤵
  - Executes dropped EXE
  PID:2408
- C:\Windows\System\gWrEmSI.exe
  C:\Windows\System\gWrEmSI.exe
  2⤵
  - Executes dropped EXE
  PID:2040
- C:\Windows\System\dttjWiX.exe
  C:\Windows\System\dttjWiX.exe
  2⤵
  - Executes dropped EXE
  PID:2328
- C:\Windows\System\GLWZNXD.exe
  C:\Windows\System\GLWZNXD.exe
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\System\ojazPLj.exe
  C:\Windows\System\ojazPLj.exe
  2⤵
  - Executes dropped EXE
  PID:2128
- C:\Windows\System\POXzOxA.exe
  C:\Windows\System\POXzOxA.exe
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Windows\System\JEZZnpR.exe
  C:\Windows\System\JEZZnpR.exe
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\System\dTlabGq.exe
  C:\Windows\System\dTlabGq.exe
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Windows\System\NuYdMhF.exe
  C:\Windows\System\NuYdMhF.exe
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\Windows\System\XmBgnrT.exe
  C:\Windows\System\XmBgnrT.exe
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Windows\System\FNmPVgz.exe
  C:\Windows\System\FNmPVgz.exe
  2⤵
  - Executes dropped EXE
  PID:452
- C:\Windows\System\CfEoKhj.exe
  C:\Windows\System\CfEoKhj.exe
  2⤵
  - Executes dropped EXE
  PID:2148
- C:\Windows\System\Anzjlnc.exe
  C:\Windows\System\Anzjlnc.exe
  2⤵
  - Executes dropped EXE
  PID:2632
- C:\Windows\System\LLzLmQu.exe
  C:\Windows\System\LLzLmQu.exe
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\System\XdFmIUA.exe
  C:\Windows\System\XdFmIUA.exe
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\System\zIfQRds.exe
  C:\Windows\System\zIfQRds.exe
  2⤵
  - Executes dropped EXE
  PID:2616
- C:\Windows\System\rCOfCNw.exe
  C:\Windows\System\rCOfCNw.exe
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Windows\System\WsvWeZq.exe
  C:\Windows\System\WsvWeZq.exe
  2⤵
  - Executes dropped EXE
  PID:1908
- C:\Windows\System\jszeAje.exe
  C:\Windows\System\jszeAje.exe
  2⤵
  - Executes dropped EXE
  PID:2144
- C:\Windows\System\EWFRBkQ.exe
  C:\Windows\System\EWFRBkQ.exe
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\System\xZRxygS.exe
  C:\Windows\System\xZRxygS.exe
  2⤵
  - Executes dropped EXE
  PID:340

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\Anzjlnc.exe

Filesize
5.7MB

MD5
085e1c17067f7d810f0916ada5ddb40d

SHA1
6be9e286e3a06199590e2679b9e6fd50b9be6e05

SHA256
8d2b326f26b9f124446cce6b294c690a7c9dcc32bbf6a3ae3661d00d2d250c48

SHA512
4cb96ef1b0b1dff6d151fd0786914c896af68e212a374f9b595a5a1b253e9daabc4d9a04469d325ad412287564e1646b9984cf2a8710f8dc6ea51ed75610d411

Download Submit
C:\Windows\system\CfEoKhj.exe

Filesize
5.7MB

MD5
fd083fc5110f948d14b315317bbeb81a

SHA1
daace0ff6e9879aca9d011504a17413cf778759c

SHA256
9259441e4db413a07a609a6db9f43dafcddbe8eec254c5d545676d36dec0f4fc

SHA512
5f999984acc736fa0c1f0cceea55c4cde0c4fc2267fd5d551a8b901944f3fd01b9101c538c510dcdbdd3cd1245902e5d18e089419d9143bcd6ff49e53c6b0706

Download Submit
C:\Windows\system\EWFRBkQ.exe

Filesize
5.7MB

MD5
1a78a319cc638317daba61fd77d72c57

SHA1
479015de4df476c746db2372d8d2f3428741ca94

SHA256
7122bad7d23b8bacd718b55e4d606aa521c2298250a583777c123c2e16e3380e

SHA512
ee36c981b17b54cbc28e591b10358ee016511e5ad7d081fd1f1cda0638d1db6be23166e47412973c02ac37681d35c1f977e7eab9312ad7a401b9099dc91dad31

Download Submit
C:\Windows\system\FNmPVgz.exe

Filesize
5.7MB

MD5
7142fd685e9d181d892118fc8c59b5f2

SHA1
9fde00cbf1f6addf8b69e26f6e505ebcee40f3af

SHA256
2e7fe4d151db730fd1cf19af24ced3641eb09953f2c5172676f969356355fe87

SHA512
c214f639acb314f34c83182cf9f91b9e7370b12704c6f38935d2b5e87ef2a4df196d4678070caa1afee41368e84709a11a048f98136b59ee3a854f4e220da377

Download Submit
C:\Windows\system\GLWZNXD.exe

Filesize
5.7MB

MD5
01529c546987958d6f284afcbe6fcda4

SHA1
f30bb5663fd8e7242bea6ebfaf6b2875c6138eb1

SHA256
39996c357f56725b021a50eb6814acbe94db171d1ee7becfbe77c634c29230df

SHA512
056ba67ab88747e60a6f0647eade1f825a512c6e47648eec81bcdc2a50c935bee71774de1da524acf603ea09be2f44465aa275054086c946b7d7e76f9f99dd6c

Download Submit
C:\Windows\system\JEZZnpR.exe

Filesize
5.7MB

MD5
987089ccf7173d430e51faa6b5b9e8e4

SHA1
3687d79e318f04c704c6baff786a618c17d2fb64

SHA256
e795407412bf3eb23c688149cc9693c0c71b3c96ac71c28f8e69c62c3ae4a4f5

SHA512
27e27f0e51ab7a8b84e11454ed37a5ca960d72e931fdf833c74c63874b8ae5c689d63948d3aaff7d288ec20e52d46fc0b257eb3ed94924f7c1d306cd77b508fe

Download Submit
C:\Windows\system\LLzLmQu.exe

Filesize
5.7MB

MD5
2d96a2c176baa90b8a9f4936be76936d

SHA1
639d989a81d2937c941deb40368b6513f6752150

SHA256
7e6b2dd76529912d11dec2465eb4879b0f4ec7f744ed12c44f16dd96abfbc5a4

SHA512
e6d444e4a24971d034dc99ec8bbee3129e3711f2922ca0e413054aef594e0565243970718e0d1378cf864b6df1c45e140c89e1b6a4e7ad23a770f3e010c032ca

Download Submit
C:\Windows\system\NuYdMhF.exe

Filesize
5.7MB

MD5
40172c6a58dad3e0ef6eeae26a75f4b6

SHA1
7eed42770516b3d79716271694fdd996a95e6668

SHA256
01ebb3cc81db14da5cc72330d9d2bfcfe6536896fa28474a716027ed97c2797e

SHA512
8b2da00524806c4df714aa07ccbfc54751518c803ced6c975af2f33d768ad7b081ef467fabe692d73647d38616349f43aa32ca304b0d12d266d2b46b77864623

Download Submit
C:\Windows\system\POXzOxA.exe

Filesize
5.7MB

MD5
becdb92f22751e558282a53dc7f6825a

SHA1
1841d29584e1518894d92b4e556274b6aa7d9419

SHA256
e4a38d32bb5ef709d7b3c6f8d677108285c9e8de832b015a5f01da0cd721f980

SHA512
dc9163297c77b35af90d02a9a73e372d98a5ebff954b06f7fb0dbc2a9f23218d816b4d4bc86d78e4fcb42c020f6b848464fd3e11e4823047c4a99605a9eaecfd

Download Submit
C:\Windows\system\WsvWeZq.exe

Filesize
5.7MB

MD5
1eee5653cf18cb0073e0847ce392d65f

SHA1
dfed76030c09ed38bdf06241bc6ea58d9ea00b9c

SHA256
a6893c17208eee413299b36f7f2bc9d38e5eec510c23d2db5a65034206248eb6

SHA512
465795355f8f7ea3386a53ce964b4ab78c55c06d29da06c863d1140c9a0aeb2db7700ca73654af4449ed8d4cdb6d3e0380b2d5818908b8a1d03b11f78e8e46d5

Download Submit
C:\Windows\system\XdFmIUA.exe

Filesize
5.7MB

MD5
ecd38a8562c41c9457ce4f1ef0c10c98

SHA1
817ae20817898f84aadf05fb9f0ecd2ec7c4ba26

SHA256
f0791f581dbaf679b11bc68f40b0131e397edccd53865c8cdd064b66f729f179

SHA512
9c361f9ba41f5898ce36252d331ad50e8d9715e1f5d91de5b95b5085ade027dc569b0b4e9b2a71b0779f805257d0f3a1a805738585317686c064d5baad7ec3d0

Download Submit
C:\Windows\system\XmBgnrT.exe

Filesize
5.7MB

MD5
bce6bd343b7b37981c2ed15522ae7310

SHA1
a97daadb7a28ff58f1423e189f38d47f96464206

SHA256
253c0176eb308dc9e7c1733403f2dcf3a1b00ba85de3ee216617d4d200baa716

SHA512
3f427659b88bf34a6c22b7389eaca95a85af042e7e86ed175012013223143b8648d99e396c323255bf5a203623a83188af73e71cb209453daad9e62a35f8e5b3

Download Submit
C:\Windows\system\dTlabGq.exe

Filesize
5.7MB

MD5
0dbb752bd119cfe5e808b81a3e32bc26

SHA1
ddbb2ff59de405ac746ae516a67934efab768004

SHA256
fc2f346f34897f6ce4dd120b24191ddf37e29f654fae7109c36bc6c20ab5e006

SHA512
3a13040b400cc0928ad85bd4f428bce4157bfabfb16b9020d703d5331523c87b2cf50c2ff06ebde726e85482370dc65d5236a226f7af1cadfe60b7c0a90a24b9

Download Submit
C:\Windows\system\dttjWiX.exe

Filesize
5.7MB

MD5
44bdd52397e3f62eb6d7d206908fc1b5

SHA1
e0b3d3da8586c51d30375be0af0719d7df844782

SHA256
5699693a601c3debb94d4f215f95e4a21016547b3f56d8d9eb4ef91711bff706

SHA512
319b7bfe87cb2e269680e994327e39eedab4a53ff2fa1aee8a48a5a464932b2b41ba5a9368384b3d456ff4b257cb173dbda042a9048f2126add08fdd01c9575c

Download Submit
C:\Windows\system\jszeAje.exe

Filesize
5.7MB

MD5
1370c8bab402976860f129fa98efa566

SHA1
7cb2651c9136bea07ca27bed7a3e0806eb52cb83

SHA256
c76755b35b304e1067655e50b5d6f630407866fc09bbdac2f3c827b51cb96646

SHA512
e8a3b83c78ae42d140f04c5cd6879b00582ade8c2b097622aea1a1315cd75115eaab0114785b379eafac33fb52fa49bfc26849bc4d138853241ddf9040bd38fa

Download Submit
C:\Windows\system\rCOfCNw.exe

Filesize
5.7MB

MD5
327d6a956e44003acde9f83e556aff68

SHA1
e30d6789a6b0b86ce7deffa46079c0f16e471331

SHA256
d1155194e1382c315c3d1b0a7157ba7d4fc3d96b2a2909c0549f86717ef9ef3e

SHA512
be93b870f48523d95204fed2f9a4971bde1514d336f2c39872df314d3aa7afdf5cf66ebb2984b27d7691cc44edf83c8fa8d68298365ce6fa602dd8dc37b4034e

Download Submit
C:\Windows\system\xZRxygS.exe

Filesize
5.7MB

MD5
d1cba4fb87340c979c17b0d5339bac7c

SHA1
4ac15e2677c48d3bc352bd98688d47f29e5f3f60

SHA256
267ee667a7718434561a693aff11908143b5a8212aaecb637f82cd6256b099a1

SHA512
a79c9e3ed43a83412b289fbd941a2cddd9cf7ae65e581ee906c066ed86127fa24326ccda2cd9c52ec69b51cc35a3db297c08549a38969620d709f7aca6a6961a

Download Submit
C:\Windows\system\xmHYaKv.exe

Filesize
5.7MB

MD5
01b247c33b578d3ffaa22d02e556001d

SHA1
3923d5bd4df984f856a4073b5a258c682444ce73

SHA256
d476a0a6efa006ab2dc4c3a9fe860f8316bc3ebe1be5f0f04e6712974192ce43

SHA512
c0a67e01435d4783e16d2edf63236805d109e5dff1eb61f85e45d0eb16e2050c1c2e1ad1908032775d2bd9aaaf3f8179517a3bb38c6c584612bc68c54bfdfa32

Download Submit
C:\Windows\system\zIfQRds.exe

Filesize
5.7MB

MD5
32610670c91ba6ada4527c2470453f2e

SHA1
2b91739014e190436b438908bf303ce9dca78b2c

SHA256
675daf9204eb0e4cf0b7868bbd926593c435327b4856da366215d3ba95f08f10

SHA512
6a4aeff33b110ac72ee3e360412a8c2c216ccc61bfbb8f1114e3857e90187271827270943e97938cd3c6f92a1418cccd091d9a4e2b49a0fe848e482ea7ca2f84

Download Submit
\Windows\system\gWrEmSI.exe

Filesize
5.7MB

MD5
d7e56543683e3c208273f4d14ed50441

SHA1
7fa2bdc6b63c43a7786c6d47f1b66b19835019d5

SHA256
38a1e158a841277e99cf140a357b7240f1049b548006d2a1a30aa59486710f6e

SHA512
0d238196a78767818f2e741836f6198be5443d150fe89cebf1cee8adce4ae9ce67bbfd259c151c3198075d499ba860b989f77927f48f1c54c508a94028f5fbe7

Download Submit
\Windows\system\ojazPLj.exe

Filesize
5.7MB

MD5
eb504bef8c76e5a4cdb8e120c4d68bad

SHA1
6605fe236f00e9cae930cd5c937fc4c9b51f2855

SHA256
b3d5e8c7be60588b98214dcc6451e5598bb8cfcb4ccb7126f3df054b0c20dfb9

SHA512
fe49467ad97b6e4738da7e1e1555f6db2358f755a26fe89e2574adcaa128fb0358a1c4a20efd0419573be8555460cdaa82dd4bc3a75ecfda3e031e737b11d774

Download Submit
memory/340-123-0x000000013F410000-0x000000013F75D000-memory.dmp

Filesize
3.3MB

Download
memory/452-106-0x000000013FE50000-0x000000014019D000-memory.dmp

Filesize
3.3MB

Download
memory/1908-122-0x000000013FAE0000-0x000000013FE2D000-memory.dmp

Filesize
3.3MB

Download
memory/1920-1-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/1920-0-0x000000013F100000-0x000000013F44D000-memory.dmp

Filesize
3.3MB

Download
memory/2040-89-0x000000013FAC0000-0x000000013FE0D000-memory.dmp

Filesize
3.3MB

Download
memory/2128-90-0x000000013FBE0000-0x000000013FF2D000-memory.dmp

Filesize
3.3MB

Download
memory/2144-124-0x000000013F480000-0x000000013F7CD000-memory.dmp

Filesize
3.3MB

Download
memory/2148-108-0x000000013F940000-0x000000013FC8D000-memory.dmp

Filesize
3.3MB

Download
memory/2328-88-0x000000013F050000-0x000000013F39D000-memory.dmp

Filesize
3.3MB

Download
memory/2408-7-0x000000013FDB0000-0x00000001400FD000-memory.dmp

Filesize
3.3MB

Download
memory/2616-120-0x000000013F670000-0x000000013F9BD000-memory.dmp

Filesize
3.3MB

Download
memory/2632-109-0x000000013FBC0000-0x000000013FF0D000-memory.dmp

Filesize
3.3MB

Download
memory/2660-114-0x000000013F7B0000-0x000000013FAFD000-memory.dmp

Filesize
3.3MB

Download
memory/2664-118-0x000000013F150000-0x000000013F49D000-memory.dmp

Filesize
3.3MB

Download
memory/2676-116-0x000000013FCE0000-0x000000014002D000-memory.dmp

Filesize
3.3MB

Download
memory/2728-101-0x000000013FD40000-0x000000014008D000-memory.dmp

Filesize
3.3MB

Download
memory/2740-112-0x000000013FFE0000-0x000000014032D000-memory.dmp

Filesize
3.3MB

Download
memory/2744-93-0x000000013F220000-0x000000013F56D000-memory.dmp

Filesize
3.3MB

Download
memory/2820-92-0x000000013F520000-0x000000013F86D000-memory.dmp

Filesize
3.3MB

Download
memory/2856-104-0x000000013F400000-0x000000013F74D000-memory.dmp

Filesize
3.3MB

Download
memory/2868-100-0x000000013FEF0000-0x000000014023D000-memory.dmp

Filesize
3.3MB

Download
memory/2884-91-0x000000013F810000-0x000000013FB5D000-memory.dmp

Filesize
3.3MB

Download