cobaltstrike | 283544ccaeb8547fc78ac6e287074cd1928a6415c6ecebee11d123bc9dcf8f39

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/01/2025, 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.7MB
MD5

7f4d659cd45dcdab09d655024f070793
SHA1

c93efe2fd41309a6b94fa9a3e3611c6158e139fd
SHA256

283544ccaeb8547fc78ac6e287074cd1928a6415c6ecebee11d123bc9dcf8f39
SHA512

3c7f9b3d8feede68f4d2e055cdf993621713196dd90e146528373c6e9a4da47b8438459b610b2afdac25519776ad50988798efd354bf2f842e61922cc1843a02
SSDEEP

98304:4emTLkNdfE0pZaJ56utgpPFotBER/mQ32lUt:j+R56utgpPF8u/7t

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0009000000023c57-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cac-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cab-15.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caf-32.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cae-33.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cad-29.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb0-41.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023ca8-47.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb1-56.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb4-68.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb5-74.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb6-84.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb3-67.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb2-62.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb9-96.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cba-101.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbb-108.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb7-90.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbc-113.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbd-119.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbe-124.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 43 IoCs

miner

resource	yara_rule
behavioral2/memory/4024-0-0x00007FF6C3200000-0x00007FF6C354D000-memory.dmp	xmrig
behavioral2/files/0x0009000000023c57-4.dat	xmrig
behavioral2/memory/3192-7-0x00007FF634660000-0x00007FF6349AD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cac-10.dat	xmrig
behavioral2/files/0x0007000000023cab-15.dat	xmrig
behavioral2/files/0x0007000000023caf-32.dat	xmrig
behavioral2/memory/4220-37-0x00007FF6D8740000-0x00007FF6D8A8D000-memory.dmp	xmrig
behavioral2/memory/824-34-0x00007FF7B7960000-0x00007FF7B7CAD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cae-33.dat	xmrig
behavioral2/memory/3872-30-0x00007FF72E220000-0x00007FF72E56D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cad-29.dat	xmrig
behavioral2/memory/1572-27-0x00007FF654D70000-0x00007FF6550BD000-memory.dmp	xmrig
behavioral2/memory/1904-16-0x00007FF7AF8D0000-0x00007FF7AFC1D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cb0-41.dat	xmrig
behavioral2/memory/3576-43-0x00007FF73A100000-0x00007FF73A44D000-memory.dmp	xmrig
behavioral2/files/0x0008000000023ca8-47.dat	xmrig
behavioral2/memory/1712-49-0x00007FF797180000-0x00007FF7974CD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cb1-56.dat	xmrig
behavioral2/files/0x0007000000023cb4-68.dat	xmrig
behavioral2/files/0x0007000000023cb5-74.dat	xmrig
behavioral2/memory/2796-69-0x00007FF612D10000-0x00007FF61305D000-memory.dmp	xmrig
behavioral2/memory/3236-82-0x00007FF743390000-0x00007FF7436DD000-memory.dmp	xmrig
behavioral2/memory/4404-85-0x00007FF6920F0000-0x00007FF69243D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cb6-84.dat	xmrig
behavioral2/memory/2296-79-0x00007FF65CEE0000-0x00007FF65D22D000-memory.dmp	xmrig
behavioral2/memory/1284-64-0x00007FF7FD880000-0x00007FF7FDBCD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cb3-67.dat	xmrig
behavioral2/files/0x0007000000023cb2-62.dat	xmrig
behavioral2/memory/2236-61-0x00007FF6AEEE0000-0x00007FF6AF22D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cb9-96.dat	xmrig
behavioral2/memory/4500-91-0x00007FF611F30000-0x00007FF61227D000-memory.dmp	xmrig
behavioral2/memory/4832-97-0x00007FF636BB0000-0x00007FF636EFD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cba-101.dat	xmrig
behavioral2/memory/228-109-0x00007FF7F0380000-0x00007FF7F06CD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cbb-108.dat	xmrig
behavioral2/memory/4960-103-0x00007FF789EA0000-0x00007FF78A1ED000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cb7-90.dat	xmrig
behavioral2/files/0x0007000000023cbc-113.dat	xmrig
behavioral2/memory/1848-115-0x00007FF66BFE0000-0x00007FF66C32D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cbd-119.dat	xmrig
behavioral2/memory/552-121-0x00007FF797AE0000-0x00007FF797E2D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cbe-124.dat	xmrig
behavioral2/memory/2800-126-0x00007FF7AB990000-0x00007FF7ABCDD000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3192	MkIlDAN.exe
1904	WtViDyo.exe
1572	OaiChpF.exe
3872	wNkQiwn.exe
824	kAkNlAC.exe
4220	jyjtofU.exe
3576	ZEXRJaz.exe
1712	UvJReSZ.exe
1284	tzEJtix.exe
2236	OpkpROT.exe
2796	QsTHpZX.exe
2296	RqMkeJP.exe
3236	ugjlLSM.exe
4404	YkkfhJG.exe
4500	YYsTgDk.exe
4832	rfamRSu.exe
4960	livbcWb.exe
228	iNspSYU.exe
1848	RVotQVU.exe
552	CMndrNJ.exe
2800	PAggoZd.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\wNkQiwn.exe	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kAkNlAC.exe	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jyjtofU.exe	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ugjlLSM.exe	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PAggoZd.exe	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MkIlDAN.exe	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OaiChpF.exe	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tzEJtix.exe	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QsTHpZX.exe	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\livbcWb.exe	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RVotQVU.exe	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CMndrNJ.exe	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZEXRJaz.exe	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UvJReSZ.exe	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YkkfhJG.exe	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YYsTgDk.exe	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rfamRSu.exe	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iNspSYU.exe	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WtViDyo.exe	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RqMkeJP.exe	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OpkpROT.exe	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4024	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4024	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4024 wrote to memory of 3192	4024	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4024 wrote to memory of 3192	4024	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4024 wrote to memory of 1904	4024	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4024 wrote to memory of 1904	4024	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4024 wrote to memory of 1572	4024	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4024 wrote to memory of 1572	4024	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4024 wrote to memory of 3872	4024	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4024 wrote to memory of 3872	4024	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4024 wrote to memory of 824	4024	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4024 wrote to memory of 824	4024	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4024 wrote to memory of 4220	4024	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4024 wrote to memory of 4220	4024	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4024 wrote to memory of 3576	4024	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4024 wrote to memory of 3576	4024	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4024 wrote to memory of 1712	4024	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4024 wrote to memory of 1712	4024	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4024 wrote to memory of 2236	4024	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4024 wrote to memory of 2236	4024	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4024 wrote to memory of 1284	4024	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4024 wrote to memory of 1284	4024	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4024 wrote to memory of 2796	4024	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4024 wrote to memory of 2796	4024	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4024 wrote to memory of 2296	4024	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4024 wrote to memory of 2296	4024	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4024 wrote to memory of 3236	4024	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4024 wrote to memory of 3236	4024	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4024 wrote to memory of 4404	4024	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4024 wrote to memory of 4404	4024	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4024 wrote to memory of 4500	4024	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4024 wrote to memory of 4500	4024	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4024 wrote to memory of 4832	4024	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4024 wrote to memory of 4832	4024	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4024 wrote to memory of 4960	4024	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4024 wrote to memory of 4960	4024	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4024 wrote to memory of 228	4024	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4024 wrote to memory of 228	4024	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4024 wrote to memory of 1848	4024	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4024 wrote to memory of 1848	4024	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4024 wrote to memory of 552	4024	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4024 wrote to memory of 552	4024	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4024 wrote to memory of 2800	4024	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4024 wrote to memory of 2800	4024	2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-22_7f4d659cd45dcdab09d655024f070793_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4024
- C:\Windows\System\MkIlDAN.exe
  C:\Windows\System\MkIlDAN.exe
  2⤵
  - Executes dropped EXE
  PID:3192
- C:\Windows\System\WtViDyo.exe
  C:\Windows\System\WtViDyo.exe
  2⤵
  - Executes dropped EXE
  PID:1904
- C:\Windows\System\OaiChpF.exe
  C:\Windows\System\OaiChpF.exe
  2⤵
  - Executes dropped EXE
  PID:1572
- C:\Windows\System\wNkQiwn.exe
  C:\Windows\System\wNkQiwn.exe
  2⤵
  - Executes dropped EXE
  PID:3872
- C:\Windows\System\kAkNlAC.exe
  C:\Windows\System\kAkNlAC.exe
  2⤵
  - Executes dropped EXE
  PID:824
- C:\Windows\System\jyjtofU.exe
  C:\Windows\System\jyjtofU.exe
  2⤵
  - Executes dropped EXE
  PID:4220
- C:\Windows\System\ZEXRJaz.exe
  C:\Windows\System\ZEXRJaz.exe
  2⤵
  - Executes dropped EXE
  PID:3576
- C:\Windows\System\UvJReSZ.exe
  C:\Windows\System\UvJReSZ.exe
  2⤵
  - Executes dropped EXE
  PID:1712
- C:\Windows\System\OpkpROT.exe
  C:\Windows\System\OpkpROT.exe
  2⤵
  - Executes dropped EXE
  PID:2236
- C:\Windows\System\tzEJtix.exe
  C:\Windows\System\tzEJtix.exe
  2⤵
  - Executes dropped EXE
  PID:1284
- C:\Windows\System\QsTHpZX.exe
  C:\Windows\System\QsTHpZX.exe
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\System\RqMkeJP.exe
  C:\Windows\System\RqMkeJP.exe
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Windows\System\ugjlLSM.exe
  C:\Windows\System\ugjlLSM.exe
  2⤵
  - Executes dropped EXE
  PID:3236
- C:\Windows\System\YkkfhJG.exe
  C:\Windows\System\YkkfhJG.exe
  2⤵
  - Executes dropped EXE
  PID:4404
- C:\Windows\System\YYsTgDk.exe
  C:\Windows\System\YYsTgDk.exe
  2⤵
  - Executes dropped EXE
  PID:4500
- C:\Windows\System\rfamRSu.exe
  C:\Windows\System\rfamRSu.exe
  2⤵
  - Executes dropped EXE
  PID:4832
- C:\Windows\System\livbcWb.exe
  C:\Windows\System\livbcWb.exe
  2⤵
  - Executes dropped EXE
  PID:4960
- C:\Windows\System\iNspSYU.exe
  C:\Windows\System\iNspSYU.exe
  2⤵
  - Executes dropped EXE
  PID:228
- C:\Windows\System\RVotQVU.exe
  C:\Windows\System\RVotQVU.exe
  2⤵
  - Executes dropped EXE
  PID:1848
- C:\Windows\System\CMndrNJ.exe
  C:\Windows\System\CMndrNJ.exe
  2⤵
  - Executes dropped EXE
  PID:552
- C:\Windows\System\PAggoZd.exe
  C:\Windows\System\PAggoZd.exe
  2⤵
  - Executes dropped EXE
  PID:2800

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CMndrNJ.exe

Filesize
5.7MB

MD5
be773f3ef0a0ecf22fbaf3cf0b6e1fe5

SHA1
576229fff2a7b3a2d762c1fcca9eb5d341a4b1ac

SHA256
4ffe94b6ae0bd319c5bc44d38cf662af39ec6c8294bc363c8707ffb895ab6c26

SHA512
95c755936c47317c9b169361ad585c52f001c6706786e8f03e783aba3bb3f96eb2f5a564a56cb8a2f20274b2f3d7f9c01546c93c1a4e1f61c47c848f03bcdd1a

Download Submit
C:\Windows\System\MkIlDAN.exe

Filesize
5.7MB

MD5
f478cef85e03d4861fb0a23ae81288b9

SHA1
44848144eaae70297a59c63d8ec566564e7076a8

SHA256
da16d9fca717be3f37f25e9895576afa87b2a55598d9ffe82b4f1f2abc299aa8

SHA512
7c973930559545829d3ce1ebbdab856b28812c9d3b958716ee62dbc6f1e540ff690c822fb72b55e6de2af115f98b408cdb4de9b252aff1e83487d98001f05681

Download Submit
C:\Windows\System\OaiChpF.exe

Filesize
5.7MB

MD5
ca6c581ac790a6caf0fc6b7918abf3ca

SHA1
3ed343e75076a0e89d282fe30d1190b76639b456

SHA256
50813fe23e58ead527b6d307207b64adc799f630f445545a86906d851448d036

SHA512
3b8377495c0353475a627602b6ea79eaadda4401921ce0eacaafbcea2e5a87964c89337bb686ab906513d30c18313aeec9641bf7d564e1ec1da99ffc804971cb

Download Submit
C:\Windows\System\OpkpROT.exe

Filesize
5.7MB

MD5
557bc6aeffb48cb0215ef6735244742f

SHA1
8bab5cc84c7639db055f52ee794c46b23f85138b

SHA256
db19a2a969263858d07c9bb07d56f908549477f7bfa9763a884d0cda40cfa4e6

SHA512
f0a42821d4482668dc115975caf1d2cd388681798804752bb15f2396be4ed590350c7c5e1c7fd51b8ae1a4c027f283f1fd232dd3a1746d8bb825a3dde7351c47

Download Submit
C:\Windows\System\PAggoZd.exe

Filesize
5.7MB

MD5
faa0cdf0c7a5dc8d4779a45d40241b9b

SHA1
3d1f730bb3b126b4ee8abad09c3470ff3b8672a6

SHA256
a378f23d2366d0d5c04f8ebdc889e768482546445de8e36bccb06d1532bb1131

SHA512
db457e5e63fd863ed9165d5be2796c29a3c2b8929804aa023365393a487053fd0f607cfcd84794cc98306b9405286d4dc01b92494013a7e027c7882c45183a6e

Download Submit
C:\Windows\System\QsTHpZX.exe

Filesize
5.7MB

MD5
e89f857e60b84c605592313a7a6f8704

SHA1
323edb3a17c2b8c9eda6c03c45493c512519f89e

SHA256
b021968aad2461e707015dbdec936da0eeba8e90dcbb292d64489b235d3f6cea

SHA512
630ea1d060aebe0461db2d806f47a458335679380b63d8abd5d64a9036f0e68eb70ee1cee8fd6325ac347a3a59aab24941129b89444558de3ff851d151777cc8

Download Submit
C:\Windows\System\RVotQVU.exe

Filesize
5.7MB

MD5
b1a2492f91722acc3fc85595028c4d6f

SHA1
5ded4053b82987c13cfb5ec0d71a02b7ab121cbd

SHA256
1ea57f9b014c0d86321e95035ab8e9a45958e274f1a262949fffdd0c227cf8f5

SHA512
46df9b2fc6b81a0bc0afa30505801701c7e0f021045007ca78417de24fde5ce990a963d97209eba844b0a5a163ec2df9ed7bbb9dfd97e72d6284977bb5954638

Download Submit
C:\Windows\System\RqMkeJP.exe

Filesize
5.7MB

MD5
e77f5c86802af2dbba5d5a724bec58ac

SHA1
223455a245afd4e7a7d6adbbdb2bc5934dea7fb7

SHA256
29a86cdc51463ffb714aa6fbcd983e940e31cf19be6722ab108537070026144d

SHA512
c3d253d4a5c059690dc7f2c1259bfe4a97166f0f567e290b456ad31482aa8d6c27db70f0e084c6778a7d78db786a5426eed047503fd62ecb124419c39dd478de

Download Submit
C:\Windows\System\UvJReSZ.exe

Filesize
5.7MB

MD5
c8d9ddd0b6fd64756b766a1d24b055b8

SHA1
3fe97965d67a710beac451012126cece313b258a

SHA256
d6e131b6357dd9ea813ecdb06364d03e7afa9a10bc9e1b453d2ef98c2e3ec7e8

SHA512
bc997f6a83e7f7d563063ecae65826181aa46fd963ea8a712ffca09ceb54371a8f4028dc8938f03ab74939df3749317d01e4894dec7a271e2f3be58f918aa722

Download Submit
C:\Windows\System\WtViDyo.exe

Filesize
5.7MB

MD5
fb0f2baf6bf1d239704bd38d0720bfdb

SHA1
afaa98e329e2a8470777f5510fa079883b7d353f

SHA256
42443adda2ee96859f416ddc220118eca08196e4e0d9a35408997cf1bfe1f138

SHA512
5d69077f207d0d330f05565cba0638622289ce4a1261f5481b5db2898c4f237288e41dfca37be4ddd300229d0aed75436d8e7ea2f6411eb40c43b8fb58de5ea7

Download Submit
C:\Windows\System\YYsTgDk.exe

Filesize
5.7MB

MD5
ca602dee408d07ec7cebe5dc147dc683

SHA1
89fa5aeb95acb46402a6782d35603c4cea706204

SHA256
b6ee97909c141e81fccdd2966d3033683edd5d07b1feeda8713e255602da4876

SHA512
7311a2f2cc7ac0458553473e2ccf43dab540c5dfb0b8dd8e2bc0c9ef18a40898d801d895616d869ce1c7886b71e2ec39b1e889415a471c3b5cb9cc1941a34ce2

Download Submit
C:\Windows\System\YkkfhJG.exe

Filesize
5.7MB

MD5
625019d01ca3ea5cb2d04f220d294ed2

SHA1
4b47a338f884bf988ec0cd33f330e596b7f93c4a

SHA256
7cf4c4320bac1560e9fe191fe6f808a54346e6cf4966be8b235c41b05485ec45

SHA512
d0ed22d27d2ba4261da21c207ed172e9df89ce1373fc8e1fec13a070d8f3098a43ff57c6f2d69b2f50f67dc7bb779afd806446c9fbefb54ec0f35eeef9b26822

Download Submit
C:\Windows\System\ZEXRJaz.exe

Filesize
5.7MB

MD5
531da6a97a081a66e52cd9205d0eda0e

SHA1
dd425757b940ee656e399b84c45eb5b0641012c1

SHA256
b3277991742065ff686d213965b73f49bec6d2f9790eea5ae24465e70de6e611

SHA512
4d226f9a96f124ab6d403214071a6fccf6b7a7efe099b485007f54202bdbf6809621f08ee712c10d3ce7754234bca4caf476974a4b1c3bf9e6e18be88de9b612

Download Submit
C:\Windows\System\iNspSYU.exe

Filesize
5.7MB

MD5
dc8901fd5ba18373a0d1959ea2168425

SHA1
0607954ab91f1adfec14f22d40700f37e6613986

SHA256
e669ff76b5b16525cb628189e1f18cf602e0bf8cf1371df9d2b3ce14ce18ec6d

SHA512
b30dc7f31d52adcd78c874991d4d74fda22490d40b8c9c2d4b611da43b37fc8d4b6ada484a7f87cabb19a34f172aac1b2a5c2b841957ea928c1d0c71b6f45416

Download Submit
C:\Windows\System\jyjtofU.exe

Filesize
5.7MB

MD5
31e8e3dab499ab7f123a2b89b4929b85

SHA1
54d37cdbdb7d2480ba120591f8eb657f63b698b2

SHA256
293c7835cfa3c83d4fdd5db869310283db6467e24ea19f8aec97f629f57fb664

SHA512
7fb2d7805a6af996d5ab8b7e6771640beb73a5280a80da955b83421a6bfc72d15c1157c182ffac851842df1b00b2f71f1114c9f4d9801597951841f54517b79b

Download Submit
C:\Windows\System\kAkNlAC.exe

Filesize
5.7MB

MD5
f83e19f0ac5a79a043e78ec600fe7ccb

SHA1
f2aa504151368d287833571972e07c0aa661e085

SHA256
13a8dd81dbffacb1a32a65b195011b629b7f081858f88f579f325b9e665ccb7a

SHA512
d1d433823151e6e6940c681e1e666a794a5671649b40e29d560b64db6b9633be7d2eb54e0cec47ca81305c12c5be5ef90468d2e4dff81498f65a14164b7d82e1

Download Submit
C:\Windows\System\livbcWb.exe

Filesize
5.7MB

MD5
036b164a66db8d68b8a309b5491c686d

SHA1
14eacaf5c1ef0d72fa7b39eda47480f1c115a84b

SHA256
9137090689e8c7ab2ce51b5e18ea2a314fc2e2a11a96e70111d047fd2ac882b9

SHA512
67833d1a519bddc8c84d80f89065566b14f5fcbb7d4c54004b00787a130be7839088a3749d490bea7ff9985764db6862829f9b4714ddbad4cca98b66f922d723

Download Submit
C:\Windows\System\rfamRSu.exe

Filesize
5.7MB

MD5
2376701274d986b9a2fbbf4b47d9628f

SHA1
143255da70abacfa6c659efda235c1b6d75d75f0

SHA256
908eb75525ca5f865fd68aee193743d9b3dd9b04ad832b8ac9817f2ab124f079

SHA512
7c5be9f4c741e3c29233f2196154022845a29a189f0421df8406b8383407b0c3b2dbab83ecaf16b9e2398cfdc623d9f3a1ebdaa4a4e6ce98b243a856416ba43b

Download Submit
C:\Windows\System\tzEJtix.exe

Filesize
5.7MB

MD5
7a970bb829ee5cbd376cd84285900193

SHA1
778e6ba94136b80481f75a97b50cdfd938280056

SHA256
725d15e76c2f617d1c88dcd19fe9af2f747c7d1633986d5e8ca6bde9f3c48c2c

SHA512
92c313c4ddccdea06c66a72699508fce680ae89fbbe077cd264f717a06adc762c4b2aae6a8be5b8cc80e8a77a73ff1a7acbeeaac6b1acb53cc1b9983844a6e8c

Download Submit
C:\Windows\System\ugjlLSM.exe

Filesize
5.7MB

MD5
d98a0f53989fa7dc4ff7bd3be33c61b0

SHA1
9b15904811e03cd7ccaa7a95f60b78e04007ff41

SHA256
148847f058e5578f2ebc0c7b77c0dfa67af74c730d58ccdeb86b07415fe061a0

SHA512
eaae28cf22c9bcb6d1a833e3947823f33b4fa6ae5f21735dd51bda26730c41de7745b2a57d71e5466ccee31cee7e53fb1df9dac197866b26b5d5185687b651c3

Download Submit
C:\Windows\System\wNkQiwn.exe

Filesize
5.7MB

MD5
cda36463041bd0767e921ba540660b5b

SHA1
a92b64ede5f233cb5d7cacdef854a9f1201608be

SHA256
3c6351544c44cd140ac74bc49e58a588c7be3f1bd21dd9c7efc2ebf4cad98bdf

SHA512
9fc6a2e868952abcb5d8ee2e913ba5790a7b5d9beac258e0bfd9c1c0e1c1ae7e15bcd2cf3d7e4974649451125a2cf95aea455d99bff94826b585607631398040

Download Submit
memory/228-109-0x00007FF7F0380000-0x00007FF7F06CD000-memory.dmp

Filesize
3.3MB

Download
memory/552-121-0x00007FF797AE0000-0x00007FF797E2D000-memory.dmp

Filesize
3.3MB

Download
memory/824-34-0x00007FF7B7960000-0x00007FF7B7CAD000-memory.dmp

Filesize
3.3MB

Download
memory/1284-64-0x00007FF7FD880000-0x00007FF7FDBCD000-memory.dmp

Filesize
3.3MB

Download
memory/1572-27-0x00007FF654D70000-0x00007FF6550BD000-memory.dmp

Filesize
3.3MB

Download
memory/1712-49-0x00007FF797180000-0x00007FF7974CD000-memory.dmp

Filesize
3.3MB

Download
memory/1848-115-0x00007FF66BFE0000-0x00007FF66C32D000-memory.dmp

Filesize
3.3MB

Download
memory/1904-16-0x00007FF7AF8D0000-0x00007FF7AFC1D000-memory.dmp

Filesize
3.3MB

Download
memory/2236-61-0x00007FF6AEEE0000-0x00007FF6AF22D000-memory.dmp

Filesize
3.3MB

Download
memory/2296-79-0x00007FF65CEE0000-0x00007FF65D22D000-memory.dmp

Filesize
3.3MB

Download
memory/2796-69-0x00007FF612D10000-0x00007FF61305D000-memory.dmp

Filesize
3.3MB

Download
memory/2800-126-0x00007FF7AB990000-0x00007FF7ABCDD000-memory.dmp

Filesize
3.3MB

Download
memory/3192-7-0x00007FF634660000-0x00007FF6349AD000-memory.dmp

Filesize
3.3MB

Download
memory/3236-82-0x00007FF743390000-0x00007FF7436DD000-memory.dmp

Filesize
3.3MB

Download
memory/3576-43-0x00007FF73A100000-0x00007FF73A44D000-memory.dmp

Filesize
3.3MB

Download
memory/3872-30-0x00007FF72E220000-0x00007FF72E56D000-memory.dmp

Filesize
3.3MB

Download
memory/4024-1-0x0000013885880000-0x0000013885890000-memory.dmp

Filesize
64KB

Download
memory/4024-0-0x00007FF6C3200000-0x00007FF6C354D000-memory.dmp

Filesize
3.3MB

Download
memory/4220-37-0x00007FF6D8740000-0x00007FF6D8A8D000-memory.dmp

Filesize
3.3MB

Download
memory/4404-85-0x00007FF6920F0000-0x00007FF69243D000-memory.dmp

Filesize
3.3MB

Download
memory/4500-91-0x00007FF611F30000-0x00007FF61227D000-memory.dmp

Filesize
3.3MB

Download
memory/4832-97-0x00007FF636BB0000-0x00007FF636EFD000-memory.dmp

Filesize
3.3MB

Download
memory/4960-103-0x00007FF789EA0000-0x00007FF78A1ED000-memory.dmp

Filesize
3.3MB

Download