cobaltstrike | d0cfcee5c86b5f229e2e908e00c1937666def8d045e49f6243ed1fd1f511c0f9

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-01-2025 12:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.7MB
MD5

9f757061a1f63b3ec5a7b62afb90623f
SHA1

f7b9728eab3f767e5816b4beb503eeed2ec46bb0
SHA256

d0cfcee5c86b5f229e2e908e00c1937666def8d045e49f6243ed1fd1f511c0f9
SHA512

144cb6b738219a36e5bbac5917d18926a2efff27b9b61fc7fd3b303b5f66302ba399578b10c2c32080f05f7b8154aae5820065150f4cbf88b05d93d99f693895
SSDEEP

98304:4emTLkNdfE0pZaJ56utgpPFotBER/mQ32lU/:j+R56utgpPF8u/7/

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000a000000023c01-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9f-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9e-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca1-23.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c9b-30.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca2-35.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca3-41.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca4-47.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca5-54.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca6-58.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca7-64.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca9-71.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caa-77.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cab-82.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cac-89.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cad-94.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb0-106.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb1-114.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb2-119.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cae-102.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb3-124.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 43 IoCs

miner

resource	yara_rule
behavioral2/memory/2448-0-0x00007FF6D3DB0000-0x00007FF6D40FD000-memory.dmp	xmrig
behavioral2/files/0x000a000000023c01-5.dat	xmrig
behavioral2/files/0x0007000000023c9f-10.dat	xmrig
behavioral2/files/0x0007000000023c9e-11.dat	xmrig
behavioral2/memory/4680-13-0x00007FF679140000-0x00007FF67948D000-memory.dmp	xmrig
behavioral2/memory/4784-7-0x00007FF7974F0000-0x00007FF79783D000-memory.dmp	xmrig
behavioral2/memory/4976-19-0x00007FF6FCE90000-0x00007FF6FD1DD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023ca1-23.dat	xmrig
behavioral2/files/0x0008000000023c9b-30.dat	xmrig
behavioral2/memory/4884-31-0x00007FF6E3790000-0x00007FF6E3ADD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023ca2-35.dat	xmrig
behavioral2/memory/1548-37-0x00007FF6C7200000-0x00007FF6C754D000-memory.dmp	xmrig
behavioral2/memory/1508-25-0x00007FF62C690000-0x00007FF62C9DD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023ca3-41.dat	xmrig
behavioral2/memory/1044-43-0x00007FF65E090000-0x00007FF65E3DD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023ca4-47.dat	xmrig
behavioral2/memory/3336-49-0x00007FF793D80000-0x00007FF7940CD000-memory.dmp	xmrig
behavioral2/memory/2904-55-0x00007FF70FE40000-0x00007FF71018D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023ca5-54.dat	xmrig
behavioral2/files/0x0007000000023ca6-58.dat	xmrig
behavioral2/memory/4348-61-0x00007FF7831B0000-0x00007FF7834FD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023ca7-64.dat	xmrig
behavioral2/memory/4952-67-0x00007FF73B030000-0x00007FF73B37D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023ca9-71.dat	xmrig
behavioral2/files/0x0007000000023caa-77.dat	xmrig
behavioral2/memory/2940-79-0x00007FF6894F0000-0x00007FF68983D000-memory.dmp	xmrig
behavioral2/memory/1984-73-0x00007FF77BFC0000-0x00007FF77C30D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cab-82.dat	xmrig
behavioral2/memory/3528-85-0x00007FF61B960000-0x00007FF61BCAD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cac-89.dat	xmrig
behavioral2/memory/2724-91-0x00007FF77EA50000-0x00007FF77ED9D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cad-94.dat	xmrig
behavioral2/memory/5084-97-0x00007FF695A60000-0x00007FF695DAD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cb0-106.dat	xmrig
behavioral2/memory/4824-109-0x00007FF692320000-0x00007FF69266D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cb1-114.dat	xmrig
behavioral2/memory/844-115-0x00007FF6469F0000-0x00007FF646D3D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cb2-119.dat	xmrig
behavioral2/memory/1996-121-0x00007FF68A0E0000-0x00007FF68A42D000-memory.dmp	xmrig
behavioral2/memory/2884-104-0x00007FF61C300000-0x00007FF61C64D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cae-102.dat	xmrig
behavioral2/files/0x0007000000023cb3-124.dat	xmrig
behavioral2/memory/5004-126-0x00007FF795060000-0x00007FF7953AD000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4784	gxeBcxj.exe
4680	JuJWsTB.exe
4976	aHhtlVO.exe
1508	KPxLTmP.exe
4884	FyBaATW.exe
1548	QuZMNxd.exe
1044	ywiPMcx.exe
3336	klmcLpZ.exe
2904	BSzjyCC.exe
4348	MBbjugY.exe
4952	aifbeUp.exe
1984	cXCoGtr.exe
2940	KymjfHd.exe
3528	aRWfDEI.exe
2724	UlKUsTv.exe
5084	fYfmkJH.exe
2884	ZHnfDYt.exe
4824	bzJpVTO.exe
844	AJbPzbF.exe
1996	KflUwVC.exe
5004	TbxtxVA.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\BSzjyCC.exe	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KymjfHd.exe	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fYfmkJH.exe	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AJbPzbF.exe	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TbxtxVA.exe	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gxeBcxj.exe	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QuZMNxd.exe	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ywiPMcx.exe	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MBbjugY.exe	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cXCoGtr.exe	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UlKUsTv.exe	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aHhtlVO.exe	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aRWfDEI.exe	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZHnfDYt.exe	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JuJWsTB.exe	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KPxLTmP.exe	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FyBaATW.exe	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\klmcLpZ.exe	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aifbeUp.exe	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bzJpVTO.exe	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KflUwVC.exe	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2448	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2448	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 4784	2448	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2448 wrote to memory of 4784	2448	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2448 wrote to memory of 4680	2448	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2448 wrote to memory of 4680	2448	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2448 wrote to memory of 4976	2448	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2448 wrote to memory of 4976	2448	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2448 wrote to memory of 1508	2448	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2448 wrote to memory of 1508	2448	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2448 wrote to memory of 4884	2448	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2448 wrote to memory of 4884	2448	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2448 wrote to memory of 1548	2448	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2448 wrote to memory of 1548	2448	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2448 wrote to memory of 1044	2448	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2448 wrote to memory of 1044	2448	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2448 wrote to memory of 3336	2448	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2448 wrote to memory of 3336	2448	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2448 wrote to memory of 2904	2448	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2448 wrote to memory of 2904	2448	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2448 wrote to memory of 4348	2448	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2448 wrote to memory of 4348	2448	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2448 wrote to memory of 4952	2448	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2448 wrote to memory of 4952	2448	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2448 wrote to memory of 1984	2448	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2448 wrote to memory of 1984	2448	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2448 wrote to memory of 2940	2448	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2448 wrote to memory of 2940	2448	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2448 wrote to memory of 3528	2448	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2448 wrote to memory of 3528	2448	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2448 wrote to memory of 2724	2448	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2448 wrote to memory of 2724	2448	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2448 wrote to memory of 5084	2448	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2448 wrote to memory of 5084	2448	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2448 wrote to memory of 2884	2448	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2448 wrote to memory of 2884	2448	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2448 wrote to memory of 4824	2448	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2448 wrote to memory of 4824	2448	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2448 wrote to memory of 844	2448	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2448 wrote to memory of 844	2448	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2448 wrote to memory of 1996	2448	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 2448 wrote to memory of 1996	2448	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 2448 wrote to memory of 5004	2448	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 2448 wrote to memory of 5004	2448	2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe	107

C:\Users\Admin\AppData\Local\Temp\2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-22_9f757061a1f63b3ec5a7b62afb90623f_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Windows\System\gxeBcxj.exe
  C:\Windows\System\gxeBcxj.exe
  2⤵
  - Executes dropped EXE
  PID:4784
- C:\Windows\System\JuJWsTB.exe
  C:\Windows\System\JuJWsTB.exe
  2⤵
  - Executes dropped EXE
  PID:4680
- C:\Windows\System\aHhtlVO.exe
  C:\Windows\System\aHhtlVO.exe
  2⤵
  - Executes dropped EXE
  PID:4976
- C:\Windows\System\KPxLTmP.exe
  C:\Windows\System\KPxLTmP.exe
  2⤵
  - Executes dropped EXE
  PID:1508
- C:\Windows\System\FyBaATW.exe
  C:\Windows\System\FyBaATW.exe
  2⤵
  - Executes dropped EXE
  PID:4884
- C:\Windows\System\QuZMNxd.exe
  C:\Windows\System\QuZMNxd.exe
  2⤵
  - Executes dropped EXE
  PID:1548
- C:\Windows\System\ywiPMcx.exe
  C:\Windows\System\ywiPMcx.exe
  2⤵
  - Executes dropped EXE
  PID:1044
- C:\Windows\System\klmcLpZ.exe
  C:\Windows\System\klmcLpZ.exe
  2⤵
  - Executes dropped EXE
  PID:3336
- C:\Windows\System\BSzjyCC.exe
  C:\Windows\System\BSzjyCC.exe
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\System\MBbjugY.exe
  C:\Windows\System\MBbjugY.exe
  2⤵
  - Executes dropped EXE
  PID:4348
- C:\Windows\System\aifbeUp.exe
  C:\Windows\System\aifbeUp.exe
  2⤵
  - Executes dropped EXE
  PID:4952
- C:\Windows\System\cXCoGtr.exe
  C:\Windows\System\cXCoGtr.exe
  2⤵
  - Executes dropped EXE
  PID:1984
- C:\Windows\System\KymjfHd.exe
  C:\Windows\System\KymjfHd.exe
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\System\aRWfDEI.exe
  C:\Windows\System\aRWfDEI.exe
  2⤵
  - Executes dropped EXE
  PID:3528
- C:\Windows\System\UlKUsTv.exe
  C:\Windows\System\UlKUsTv.exe
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\System\fYfmkJH.exe
  C:\Windows\System\fYfmkJH.exe
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Windows\System\ZHnfDYt.exe
  C:\Windows\System\ZHnfDYt.exe
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\System\bzJpVTO.exe
  C:\Windows\System\bzJpVTO.exe
  2⤵
  - Executes dropped EXE
  PID:4824
- C:\Windows\System\AJbPzbF.exe
  C:\Windows\System\AJbPzbF.exe
  2⤵
  - Executes dropped EXE
  PID:844
- C:\Windows\System\KflUwVC.exe
  C:\Windows\System\KflUwVC.exe
  2⤵
  - Executes dropped EXE
  PID:1996
- C:\Windows\System\TbxtxVA.exe
  C:\Windows\System\TbxtxVA.exe
  2⤵
  - Executes dropped EXE
  PID:5004

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AJbPzbF.exe

Filesize
5.7MB

MD5
e041d2ec9d51f3fe049e3007165c3650

SHA1
62eb3a0d7f283a7f6adf0ff69abc8d410b67bf11

SHA256
0ff03a9beab663c864887216f460b12e20592d07b2bdf98367dc36bc58b60259

SHA512
1b0c6d6673bbf632222794179c94b51018f457475c06b2768ea7cae81830f8147a978351df1c7f432a80e164a505e498c9da82a1427204dfcb22f8550d871a2c

Download Submit
C:\Windows\System\BSzjyCC.exe

Filesize
5.7MB

MD5
cb0003180d7a0fd375830c27b7e4783d

SHA1
72337006abd93cd2da353c60b1a6058b5ffb97ac

SHA256
8acbd1c8a180ee25edd075de5d620ae0ef1f3377e67dce6bac60b2eecc949994

SHA512
8e1e419818f5552e6b3c89d2914daff77b8fdab3666a463566e56b46deb0929f3d4c637f7b9f6a0c25b69c1b23f3bbc2ee6dbc83ea35d99dbabb9022c3ec8a0f

Download Submit
C:\Windows\System\FyBaATW.exe

Filesize
5.7MB

MD5
120ff3cc685de23c76cbdc5d0d2da788

SHA1
cac270a45c363d96f3333233eade2d8a6f40ce67

SHA256
b10a4f9013caaad119123deb11fb51c05984af662f72cc08433ffad72ac972d1

SHA512
999e75c72d82e9f721a2941aded14662d56c1f0fd684121afee8234909367dac142d0dfd18d5f820fad77547662486d6d8e4f0bd385b247a2661648dc1c939d0

Download Submit
C:\Windows\System\JuJWsTB.exe

Filesize
5.7MB

MD5
8fcc70e0df1f87051fcb5088f80a7171

SHA1
35ec2e5c588f3c14e3512125e764a5f4ed6ab5a5

SHA256
5c8a263415747bfd51ac13cef3c212d3463da9f7e0c41c31fff4f8bace31eeee

SHA512
d43cc58cbdb9adcac9ae1c6636035c233b5d03653e4ed5869d78d8c0fd15f1438afd53580c7368b6c8bc6c28d8d774e64f58204fe04303ef5fdce90e639078ed

Download Submit
C:\Windows\System\KPxLTmP.exe

Filesize
5.7MB

MD5
6d0002346cb863c903fba4ca7b9add8f

SHA1
9dfb1b5c98ca714246ca5bd614a7689a8b044d14

SHA256
82e267d457d935405b62d5743426ba11bc60bc0aeab28646d0a1e057981f3a51

SHA512
71ace8c5943aa33932e0313494552deb4f3e1a64760b07fea23cae8eafa54effdbe9b46d9d92b0848f9ef27e91b4bd1f2533530409e42d5d19d6762178e5741a

Download Submit
C:\Windows\System\KflUwVC.exe

Filesize
5.7MB

MD5
7b9c439e99bfbacbd0edd68b161af2a8

SHA1
91c2db28c90404f2387a55ad46547fc45c79e5af

SHA256
6a95855ad9755f90edeceafa99de94ecf3321d0c49034b6a19466e49868472db

SHA512
d0338f04c4ed13a795189150aeef0dc565ba4ea4162d463fedfce714bc7b6c8f7d02dfd8448c70639eece472fb8024b5f62cdb1268c8e0bfb9d69a308865622c

Download Submit
C:\Windows\System\KymjfHd.exe

Filesize
5.7MB

MD5
d7effd639424f9281fb2e982e5f657c2

SHA1
24da3ae24f239e7e647d6140c871ea8dd94796d5

SHA256
7d0b79a23e325262a95ea352c73c204c34aaaccdaee7d084763277b3555a3981

SHA512
7f073f6b05c219a1d41a325414c6cc7bdde40d4119e2edc125de3c0acd7c5113bdd58ae484692817fd1fd3117a80ac974f282870987981b5f6c0c226c343e40b

Download Submit
C:\Windows\System\MBbjugY.exe

Filesize
5.7MB

MD5
22086cc6b78a31c934fbd3d6f0a107b2

SHA1
22bf264780d6e9eb2f0cdd4c2b7042624e287072

SHA256
15e4fc14f4e3ca2e21cf440e5d2bc1bed2262c2899cd012c1d6c791dfad92b4d

SHA512
7a6e6fcef3f11b58556083f0756d7aae7310835f558374eb076f343128d16f2aa6ae7bc9de5f79c4a2e2aa8d70f77a68f65434c4c229a98f6030e082cd3daed2

Download Submit
C:\Windows\System\QuZMNxd.exe

Filesize
5.7MB

MD5
c5357f41dad435a162398da70e160b51

SHA1
05c638ec975b95c53bf7c0552de845ccafe18f96

SHA256
c83b5f2b5a333800726d6fdcd98ee3bedb3b943cff1b5a761fcd03adfd85e91a

SHA512
01cbd0f8d2ca04c08ef8e3761898ba4d867f3b3e8a0db1d0f2b2f8637a21cd9d2a2405f3be5481b5aab168b15c38c17519e9086315b8c15666ee20de2618c1f3

Download Submit
C:\Windows\System\TbxtxVA.exe

Filesize
5.7MB

MD5
3d56c1b628f07fe4582e5f8dd67537cb

SHA1
55d3b865f570ce378b1980f8b2ee3d74f624ccdd

SHA256
f4e0081427542271a548e61cd99fbbb9e4e7f2d8765e823215ee776ccf5078c6

SHA512
f9645ac74a808962079fc8d278cb060cd3be528d3c9eb4c8bc954c0d209d54c50bbabef6c5c0491270e600c45a6dd62225bfe5f594f4f9c0b936d548af703b43

Download Submit
C:\Windows\System\UlKUsTv.exe

Filesize
5.7MB

MD5
70826cade11797b0342f4c66756dcda9

SHA1
ace85085f49f1be86c7773be9f2dd746ff56eb32

SHA256
e2d36d3e9087c7e5fc25907ca1a0810c74cc8c72fa2e135014b7c12f40bc28be

SHA512
6aa3e509d69c2d879202859609eb9b239a7d3ad9fbee7aed54c7b7bdfc03ddea5bbb4edf8520acb8f8f609dd4b54140300ed0ab24f3b4483707b4c6215b475b6

Download Submit
C:\Windows\System\ZHnfDYt.exe

Filesize
5.7MB

MD5
862ce4bc1d21399fe8074334dd510174

SHA1
1e45d63fec2cd606e2a580d7f452d378eb21f721

SHA256
66db7ce1803f7071337eaabee59a627170dfa85999a42f0068b4153e20ea1167

SHA512
25eb5da5a9fce46f3927e927875d74a1100688aee14328cd82f57cd1ecccd715eebab675b9c01802dbe733cf319a9bfa542a0c29751f6ccd7a7ded63ca77b220

Download Submit
C:\Windows\System\aHhtlVO.exe

Filesize
5.7MB

MD5
eb875fced3b3a18c8b7ac310346da645

SHA1
3258e789ced43de611ef3de779a5fc7f2510ab34

SHA256
3c9306fb8136cced0eb9c005534a34bfdcd876c467bff3b3f863743c09dc1e45

SHA512
e28698dd92f475425b112cf03a04c03be95bca9b6f359e072a4b7fd7f8273747f90d97665fc7d9969dc78c23d6f7881e8a61850ac6dcb796dea254f5694be0d7

Download Submit
C:\Windows\System\aRWfDEI.exe

Filesize
5.7MB

MD5
94ced77680cb5d359e2d30bc07de4bfb

SHA1
8909b4d842e517bc15ae56cdbbc90cb1a325ad88

SHA256
5e017268798a0b562f37d258678f766cdeb4b652e844f6529cca36018e64aada

SHA512
226d6b3f7411e7eb7decc754a60282aa871d8b99e74d8d8295a5de7b6f1636d842a3a93494c48b4e60109f13e33dadbca5be2d4cd9e3686308e503658cd39cd7

Download Submit
C:\Windows\System\aifbeUp.exe

Filesize
5.7MB

MD5
403a2f5b36cd221b032a73216ae78821

SHA1
0049d38b0b76abb80d055b2682d47a066ee410f4

SHA256
186f1d823e6332a5ece556bf6e92f3cd2f127e991df4c7c6df7611e1834b6120

SHA512
e49a795ba2500ff523bc40c11e3a76b55141fc98e25f060617841dd50c30473c9368c278921e6ccf619bac41811a6900ff6cb2cb1278888bc06ed1a9244b2aaa

Download Submit
C:\Windows\System\bzJpVTO.exe

Filesize
5.7MB

MD5
d70b0fbd281c1e04025c64059c652b37

SHA1
0e34af546735e46adf7d495edc827bcce297153c

SHA256
91bb8fc83cc2caad88a3bce04d908748b2fadb15f4268fe953d16c581d47de1c

SHA512
ef8fe2e48e8a507663e8d860160706e9e5a3b49e87e60142ca29850e7c0bc6522eb3fd5287cc5e945d608bd0dadd404398e1422a74fae5230dbf3b2a294408e5

Download Submit
C:\Windows\System\cXCoGtr.exe

Filesize
5.7MB

MD5
1b934062c61e15e4636b465a9a158513

SHA1
505e74a953ecd7ca9615a885a04293e64e0096e3

SHA256
e3e6b79ea19aa2876eee53e3d407f686e91be95f2dd1842e061a5b13c0d86149

SHA512
b99337501731d00b7fe308c2deccf52edd1183fb6381b9c5755cc1aa11f1aa5fd0d70ce9c8d51ee9dffd31c4d4906c763c941f7d8a72083682f00a8f33f611c0

Download Submit
C:\Windows\System\fYfmkJH.exe

Filesize
5.7MB

MD5
b9d5d9b7e0769994b70fd052b2e8338d

SHA1
c6332bb329467148030d6ac53a937e2d991f7512

SHA256
8700e2ba0501ef16758ffb43b3e63080a182c13ff8c10eab1a25709b62757904

SHA512
a3c9908705598069441a0bbce46d42f5c4a335897fc676c3ee4c002123937a0fcabdd96f57e89f8040b6e4ea58bbdad47fe4b81251d04ec39fbb602b3afff79b

Download Submit
C:\Windows\System\gxeBcxj.exe

Filesize
5.7MB

MD5
37d0c6686ec92351b2cfda2685742d08

SHA1
a2c76c372069f423bdcd8009443bddcb780d64b0

SHA256
62331fbfb05135f21bdda7868afabc22eec728146c42a6959aa1994b855fd115

SHA512
92d4b80b8a88fee5284539837ed0e4dbb454b7ea90f37618c7dd844b523f8a48382627ae2b6eb1d02f5f7844cc3f6bf2a710e17bb8480562e9a5be1fd5748c43

Download Submit
C:\Windows\System\klmcLpZ.exe

Filesize
5.7MB

MD5
8dea978c798904faac72aeb9c34f601a

SHA1
4b0a9e72032d1919fbb6babc86e2c11a957b45ce

SHA256
d5b96401681ac3ca14727beeca833876aa353b55cd11ed999b309ecf57520540

SHA512
11be756e2d95bc6c878063e9acb934659c06882617b957315e7616d997e83d1a6cc7de32738a2131e734db6bd9cf0adcb2f0e3de6438a2b9c1eb9c1d1a71f0b5

Download Submit
C:\Windows\System\ywiPMcx.exe

Filesize
5.7MB

MD5
d302fadffa4175482b59d9bed05fac5e

SHA1
0fdb9374c0b4c02d796cba91880431457e368dcb

SHA256
571cfb82cd4aaf35097129e7fccca1b4461d11af5a1761bd48afc10bc3b20303

SHA512
fb88b8da1da799d582fdd201d4df4e40c53848297db972be1f906a188b51e56559184addc3d4b941b2e7fbb8a73946c6a884cc61910a53f9be998314b3a5bcef

Download Submit
memory/844-115-0x00007FF6469F0000-0x00007FF646D3D000-memory.dmp

Filesize
3.3MB

Download
memory/1044-43-0x00007FF65E090000-0x00007FF65E3DD000-memory.dmp

Filesize
3.3MB

Download
memory/1508-25-0x00007FF62C690000-0x00007FF62C9DD000-memory.dmp

Filesize
3.3MB

Download
memory/1548-37-0x00007FF6C7200000-0x00007FF6C754D000-memory.dmp

Filesize
3.3MB

Download
memory/1984-73-0x00007FF77BFC0000-0x00007FF77C30D000-memory.dmp

Filesize
3.3MB

Download
memory/1996-121-0x00007FF68A0E0000-0x00007FF68A42D000-memory.dmp

Filesize
3.3MB

Download
memory/2448-1-0x0000018C32300000-0x0000018C32310000-memory.dmp

Filesize
64KB

Download
memory/2448-0-0x00007FF6D3DB0000-0x00007FF6D40FD000-memory.dmp

Filesize
3.3MB

Download
memory/2724-91-0x00007FF77EA50000-0x00007FF77ED9D000-memory.dmp

Filesize
3.3MB

Download
memory/2884-104-0x00007FF61C300000-0x00007FF61C64D000-memory.dmp

Filesize
3.3MB

Download
memory/2904-55-0x00007FF70FE40000-0x00007FF71018D000-memory.dmp

Filesize
3.3MB

Download
memory/2940-79-0x00007FF6894F0000-0x00007FF68983D000-memory.dmp

Filesize
3.3MB

Download
memory/3336-49-0x00007FF793D80000-0x00007FF7940CD000-memory.dmp

Filesize
3.3MB

Download
memory/3528-85-0x00007FF61B960000-0x00007FF61BCAD000-memory.dmp

Filesize
3.3MB

Download
memory/4348-61-0x00007FF7831B0000-0x00007FF7834FD000-memory.dmp

Filesize
3.3MB

Download
memory/4680-13-0x00007FF679140000-0x00007FF67948D000-memory.dmp

Filesize
3.3MB

Download
memory/4784-7-0x00007FF7974F0000-0x00007FF79783D000-memory.dmp

Filesize
3.3MB

Download
memory/4824-109-0x00007FF692320000-0x00007FF69266D000-memory.dmp

Filesize
3.3MB

Download
memory/4884-31-0x00007FF6E3790000-0x00007FF6E3ADD000-memory.dmp

Filesize
3.3MB

Download
memory/4952-67-0x00007FF73B030000-0x00007FF73B37D000-memory.dmp

Filesize
3.3MB

Download
memory/4976-19-0x00007FF6FCE90000-0x00007FF6FD1DD000-memory.dmp

Filesize
3.3MB

Download
memory/5004-126-0x00007FF795060000-0x00007FF7953AD000-memory.dmp

Filesize
3.3MB

Download
memory/5084-97-0x00007FF695A60000-0x00007FF695DAD000-memory.dmp

Filesize
3.3MB

Download