cobaltstrike | f1107562d8cf2ae8f14490b79b786c1a7a2379dea35ebd5024935d52f1bedd76

Analysis

max time kernel
140s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25/01/2025, 03:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.7MB
MD5

35a575428e2b33bcb3bfb04e565ab220
SHA1

88f437fb93ec31ed8b0c878bf9f06ba61a41fa16
SHA256

f1107562d8cf2ae8f14490b79b786c1a7a2379dea35ebd5024935d52f1bedd76
SHA512

3cdf035683545b8b9951e8828915be423372538159621e84d7aa78984087991e35fc396b6fed764b70dcc8af1aead0773d526d40bd2a5540c3f6e1a3ce03e121
SSDEEP

98304:4emTLkNdfE0pZaJ56utgpPFotBER/mQ32lUs:j+R56utgpPF8u/7s

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023ca7-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cac-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cab-12.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cad-23.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caf-39.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb3-59.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb5-71.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb4-68.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb2-55.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb0-49.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb1-45.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023ca8-30.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb6-77.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb8-90.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb7-87.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb9-96.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbb-108.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbc-114.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cba-102.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbd-118.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbf-123.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 43 IoCs

miner

resource	yara_rule
behavioral2/memory/3356-0-0x00007FF7F42A0000-0x00007FF7F45ED000-memory.dmp	xmrig
behavioral2/files/0x0008000000023ca7-5.dat	xmrig
behavioral2/memory/4016-7-0x00007FF6FE740000-0x00007FF6FEA8D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cac-11.dat	xmrig
behavioral2/memory/5056-13-0x00007FF6377D0000-0x00007FF637B1D000-memory.dmp	xmrig
behavioral2/memory/860-18-0x00007FF6D6420000-0x00007FF6D676D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cab-12.dat	xmrig
behavioral2/files/0x0007000000023cad-23.dat	xmrig
behavioral2/memory/2552-25-0x00007FF7657C0000-0x00007FF765B0D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023caf-39.dat	xmrig
behavioral2/memory/2736-40-0x00007FF687480000-0x00007FF6877CD000-memory.dmp	xmrig
behavioral2/memory/3628-51-0x00007FF6484B0000-0x00007FF6487FD000-memory.dmp	xmrig
behavioral2/memory/5084-56-0x00007FF793D00000-0x00007FF79404D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cb3-59.dat	xmrig
behavioral2/memory/2716-69-0x00007FF79E2F0000-0x00007FF79E63D000-memory.dmp	xmrig
behavioral2/memory/4344-72-0x00007FF714140000-0x00007FF71448D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cb5-71.dat	xmrig
behavioral2/files/0x0007000000023cb4-68.dat	xmrig
behavioral2/memory/1816-65-0x00007FF623960000-0x00007FF623CAD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cb2-55.dat	xmrig
behavioral2/files/0x0007000000023cb0-49.dat	xmrig
behavioral2/memory/2156-46-0x00007FF765250000-0x00007FF76559D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cb1-45.dat	xmrig
behavioral2/memory/4000-33-0x00007FF7D4580000-0x00007FF7D48CD000-memory.dmp	xmrig
behavioral2/files/0x0008000000023ca8-30.dat	xmrig
behavioral2/memory/1968-78-0x00007FF7AEBB0000-0x00007FF7AEEFD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cb6-77.dat	xmrig
behavioral2/memory/3832-88-0x00007FF7B6C50000-0x00007FF7B6F9D000-memory.dmp	xmrig
behavioral2/memory/2160-91-0x00007FF712CB0000-0x00007FF712FFD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cb8-90.dat	xmrig
behavioral2/files/0x0007000000023cb7-87.dat	xmrig
behavioral2/memory/5016-97-0x00007FF7CA9E0000-0x00007FF7CAD2D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cb9-96.dat	xmrig
behavioral2/memory/3112-103-0x00007FF7F42F0000-0x00007FF7F463D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cbb-108.dat	xmrig
behavioral2/memory/2068-115-0x00007FF7BBF70000-0x00007FF7BC2BD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cbc-114.dat	xmrig
behavioral2/memory/3084-111-0x00007FF657370000-0x00007FF6576BD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cba-102.dat	xmrig
behavioral2/files/0x0007000000023cbd-118.dat	xmrig
behavioral2/memory/2000-122-0x00007FF778B30000-0x00007FF778E7D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cbf-123.dat	xmrig
behavioral2/memory/3152-126-0x00007FF64E480000-0x00007FF64E7CD000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4016	AYYnurQ.exe
5056	OsJaUll.exe
860	pcpycGD.exe
2552	sQqbezs.exe
4000	AFhQKMn.exe
2736	znbEWEu.exe
3628	FdvGDdt.exe
2156	JTjNGio.exe
5084	noxPdNa.exe
1816	cvwZukZ.exe
2716	YiKSzxl.exe
4344	lgrPStc.exe
1968	MrrMYuU.exe
3832	wONTYCU.exe
2160	wmssOVf.exe
5016	JwqPxBB.exe
3112	DqniXEB.exe
3084	qeCZZEv.exe
2068	hLuRybE.exe
2000	nerglHS.exe
3152	bQnRYkp.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\AFhQKMn.exe	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FdvGDdt.exe	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lgrPStc.exe	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sQqbezs.exe	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\znbEWEu.exe	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JTjNGio.exe	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\noxPdNa.exe	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cvwZukZ.exe	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wONTYCU.exe	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DqniXEB.exe	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qeCZZEv.exe	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nerglHS.exe	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YiKSzxl.exe	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MrrMYuU.exe	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JwqPxBB.exe	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AYYnurQ.exe	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OsJaUll.exe	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pcpycGD.exe	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wmssOVf.exe	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hLuRybE.exe	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bQnRYkp.exe	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3356	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3356	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3356 wrote to memory of 4016	3356	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3356 wrote to memory of 4016	3356	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3356 wrote to memory of 5056	3356	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3356 wrote to memory of 5056	3356	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3356 wrote to memory of 860	3356	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3356 wrote to memory of 860	3356	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3356 wrote to memory of 2552	3356	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3356 wrote to memory of 2552	3356	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3356 wrote to memory of 4000	3356	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3356 wrote to memory of 4000	3356	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3356 wrote to memory of 2736	3356	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3356 wrote to memory of 2736	3356	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3356 wrote to memory of 3628	3356	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3356 wrote to memory of 3628	3356	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3356 wrote to memory of 2156	3356	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3356 wrote to memory of 2156	3356	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3356 wrote to memory of 5084	3356	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3356 wrote to memory of 5084	3356	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3356 wrote to memory of 1816	3356	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3356 wrote to memory of 1816	3356	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3356 wrote to memory of 2716	3356	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3356 wrote to memory of 2716	3356	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3356 wrote to memory of 4344	3356	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3356 wrote to memory of 4344	3356	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3356 wrote to memory of 1968	3356	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3356 wrote to memory of 1968	3356	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3356 wrote to memory of 3832	3356	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3356 wrote to memory of 3832	3356	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3356 wrote to memory of 2160	3356	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3356 wrote to memory of 2160	3356	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3356 wrote to memory of 5016	3356	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3356 wrote to memory of 5016	3356	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3356 wrote to memory of 3112	3356	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3356 wrote to memory of 3112	3356	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3356 wrote to memory of 3084	3356	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3356 wrote to memory of 3084	3356	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3356 wrote to memory of 2068	3356	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3356 wrote to memory of 2068	3356	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3356 wrote to memory of 2000	3356	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3356 wrote to memory of 2000	3356	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3356 wrote to memory of 3152	3356	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3356 wrote to memory of 3152	3356	2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3356
- C:\Windows\System\AYYnurQ.exe
  C:\Windows\System\AYYnurQ.exe
  2⤵
  - Executes dropped EXE
  PID:4016
- C:\Windows\System\OsJaUll.exe
  C:\Windows\System\OsJaUll.exe
  2⤵
  - Executes dropped EXE
  PID:5056
- C:\Windows\System\pcpycGD.exe
  C:\Windows\System\pcpycGD.exe
  2⤵
  - Executes dropped EXE
  PID:860
- C:\Windows\System\sQqbezs.exe
  C:\Windows\System\sQqbezs.exe
  2⤵
  - Executes dropped EXE
  PID:2552
- C:\Windows\System\AFhQKMn.exe
  C:\Windows\System\AFhQKMn.exe
  2⤵
  - Executes dropped EXE
  PID:4000
- C:\Windows\System\znbEWEu.exe
  C:\Windows\System\znbEWEu.exe
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Windows\System\FdvGDdt.exe
  C:\Windows\System\FdvGDdt.exe
  2⤵
  - Executes dropped EXE
  PID:3628
- C:\Windows\System\JTjNGio.exe
  C:\Windows\System\JTjNGio.exe
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\System\noxPdNa.exe
  C:\Windows\System\noxPdNa.exe
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Windows\System\cvwZukZ.exe
  C:\Windows\System\cvwZukZ.exe
  2⤵
  - Executes dropped EXE
  PID:1816
- C:\Windows\System\YiKSzxl.exe
  C:\Windows\System\YiKSzxl.exe
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\System\lgrPStc.exe
  C:\Windows\System\lgrPStc.exe
  2⤵
  - Executes dropped EXE
  PID:4344
- C:\Windows\System\MrrMYuU.exe
  C:\Windows\System\MrrMYuU.exe
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\System\wONTYCU.exe
  C:\Windows\System\wONTYCU.exe
  2⤵
  - Executes dropped EXE
  PID:3832
- C:\Windows\System\wmssOVf.exe
  C:\Windows\System\wmssOVf.exe
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\System\JwqPxBB.exe
  C:\Windows\System\JwqPxBB.exe
  2⤵
  - Executes dropped EXE
  PID:5016
- C:\Windows\System\DqniXEB.exe
  C:\Windows\System\DqniXEB.exe
  2⤵
  - Executes dropped EXE
  PID:3112
- C:\Windows\System\qeCZZEv.exe
  C:\Windows\System\qeCZZEv.exe
  2⤵
  - Executes dropped EXE
  PID:3084
- C:\Windows\System\hLuRybE.exe
  C:\Windows\System\hLuRybE.exe
  2⤵
  - Executes dropped EXE
  PID:2068
- C:\Windows\System\nerglHS.exe
  C:\Windows\System\nerglHS.exe
  2⤵
  - Executes dropped EXE
  PID:2000
- C:\Windows\System\bQnRYkp.exe
  C:\Windows\System\bQnRYkp.exe
  2⤵
  - Executes dropped EXE
  PID:3152

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AFhQKMn.exe

Filesize
5.7MB

MD5
e082e63cda1c7a49e41017c1255f9acc

SHA1
9fb44eec7cb06c1c2bce62a7f23b629dc62c35b5

SHA256
295c6b0e0d253552e7dc39de7b130784bea6b5df337f830df7871750180b7a5b

SHA512
592300c79d09bd6e79408f5e6791717da32ef8b0b5f23f085a8e4c76536a70b6aef1f41a72dfdcd9eb119ae9b7a1f64f92ae0010cc23e03784917f05c4397858

Download Submit
C:\Windows\System\AYYnurQ.exe

Filesize
5.7MB

MD5
cb0945bed90e2067c5b7428c65ebc692

SHA1
c45b98b7fcea913104832d1c9872e8822f48c388

SHA256
125e01973b714958860a624707deb94c0e114b2b9145e2cb270be60c0fc7493b

SHA512
ff3705a1d7677c0901d8439363dca1fad4295ade34118665068977c803f83a33c54e4380a5a031a8592eaf6752da10c5138361e5998ee38e090492f4efc7c8e7

Download Submit
C:\Windows\System\DqniXEB.exe

Filesize
5.7MB

MD5
1839444a6a1d1d4ca18d72b2b3d8fb6a

SHA1
1b52e40bd897a38e67443f539dd50a060ca56513

SHA256
568b3ea48823a5053dfe21e21139c5935b0e6ef1eb1c9da9c1e214997e4e789e

SHA512
8694c2909b45f8ce4a20909baddf967eee83f91541af864f4774c6aece521bf958b6e2c9dcb6b95542d5fbff982a415c4229ace4d695c54218b025066fb8ff0b

Download Submit
C:\Windows\System\FdvGDdt.exe

Filesize
5.7MB

MD5
be2206bf0b743236dd61bd16b6cf72f8

SHA1
76ec6ec962101e62fe5cfd65bcfe7ed1cf8d0f14

SHA256
51ae88a753423ba0115ce0f0f841435a802671d8858ca354a4bd9695f2d37399

SHA512
58a66dac0c659ec5147a680d0fa78ff255861a8a16062360ed1e1b5f298415b88664ac08242c7b73929fb90888b015e5108b2b58d20fa0adc22ebe8c616c836f

Download Submit
C:\Windows\System\JTjNGio.exe

Filesize
5.7MB

MD5
e0fdb777a01e2c50c1778609df5fa864

SHA1
9946f592ada3169b497b0fb8d35ea9d696e13f16

SHA256
993113db212e1f985694d5a20ebbba617810b5e60c83f22032eb3e8a0f01ae83

SHA512
33869b993501f095a8a8a89dcd327fdb89635eb71e4dd7664d8960d787335eda5f214ca0e084939086a282c0e7a526edfc5a4cd5cbfe441260e65e9b521c7984

Download Submit
C:\Windows\System\JwqPxBB.exe

Filesize
5.7MB

MD5
e2832d6748d18f912b215b6432e1b2cd

SHA1
df114f83bb3823e03839060c183df6cff6c1dbc9

SHA256
58353d495a1ef457c0eea37e6d5897330b395fc240ddfeeb6d6cd5f2dab097eb

SHA512
b8435acfdac2d4f70c7e96e5d457ab5ca5717488994486699b677617663fac3b66452a86cde57771d10b2ddfa7fca1bb2e54c63508445a0f06f835ceaf753878

Download Submit
C:\Windows\System\MrrMYuU.exe

Filesize
5.7MB

MD5
7d4627f9599d6f0d2c10aedee66a0c0d

SHA1
ecb5546aa2e9bb7ff8963cdb74b6884ffba313f2

SHA256
8357beac0dd74053b26a424b945a1c2947e5ceb9354a03ec9de151ddf42a20b3

SHA512
98a8ad96da10d11277c20fcdedbfc5480ac314b57db225fbd40a4f14b217fceb67851879ca0c73d6a01c2e3b6980c8796f979341f6e333daccbb4602fc9992de

Download Submit
C:\Windows\System\OsJaUll.exe

Filesize
5.7MB

MD5
3aeedebc98c4a034fb498c947ff0eb07

SHA1
c9f3270b8c6a7b5dee90663242c940ceed54596c

SHA256
acd86474db823b2c1e0253913cdab07214d83dd1101ea69dd5fd2d794da75930

SHA512
735144eed8fce845f004c2badb343690a8762c01855dc0f173dd82c17f6918b6313e1869d95a431c50bf9a2210cb45a14a63cb7ce1585ef84cdb04a6d2b27240

Download Submit
C:\Windows\System\YiKSzxl.exe

Filesize
5.7MB

MD5
20fd69d3bf6af94f0a1e3f9db6a930c2

SHA1
eceec73db99f263f70a6f2e880768567bee284de

SHA256
b30ca4d555a3359c4bc8cfacd48849588c1ecde32bbe158691d157f83633e171

SHA512
2fc0001e1a3d2eb83894e98f78d862c1239a00b68f25d5f9148117be39cc3888143f5569eab2aba22bf3ad8e7b4aeeac86e74da07fbcb2844e4dde834d83536a

Download Submit
C:\Windows\System\bQnRYkp.exe

Filesize
5.7MB

MD5
44c3e61740b7ad452363c2747c3a0462

SHA1
fa8faf66673ae561022f161673781c39f4e4a502

SHA256
9e97d6d2c1c599b43de2f5afc1193ab68b74d5c5324b3e30e3513f43610f9c37

SHA512
73ad53d1f552d1abd5e9e8589b74bed76cb34f0233c463e700ba5e64b0f2761168aeb5670c8ad1566fcab2e967e51503cde1d21da1cb62066e0a18ab53346ec8

Download Submit
C:\Windows\System\cvwZukZ.exe

Filesize
5.7MB

MD5
c8f8e7413fa4635ea7a0e6419d8c43fe

SHA1
40fad29bf9b54be8ca40f1109d383089bf5310c9

SHA256
8f4565afa284ebba35834ccf1321cad121693de54b2955e8e7e05cc3424112e7

SHA512
f7cfdf34448ee9b951e49fcddb5136aad85d1b3f4899d1646c42da554731f9395615a299a531c239113496a1227e10fb16449f61d14126d271cbab7c7b17c657

Download Submit
C:\Windows\System\hLuRybE.exe

Filesize
5.7MB

MD5
061fada4edac380c3edc70104d427577

SHA1
ed3301b5dae9eadbe50055c9c6d5c5a9fcdcc5b1

SHA256
660b243a5e3dd7f671bdd8e469eb5b267ff5ed177b6a7ed75413f7c0e3b82df1

SHA512
616dbaee49a074d2a7179b4865e95a9e8d46dcec7d47b7223cccbf198270a8071b2ecdb081ba16569effbd8e52ac492f5415bd7cae80cbe05ad234400a6d4daa

Download Submit
C:\Windows\System\lgrPStc.exe

Filesize
5.7MB

MD5
1c8613e671496845d0f0250f7dc198a1

SHA1
2d4ade02678265e18692ea2afdd7d3a3cd8b79a9

SHA256
385f60db026304ce59590f59ba187eeccc8be9a3934a60b715f9b1e11912f449

SHA512
b7450955f27581317bfa03c01c586e65346823a95d2f3c18815f45f268b21dceada40ced049e6f437dfaf365bc0f795a090c263c5e51b0c3f1db20528641a1ec

Download Submit
C:\Windows\System\nerglHS.exe

Filesize
5.7MB

MD5
9e1b2df19bd6d8deb644e389a7766492

SHA1
16752086c477f519efa16da9f55ec5d2a86db697

SHA256
31c1408c3975e9e940efd75072e389fdecde402832b08ee36440924ac1793d56

SHA512
7b0cd3ad332b3e098c5150eb65d838918369ad7b92a9dbf8aa08cd57f9d1a46b01a4a5bf2938600897d11ab41ccff22ddf94661f62a5aa18d8437877edf44d3c

Download Submit
C:\Windows\System\noxPdNa.exe

Filesize
5.7MB

MD5
a526a62ac2956aa6b43b344ee85f51e1

SHA1
252f75b16815f54e3559c85343d796705c4e98ce

SHA256
0f172f0f39b971f9c3b2a7c1f9bfb3462f8b5c40554a16c5fae9fad8584b4709

SHA512
bac15ec0faf731467d10f026ef461bbcdea4ff0fb57ae6230f8fcf5a75ef165e1c1a5a31261a9d64115f177e722b9deb94ff30a378882a244d9fdaedf5a02578

Download Submit
C:\Windows\System\pcpycGD.exe

Filesize
5.7MB

MD5
8d5ff2a20569de960fcc937635c1732c

SHA1
92d83e741661cdd4166c21509d0ae3406835ea61

SHA256
abd41be38fb692ef414f15bddef826743c2b546b4882f179c8e772aa1a90ac25

SHA512
7d68470537d6af1d36470754aab81af194d80281ec3bf44db7b4084877848b40018f9b62d973e3af061a0e9536d68cc08f66d385e195382f057a3ba7f28cf631

Download Submit
C:\Windows\System\qeCZZEv.exe

Filesize
5.7MB

MD5
7eb94311c46b95e92e7bf0a9af2ac349

SHA1
a9ce0ae581d51a0190e29c4f1210f9215a9bc1c1

SHA256
4c40b23829a292a13c6c948711de907b59d1e6576c760db6b0d26f36cd159f11

SHA512
6c1155e4f6f1e24cede5d1124bf57d2087d8454cfdb9f7010023357c1d0115d5fa3808c13fe27de8a1aef2849f18b5bc55090364ab961d41ea5b3e0f1e12374f

Download Submit
C:\Windows\System\sQqbezs.exe

Filesize
5.7MB

MD5
20e1b0479002b2aefe861d498a7f2d75

SHA1
6502ff99ac0493155141c895c357967e9b1acbdc

SHA256
86344083bfc7afa789e2433070b636f47899621ff77da1e855a5b6f87b2890e6

SHA512
bc90c437324e440269b03f47e8490d41ee1ec334fb709a5fd1a7190bb102a101548fced7f77dc40084963446208331959abdd4529b2333cc20ab6a17e9a61723

Download Submit
C:\Windows\System\wONTYCU.exe

Filesize
5.7MB

MD5
1d62f8052c828b8aa8c82bb38aa9604d

SHA1
84c0af7bc34fb1a31cee743d3242e822db769148

SHA256
01cf610186a9a67e31e808eab78b36ecdade0f58c96fe33376d2426e1b2f8c36

SHA512
8e21e58f9ad16c42478d400a2d3c0de7a89bccf3eada9f300fa8a2b9c184afd686786786c3c3d0d8c7b53d87a1b5458f500aa184f1843a05ef8a06f7c7005d22

Download Submit
C:\Windows\System\wmssOVf.exe

Filesize
5.7MB

MD5
4e6d6c0ba4d3f58c0af8c1973f762dfd

SHA1
fd2ef1c4433897f82d6d9eda57559042eb65e30d

SHA256
0e3847fff9d97afbc418f8696c0ff9887316f33fb2c90bb0c3963eec6281fb8c

SHA512
051ad599c3c2e8dfe49680eba5bdf194e9cdc5d650e5b99cd5bbec9e33f270461c9b6a5c1fd3b428a4051e089cac2d56cba6112403928044d0e12d1b3ede80be

Download Submit
C:\Windows\System\znbEWEu.exe

Filesize
5.7MB

MD5
bd9dc3ae0e73b246f73ce8e6370d94c7

SHA1
528cacff9e97345e09497b164266d3aadae76372

SHA256
0532a45b7c9a15abed365f8205ba25043f2fbb9562b7faddf4eb7399eb207aab

SHA512
5c1564cf4c3ea1f694dca1b20e54f94fb4053d25b4c26876be53f2f1f1e8d772ba21204d0cad8d7ea8b38943190f6c2d1283ab579d27375ed1fed885b64661b8

Download Submit
memory/860-18-0x00007FF6D6420000-0x00007FF6D676D000-memory.dmp

Filesize
3.3MB

Download
memory/1816-65-0x00007FF623960000-0x00007FF623CAD000-memory.dmp

Filesize
3.3MB

Download
memory/1968-78-0x00007FF7AEBB0000-0x00007FF7AEEFD000-memory.dmp

Filesize
3.3MB

Download
memory/2000-122-0x00007FF778B30000-0x00007FF778E7D000-memory.dmp

Filesize
3.3MB

Download
memory/2068-115-0x00007FF7BBF70000-0x00007FF7BC2BD000-memory.dmp

Filesize
3.3MB

Download
memory/2156-46-0x00007FF765250000-0x00007FF76559D000-memory.dmp

Filesize
3.3MB

Download
memory/2160-91-0x00007FF712CB0000-0x00007FF712FFD000-memory.dmp

Filesize
3.3MB

Download
memory/2552-25-0x00007FF7657C0000-0x00007FF765B0D000-memory.dmp

Filesize
3.3MB

Download
memory/2716-69-0x00007FF79E2F0000-0x00007FF79E63D000-memory.dmp

Filesize
3.3MB

Download
memory/2736-40-0x00007FF687480000-0x00007FF6877CD000-memory.dmp

Filesize
3.3MB

Download
memory/3084-111-0x00007FF657370000-0x00007FF6576BD000-memory.dmp

Filesize
3.3MB

Download
memory/3112-103-0x00007FF7F42F0000-0x00007FF7F463D000-memory.dmp

Filesize
3.3MB

Download
memory/3152-126-0x00007FF64E480000-0x00007FF64E7CD000-memory.dmp

Filesize
3.3MB

Download
memory/3356-1-0x000001A551FB0000-0x000001A551FC0000-memory.dmp

Filesize
64KB

Download
memory/3356-0-0x00007FF7F42A0000-0x00007FF7F45ED000-memory.dmp

Filesize
3.3MB

Download
memory/3628-51-0x00007FF6484B0000-0x00007FF6487FD000-memory.dmp

Filesize
3.3MB

Download
memory/3832-88-0x00007FF7B6C50000-0x00007FF7B6F9D000-memory.dmp

Filesize
3.3MB

Download
memory/4000-33-0x00007FF7D4580000-0x00007FF7D48CD000-memory.dmp

Filesize
3.3MB

Download
memory/4016-7-0x00007FF6FE740000-0x00007FF6FEA8D000-memory.dmp

Filesize
3.3MB

Download
memory/4344-72-0x00007FF714140000-0x00007FF71448D000-memory.dmp

Filesize
3.3MB

Download
memory/5016-97-0x00007FF7CA9E0000-0x00007FF7CAD2D000-memory.dmp

Filesize
3.3MB

Download
memory/5056-13-0x00007FF6377D0000-0x00007FF637B1D000-memory.dmp

Filesize
3.3MB

Download
memory/5084-56-0x00007FF793D00000-0x00007FF79404D000-memory.dmp

Filesize
3.3MB

Download