cobaltstrike | 329324662cc852bdce02a574983c6f703612ddc40ef86ae1473ec36e43b6fa31

Analysis

max time kernel
137s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-01-2025 04:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.7MB
MD5

eedb06beb565c89538a1e90db99cb907
SHA1

6fa4237d5134d755674d7e442fb2e5781f3d99bf
SHA256

329324662cc852bdce02a574983c6f703612ddc40ef86ae1473ec36e43b6fa31
SHA512

c70610d00f2ed799976880d7f42e9514d2561aff3bb52fc35719a90a239a93b3623f17f6a9c04a84e7af96a063136f19a6227c3edc85ecdc622bf038b567ce2c
SSDEEP

98304:4emTLkNdfE0pZaJ56utgpPFotBER/mQ32lU+:j+R56utgpPF8u/7+

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x00090000000120f6-3.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016d63-9.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016d69-13.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016d6d-21.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016dd9-28.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016de0-32.dat	cobalt_reflective_dll
behavioral1/files/0x0034000000016d3f-39.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016dea-48.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000017047-53.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019227-56.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016eb4-50.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019261-81.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000193a4-121.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019379-111.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001939d-117.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019284-99.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000192a9-105.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019279-93.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001926a-88.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001925e-75.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001922c-70.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 42 IoCs

miner

resource	yara_rule
behavioral1/memory/2824-0-0x000000013F990000-0x000000013FCDD000-memory.dmp	xmrig
behavioral1/files/0x00090000000120f6-3.dat	xmrig
behavioral1/memory/2888-7-0x000000013F740000-0x000000013FA8D000-memory.dmp	xmrig
behavioral1/files/0x0008000000016d63-9.dat	xmrig
behavioral1/memory/2800-12-0x000000013FC90000-0x000000013FFDD000-memory.dmp	xmrig
behavioral1/files/0x0007000000016d69-13.dat	xmrig
behavioral1/memory/2916-19-0x000000013F100000-0x000000013F44D000-memory.dmp	xmrig
behavioral1/files/0x0008000000016d6d-21.dat	xmrig
behavioral1/memory/2796-25-0x000000013FC30000-0x000000013FF7D000-memory.dmp	xmrig
behavioral1/files/0x0007000000016dd9-28.dat	xmrig
behavioral1/memory/1948-30-0x000000013FC80000-0x000000013FFCD000-memory.dmp	xmrig
behavioral1/files/0x0007000000016de0-32.dat	xmrig
behavioral1/memory/2596-37-0x000000013F770000-0x000000013FABD000-memory.dmp	xmrig
behavioral1/files/0x0034000000016d3f-39.dat	xmrig
behavioral1/memory/1944-43-0x000000013F600000-0x000000013F94D000-memory.dmp	xmrig
behavioral1/files/0x0007000000016dea-48.dat	xmrig
behavioral1/files/0x0008000000017047-53.dat	xmrig
behavioral1/files/0x0005000000019227-56.dat	xmrig
behavioral1/files/0x0008000000016eb4-50.dat	xmrig
behavioral1/memory/2856-64-0x000000013F450000-0x000000013F79D000-memory.dmp	xmrig
behavioral1/memory/624-67-0x000000013FA20000-0x000000013FD6D000-memory.dmp	xmrig
behavioral1/files/0x0005000000019261-81.dat	xmrig
behavioral1/memory/2976-83-0x000000013F870000-0x000000013FBBD000-memory.dmp	xmrig
behavioral1/memory/1640-77-0x000000013FE30000-0x000000014017D000-memory.dmp	xmrig
behavioral1/memory/684-119-0x000000013F9B0000-0x000000013FCFD000-memory.dmp	xmrig
behavioral1/memory/3036-113-0x000000013F6D0000-0x000000013FA1D000-memory.dmp	xmrig
behavioral1/files/0x00050000000193a4-121.dat	xmrig
behavioral1/files/0x0005000000019379-111.dat	xmrig
behavioral1/files/0x000500000001939d-117.dat	xmrig
behavioral1/memory/3000-101-0x000000013FFC0000-0x000000014030D000-memory.dmp	xmrig
behavioral1/files/0x0005000000019284-99.dat	xmrig
behavioral1/memory/2904-107-0x000000013F6F0000-0x000000013FA3D000-memory.dmp	xmrig
behavioral1/files/0x00050000000192a9-105.dat	xmrig
behavioral1/memory/2988-95-0x000000013FCC0000-0x000000014000D000-memory.dmp	xmrig
behavioral1/files/0x0005000000019279-93.dat	xmrig
behavioral1/files/0x000500000001926a-88.dat	xmrig
behavioral1/files/0x000500000001925e-75.dat	xmrig
behavioral1/memory/2384-84-0x000000013F2E0000-0x000000013F62D000-memory.dmp	xmrig
behavioral1/files/0x000500000001922c-70.dat	xmrig
behavioral1/memory/580-62-0x000000013FAE0000-0x000000013FE2D000-memory.dmp	xmrig
behavioral1/memory/1012-49-0x000000013F040000-0x000000013F38D000-memory.dmp	xmrig
behavioral1/memory/2940-126-0x000000013F470000-0x000000013F7BD000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2888	KOLrgHM.exe
2800	hNTSWMq.exe
2916	DthuNKr.exe
2796	vPBTCHw.exe
1948	fxTJmJg.exe
2596	pEusMXR.exe
1944	VzBrLVV.exe
1012	WifXFBC.exe
2856	lBGxXBR.exe
580	RafCsFb.exe
624	neYJDCr.exe
2384	GlnzGgL.exe
1640	IBGmPuR.exe
2976	SzJlSwi.exe
2940	KMDNmXg.exe
2988	XeXswpF.exe
3000	YFJTAsV.exe
2904	UtTACQq.exe
3036	jUcnLdT.exe
684	gZZPOxr.exe
1568	wUyPKmL.exe

Loads dropped DLL 21 IoCs

pid	Process
2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe
2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe
2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe
2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe
2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe
2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe
2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe
2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe
2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe
2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe
2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe
2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe
2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe
2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe
2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe
2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe
2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe
2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe
2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe
2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe
2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\WifXFBC.exe	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SzJlSwi.exe	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UtTACQq.exe	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jUcnLdT.exe	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KOLrgHM.exe	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hNTSWMq.exe	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fxTJmJg.exe	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pEusMXR.exe	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gZZPOxr.exe	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vPBTCHw.exe	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VzBrLVV.exe	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lBGxXBR.exe	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\neYJDCr.exe	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KMDNmXg.exe	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XeXswpF.exe	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YFJTAsV.exe	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wUyPKmL.exe	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DthuNKr.exe	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RafCsFb.exe	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GlnzGgL.exe	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IBGmPuR.exe	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 2888	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2824 wrote to memory of 2888	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2824 wrote to memory of 2888	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2824 wrote to memory of 2800	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2824 wrote to memory of 2800	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2824 wrote to memory of 2800	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2824 wrote to memory of 2916	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2824 wrote to memory of 2916	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2824 wrote to memory of 2916	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2824 wrote to memory of 2796	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2824 wrote to memory of 2796	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2824 wrote to memory of 2796	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2824 wrote to memory of 1948	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2824 wrote to memory of 1948	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2824 wrote to memory of 1948	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2824 wrote to memory of 2596	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2824 wrote to memory of 2596	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2824 wrote to memory of 2596	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2824 wrote to memory of 1944	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2824 wrote to memory of 1944	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2824 wrote to memory of 1944	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2824 wrote to memory of 1012	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2824 wrote to memory of 1012	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2824 wrote to memory of 1012	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2824 wrote to memory of 580	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2824 wrote to memory of 580	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2824 wrote to memory of 580	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2824 wrote to memory of 2856	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2824 wrote to memory of 2856	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2824 wrote to memory of 2856	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2824 wrote to memory of 624	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2824 wrote to memory of 624	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2824 wrote to memory of 624	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2824 wrote to memory of 2384	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2824 wrote to memory of 2384	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2824 wrote to memory of 2384	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2824 wrote to memory of 1640	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2824 wrote to memory of 1640	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2824 wrote to memory of 1640	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2824 wrote to memory of 2976	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2824 wrote to memory of 2976	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2824 wrote to memory of 2976	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2824 wrote to memory of 2940	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2824 wrote to memory of 2940	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2824 wrote to memory of 2940	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2824 wrote to memory of 2988	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2824 wrote to memory of 2988	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2824 wrote to memory of 2988	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2824 wrote to memory of 3000	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2824 wrote to memory of 3000	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2824 wrote to memory of 3000	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2824 wrote to memory of 2904	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2824 wrote to memory of 2904	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2824 wrote to memory of 2904	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2824 wrote to memory of 3036	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2824 wrote to memory of 3036	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2824 wrote to memory of 3036	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2824 wrote to memory of 684	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2824 wrote to memory of 684	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2824 wrote to memory of 684	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2824 wrote to memory of 1568	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2824 wrote to memory of 1568	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2824 wrote to memory of 1568	2824	2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe	51

C:\Users\Admin\AppData\Local\Temp\2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-25_eedb06beb565c89538a1e90db99cb907_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Windows\System\KOLrgHM.exe
  C:\Windows\System\KOLrgHM.exe
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\System\hNTSWMq.exe
  C:\Windows\System\hNTSWMq.exe
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\System\DthuNKr.exe
  C:\Windows\System\DthuNKr.exe
  2⤵
  - Executes dropped EXE
  PID:2916
- C:\Windows\System\vPBTCHw.exe
  C:\Windows\System\vPBTCHw.exe
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\System\fxTJmJg.exe
  C:\Windows\System\fxTJmJg.exe
  2⤵
  - Executes dropped EXE
  PID:1948
- C:\Windows\System\pEusMXR.exe
  C:\Windows\System\pEusMXR.exe
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\System\VzBrLVV.exe
  C:\Windows\System\VzBrLVV.exe
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Windows\System\WifXFBC.exe
  C:\Windows\System\WifXFBC.exe
  2⤵
  - Executes dropped EXE
  PID:1012
- C:\Windows\System\RafCsFb.exe
  C:\Windows\System\RafCsFb.exe
  2⤵
  - Executes dropped EXE
  PID:580
- C:\Windows\System\lBGxXBR.exe
  C:\Windows\System\lBGxXBR.exe
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Windows\System\neYJDCr.exe
  C:\Windows\System\neYJDCr.exe
  2⤵
  - Executes dropped EXE
  PID:624
- C:\Windows\System\GlnzGgL.exe
  C:\Windows\System\GlnzGgL.exe
  2⤵
  - Executes dropped EXE
  PID:2384
- C:\Windows\System\IBGmPuR.exe
  C:\Windows\System\IBGmPuR.exe
  2⤵
  - Executes dropped EXE
  PID:1640
- C:\Windows\System\SzJlSwi.exe
  C:\Windows\System\SzJlSwi.exe
  2⤵
  - Executes dropped EXE
  PID:2976
- C:\Windows\System\KMDNmXg.exe
  C:\Windows\System\KMDNmXg.exe
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\System\XeXswpF.exe
  C:\Windows\System\XeXswpF.exe
  2⤵
  - Executes dropped EXE
  PID:2988
- C:\Windows\System\YFJTAsV.exe
  C:\Windows\System\YFJTAsV.exe
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\System\UtTACQq.exe
  C:\Windows\System\UtTACQq.exe
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\System\jUcnLdT.exe
  C:\Windows\System\jUcnLdT.exe
  2⤵
  - Executes dropped EXE
  PID:3036
- C:\Windows\System\gZZPOxr.exe
  C:\Windows\System\gZZPOxr.exe
  2⤵
  - Executes dropped EXE
  PID:684
- C:\Windows\System\wUyPKmL.exe
  C:\Windows\System\wUyPKmL.exe
  2⤵
  - Executes dropped EXE
  PID:1568

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\DthuNKr.exe

Filesize
5.7MB

MD5
a22df35524a5cecc1f8f83c0aa501aca

SHA1
59b0c912545d0a77eb8ec402324dae1a85275ea1

SHA256
9856c0de3e309ca2c4cf716e0bffa822588d492b8958cee4b3bdb8a0524060b8

SHA512
0bfd3327e362317295bf84bcbe1fb3c55aa8d1af37f43379bb514ca959e087531c96a94359e33bb2b2a321ae308857cb5c22652e877484035cb2d7347f0fcf66

Download Submit
C:\Windows\system\GlnzGgL.exe

Filesize
5.7MB

MD5
ec53cc9ae78cdcad26a52bb8ecd57fe7

SHA1
171980f63774da1e74c345333ac8b2b86878e44d

SHA256
76dbef443981f0fc51a7e8b84483400bbaf422c0db83ff5cd083b31b2d1552fe

SHA512
45b815e7edeef14aee6d39f43723af64dfa98c7bb74916288c7204bbe671214528a497c22d5d368e61157451657f2b6a62a7f4923832b2214a3e7a1b059dfadc

Download Submit
C:\Windows\system\IBGmPuR.exe

Filesize
5.7MB

MD5
543f15fec2b59b08393078a9604ae84f

SHA1
cfd59e13644bedef146c6dc1c9380d279c3ebe52

SHA256
8bb6ac4e5452b3bbe5388e1d3508f8fc4822d268c620ab08d65d9cc8a9c1fc2c

SHA512
ddab27538929e153a85be6bab8223070f4fdc701d7e94b25538dca36b3ad0387dd1cc94576a7a77985c1d094fa6083907e4ca9fab8f8061538732b63a9d70e01

Download Submit
C:\Windows\system\KMDNmXg.exe

Filesize
5.7MB

MD5
a108cb6ecfad342b40e45a83ab4d47e2

SHA1
c48e6121fb04417e7ca6cf27335ca88d71ead218

SHA256
c772ce09f6063bf716a1a6c7e2e6289a6c10c3c67a7416f052a22073b1f2807c

SHA512
ec97ea602a9a65c06c8c1623251be68a1fd50d494b442bb0413714ceae0cfa2d3a653c83e2420a8602a23aaf185bfa5fbd0561140ec46e989fc246cdcd73bf0f

Download Submit
C:\Windows\system\SzJlSwi.exe

Filesize
5.7MB

MD5
daf314e99f472d1e7b8156fe69b78444

SHA1
98ece347f90ff7e6e66689e0906869a7008f07a2

SHA256
c68fe50fa365705339cad3e6aecae045ba230993e4dd1f8187027f134406e2cd

SHA512
ff2a2962408a2e991d772bcb67ae59ded703dfa0dd66ac64acbfeee3e5f98fbb90297af28f4e16886607837396d41e4ab8720e13ffe0604bdd9475f87104b08c

Download Submit
C:\Windows\system\UtTACQq.exe

Filesize
5.7MB

MD5
456166ff3d5e02e50be23cf45e55b916

SHA1
f114e1d54124467eb06bb8c1d9f85fb9cf6f1596

SHA256
a24462a17e611e0e72d453b49a6caf256dd3c924b12c2e5795286cac6197a6f3

SHA512
018651d959a02159415ed3ee36fd300a224646fe5db45fb462f5c0584045baedf4634596119498ede664b99c5fa588d21bef3e2699b315885eb0820da827bc03

Download Submit
C:\Windows\system\WifXFBC.exe

Filesize
5.7MB

MD5
8c2e7d1a233d5240f452bcad4d261a14

SHA1
28cfda7d054a58440f1ff7ab8e332176e69d1070

SHA256
353a3fbc0a69cba7b82c414c006bb54818cf7d7d23781f3efd4b774385d948a3

SHA512
04553913ecc3f733f411583ca5120c0b21f3c9b9f1087da2c57c6f2a8e84a5eb44b2ebb06d203c802964ee5002e6a994d0aeb7cb1318fce9ab679a2ff2f6f07a

Download Submit
C:\Windows\system\XeXswpF.exe

Filesize
5.7MB

MD5
b4351c8a6046f3760d15e5cf72cca160

SHA1
4dcd267c1b827617b92ede7d6414404257ff0992

SHA256
3d9f651f386959dc78e5a9d637fe8bb751132c598dc4aab2303a36dc8bc9dd7f

SHA512
d1ed2e768dcf55a0f5452bebb6b669a00bc5b67468c57892a54db25a74237407e561915df69c6c50110cb35c60b1e7ed1dd6b01b9fc9097918255d0b76b1889d

Download Submit
C:\Windows\system\YFJTAsV.exe

Filesize
5.7MB

MD5
7c2d7819dc77f471aac3d65819872db0

SHA1
f48ef4da293c890e265eb34909871118bfb9a603

SHA256
6f112fcfa2db95f8b61abef905ef04ed71d1b22db8b21f4248af95c2ab4f3ad9

SHA512
17c25dce27d7f688e9d3bd92e432cafe78cce0fa3dc6d87ce0d1a6bf85bd116c5503308703ff4a045506cbbf1b71efbbdd152b8eed6eb60b4ebfdec63fcaa334

Download Submit
C:\Windows\system\fxTJmJg.exe

Filesize
5.7MB

MD5
fd099a8e620d63a6127f8f0458130d3f

SHA1
03ec7429c8adc5df310880c0e8875f64c54ebaf2

SHA256
b4788cd95a90d10712d35c4fed4ea541dc8aed9e9657b10954e9a1063fbb0252

SHA512
ba9bbeb3cc5b0ffb3176a543ada58f35f058102be6e4ae688c9a7f5b9da3c75495bb1455aed3b1a27faf20aa0f7b665c6a94f9fd5c17547852e7a353b7f00892

Download Submit
C:\Windows\system\gZZPOxr.exe

Filesize
5.7MB

MD5
ef50ccf3b5710d6de31f12d646710416

SHA1
95358baa2abb821d2b9846252fc6ea1e56a9377b

SHA256
e0e30bb64b4583f00cf1c0f2c2c128fd231209cc511817d5606c1ef35b8bb924

SHA512
c048ede76965c456381c59cbf14c7febfa8a764953104124dd6424d7dd744dbb5f3c2028db3a6481d437ed698e1047720e82ce86875eb09ec9aad840c62edfc7

Download Submit
C:\Windows\system\jUcnLdT.exe

Filesize
5.7MB

MD5
0fb1433fff962d68ceb7a4b9cde14e96

SHA1
e617f01f11630cc8da13528c7e2bc211b1ec6d3b

SHA256
2d4b9c92ff5c96eb972ccdb371cbcb1b7b9966ca9aec66e5bbd95d5e67a1b7fe

SHA512
7ff72e2b3727d0f44d38015fd2db5a5055281131e1589ee00516335ee46ee592c96edc235f0127b9ed4faf3328f9d139d1c6653d8276de540ea233a2fff83c0b

Download Submit
\Windows\system\KOLrgHM.exe

Filesize
5.7MB

MD5
a7618f15ed3887ee0daf43fec5acf9c0

SHA1
1b40e6103aa3fd1de0036fa79ea89e23e89b4a67

SHA256
1709e550716a602567fe45e700474e6889bf9ac6ad8ee43dae9053e0cf52792f

SHA512
eaeb95f564b1601d973244d9e67c69b4dd81cc1a707d8e608d562d4c71297304ef442c8fbb013508ef1b15bf62ed111b9b7c84385c347bffb88d944e0fd588df

Download Submit
\Windows\system\RafCsFb.exe

Filesize
5.7MB

MD5
b628875c57df654940cb32d977bf6d1c

SHA1
abdc1678a4c65681ca330978c06b0a2bc6ba2164

SHA256
09fc6c00fc809b9d3acc67cc150e6df3f5b1d4bbbfc7b18230b9449eb1b58a4b

SHA512
57657c287c1c057b7bcf60644ae433d327aecbcbad18dddda5282add62ce1904d5b0fdc95524bc4421d4b766ec300de75a5d87c01c451cc3d0d278246d9fc5b5

Download Submit
\Windows\system\VzBrLVV.exe

Filesize
5.7MB

MD5
08888cb58bde5d3359abffb91facd0ff

SHA1
adbda006badab4b4fdb7450e01865fa0f3742aec

SHA256
e271c9e64ebb57a8a59fc9b50ac5a7444174113482094b32b3109e274164c8b1

SHA512
cf04415a49ad6364c741244e5f6bae782dd642ac065e3fbdf53f0ccb8989f437c39fa99503a51f873cf5785bdb257d8c565d3e756a4dd7269cd5c360fb7335de

Download Submit
\Windows\system\hNTSWMq.exe

Filesize
5.7MB

MD5
70a5af4017665cb0196a14b0bc5b48af

SHA1
027a5678176fc747b9c8a0520deeefa72a72ea27

SHA256
7d064e41405ad623e6f2340fcf385b45169bf32423d4de0d706604a14b8802c3

SHA512
f6df9f6b61fb59c1c978c429859deba2a255b99e2a19b2f356108a4b6d6e89ca994654822466a9dbe7fa7dd51ea72dc25536900e458fedc78b52b2fd18d42a22

Download Submit
\Windows\system\lBGxXBR.exe

Filesize
5.7MB

MD5
46aa1c920241c28405c9406b1a34bf9c

SHA1
2b9b4f7313957edb08fdac6c65d2f4681dcb584e

SHA256
64a9180dc56363802568cc75cd1797b1e18cff8c7e402ebf00321c42d05fa644

SHA512
6317313d73f7ac8afc23cb38ff9a591e7e695d583b37d95f712224e84e734b90af0a3bcd350ef53b8c7247aa8fbb4dddace37a324f8dda917604f742ce5c56dc

Download Submit
\Windows\system\neYJDCr.exe

Filesize
5.7MB

MD5
dc3befba26941eca98aad23a4393528c

SHA1
a4fa91744fa5aa477ebdea56fe63a879729fb821

SHA256
253adde1fba7e8869488e7243407a400ec893f1fd96cae876c1a625b83ebd973

SHA512
7be1f55e6a2603944ad9858cdb88e2fb5730090ed18b290c6e5f4dedcc8a64e3859fe19c8ea82d072e967b74124a9936e79712ae81741c8fc322c1b905e444e9

Download Submit
\Windows\system\pEusMXR.exe

Filesize
5.7MB

MD5
c7d56aabd8c1335bda9b15141477be6f

SHA1
d43522b36a3ae33facfea878f86637f43f47207a

SHA256
59b1ee513d3508da38d79bf6f2daeecd4ab5142cd93f7b5901aedb009ef39715

SHA512
caf0fcfaedb0acecc694efb12bf5b92549883179388ba9dc837fa691720a7e0ee04c2d83ee6dd8212cb73dc11a01e20c518b5bbad506781cbd308b6d9db59331

Download Submit
\Windows\system\vPBTCHw.exe

Filesize
5.7MB

MD5
45fb81a0def5199c78edb94941e6a0c6

SHA1
a5cfcb741ef888f76553f5e3b3ba352443d1c225

SHA256
2afd491504d3ec69d7e2b2cf159a617ba0a0728621d182dcc100d9365ef86023

SHA512
bb4009bb07175da1334499e48257746aec77e65794dc5f13c460e107ff139b66ce93374dd2f62a5ca879dca9024add40ad469e5b545e707c5bf3d7ed956db48f

Download Submit
\Windows\system\wUyPKmL.exe

Filesize
5.7MB

MD5
434b059399b16cc62e92200c1d131825

SHA1
de4beed2377210fc62fa3fc296b0fd430d112714

SHA256
4b771e1fd41a4d8f7d29326f43b681ba7a789f27ec27cfd813c87594ec23009e

SHA512
063226c24fb0bdd668e737d4621d16c15eea93bd1dfcefeb27bd707f9f26c2e92ca4c035e48fa404d489db0f856cd57fceff916fdf73d0bb880f5ddc28a3dde2

Download Submit
memory/580-62-0x000000013FAE0000-0x000000013FE2D000-memory.dmp

Filesize
3.3MB

Download
memory/624-67-0x000000013FA20000-0x000000013FD6D000-memory.dmp

Filesize
3.3MB

Download
memory/684-119-0x000000013F9B0000-0x000000013FCFD000-memory.dmp

Filesize
3.3MB

Download
memory/1012-49-0x000000013F040000-0x000000013F38D000-memory.dmp

Filesize
3.3MB

Download
memory/1640-77-0x000000013FE30000-0x000000014017D000-memory.dmp

Filesize
3.3MB

Download
memory/1944-43-0x000000013F600000-0x000000013F94D000-memory.dmp

Filesize
3.3MB

Download
memory/1948-30-0x000000013FC80000-0x000000013FFCD000-memory.dmp

Filesize
3.3MB

Download
memory/2384-84-0x000000013F2E0000-0x000000013F62D000-memory.dmp

Filesize
3.3MB

Download
memory/2596-37-0x000000013F770000-0x000000013FABD000-memory.dmp

Filesize
3.3MB

Download
memory/2796-25-0x000000013FC30000-0x000000013FF7D000-memory.dmp

Filesize
3.3MB

Download
memory/2800-12-0x000000013FC90000-0x000000013FFDD000-memory.dmp

Filesize
3.3MB

Download
memory/2824-1-0x0000000000180000-0x0000000000190000-memory.dmp

Filesize
64KB

Download
memory/2824-0-0x000000013F990000-0x000000013FCDD000-memory.dmp

Filesize
3.3MB

Download
memory/2856-64-0x000000013F450000-0x000000013F79D000-memory.dmp

Filesize
3.3MB

Download
memory/2888-7-0x000000013F740000-0x000000013FA8D000-memory.dmp

Filesize
3.3MB

Download
memory/2904-107-0x000000013F6F0000-0x000000013FA3D000-memory.dmp

Filesize
3.3MB

Download
memory/2916-19-0x000000013F100000-0x000000013F44D000-memory.dmp

Filesize
3.3MB

Download
memory/2940-126-0x000000013F470000-0x000000013F7BD000-memory.dmp

Filesize
3.3MB

Download
memory/2976-83-0x000000013F870000-0x000000013FBBD000-memory.dmp

Filesize
3.3MB

Download
memory/2988-95-0x000000013FCC0000-0x000000014000D000-memory.dmp

Filesize
3.3MB

Download
memory/3000-101-0x000000013FFC0000-0x000000014030D000-memory.dmp

Filesize
3.3MB

Download
memory/3036-113-0x000000013F6D0000-0x000000013FA1D000-memory.dmp

Filesize
3.3MB

Download