cobaltstrike | 36d3ad330a98fd0813a8232f5c51f03a0da94d8c55f06a3a1c300dac0d44e5b0

Analysis

max time kernel
143s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2025 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.7MB
MD5

3aa3c29b65a1960f18a911afdb677fa4
SHA1

b2d83e156f361e6457e459a8559eb8d9314d96be
SHA256

36d3ad330a98fd0813a8232f5c51f03a0da94d8c55f06a3a1c300dac0d44e5b0
SHA512

db5541743112d1347bf6d438d441032ca5e595494decea4f458d20fa79f531c895b5fcd7b3c4d733eb5080536431df1eb290230c05a7f05bd8bf6e0a63d6e771
SSDEEP

98304:4emTLkNdfE0pZaJ56utgpPFotBER/mQ32lUG:j+R56utgpPF8u/7G

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023b1b-5.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7a-10.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b79-12.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7b-24.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7c-30.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7d-39.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7f-42.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7e-46.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b80-60.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b76-63.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b82-78.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b88-95.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b85-96.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b89-109.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8b-124.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8a-121.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b87-110.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b86-107.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b84-101.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b83-83.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b81-66.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 43 IoCs

miner

resource	yara_rule
behavioral2/memory/4300-0-0x00007FF75D600000-0x00007FF75D94D000-memory.dmp	xmrig
behavioral2/files/0x000c000000023b1b-5.dat	xmrig
behavioral2/files/0x000a000000023b7a-10.dat	xmrig
behavioral2/files/0x000a000000023b79-12.dat	xmrig
behavioral2/memory/3680-7-0x00007FF6BFBA0000-0x00007FF6BFEED000-memory.dmp	xmrig
behavioral2/memory/2512-15-0x00007FF675570000-0x00007FF6758BD000-memory.dmp	xmrig
behavioral2/memory/2960-19-0x00007FF70F5E0000-0x00007FF70F92D000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b7b-24.dat	xmrig
behavioral2/files/0x000a000000023b7c-30.dat	xmrig
behavioral2/memory/1524-31-0x00007FF778EA0000-0x00007FF7791ED000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b7d-39.dat	xmrig
behavioral2/files/0x000a000000023b7f-42.dat	xmrig
behavioral2/files/0x000a000000023b7e-46.dat	xmrig
behavioral2/memory/3600-54-0x00007FF67CA90000-0x00007FF67CDDD000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b80-60.dat	xmrig
behavioral2/files/0x000b000000023b76-63.dat	xmrig
behavioral2/files/0x000a000000023b82-78.dat	xmrig
behavioral2/files/0x000a000000023b88-95.dat	xmrig
behavioral2/files/0x000a000000023b85-96.dat	xmrig
behavioral2/files/0x000a000000023b89-109.dat	xmrig
behavioral2/memory/2332-122-0x00007FF6D49D0000-0x00007FF6D4D1D000-memory.dmp	xmrig
behavioral2/memory/4648-125-0x00007FF7445D0000-0x00007FF74491D000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b8b-124.dat	xmrig
behavioral2/files/0x000a000000023b8a-121.dat	xmrig
behavioral2/memory/740-119-0x00007FF6C8B60000-0x00007FF6C8EAD000-memory.dmp	xmrig
behavioral2/memory/1620-116-0x00007FF6F7730000-0x00007FF6F7A7D000-memory.dmp	xmrig
behavioral2/memory/3396-111-0x00007FF7ED980000-0x00007FF7EDCCD000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b87-110.dat	xmrig
behavioral2/memory/4968-108-0x00007FF755E00000-0x00007FF75614D000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b86-107.dat	xmrig
behavioral2/memory/468-104-0x00007FF77B140000-0x00007FF77B48D000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b84-101.dat	xmrig
behavioral2/memory/4320-99-0x00007FF61CB90000-0x00007FF61CEDD000-memory.dmp	xmrig
behavioral2/memory/4616-79-0x00007FF665FE0000-0x00007FF66632D000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b83-83.dat	xmrig
behavioral2/memory/2344-84-0x00007FF680640000-0x00007FF68098D000-memory.dmp	xmrig
behavioral2/memory/2096-67-0x00007FF71E7C0000-0x00007FF71EB0D000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b81-66.dat	xmrig
behavioral2/memory/3672-61-0x00007FF6D7E80000-0x00007FF6D81CD000-memory.dmp	xmrig
behavioral2/memory/3732-64-0x00007FF7262B0000-0x00007FF7265FD000-memory.dmp	xmrig
behavioral2/memory/1008-51-0x00007FF6F4690000-0x00007FF6F49DD000-memory.dmp	xmrig
behavioral2/memory/1228-43-0x00007FF64F4C0000-0x00007FF64F80D000-memory.dmp	xmrig
behavioral2/memory/2308-25-0x00007FF7A5230000-0x00007FF7A557D000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3680	yCyTUSx.exe
2512	wGhmtFI.exe
2960	KRlfXJT.exe
2308	uUMsTMm.exe
1524	XYAgPec.exe
1228	byxbEzD.exe
1008	mrthcYP.exe
3600	FheOEpr.exe
3672	nDYHMjJ.exe
3732	NuLIQwj.exe
2096	RTgrDPG.exe
4616	yxSpxVB.exe
2344	UfwbQRC.exe
468	hjRJudD.exe
4320	sHaoacQ.exe
4968	aUUEvdC.exe
3396	wvESEvN.exe
1620	sATrZnz.exe
740	sDaNYqM.exe
2332	BfTXRsV.exe
4648	yqTyGPk.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\wvESEvN.exe	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BfTXRsV.exe	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wGhmtFI.exe	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mrthcYP.exe	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hjRJudD.exe	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UfwbQRC.exe	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aUUEvdC.exe	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KRlfXJT.exe	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XYAgPec.exe	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nDYHMjJ.exe	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yxSpxVB.exe	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sHaoacQ.exe	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sATrZnz.exe	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yqTyGPk.exe	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yCyTUSx.exe	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uUMsTMm.exe	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\byxbEzD.exe	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sDaNYqM.exe	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FheOEpr.exe	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NuLIQwj.exe	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RTgrDPG.exe	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4300	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4300	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4300 wrote to memory of 3680	4300	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4300 wrote to memory of 3680	4300	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4300 wrote to memory of 2512	4300	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4300 wrote to memory of 2512	4300	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4300 wrote to memory of 2960	4300	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4300 wrote to memory of 2960	4300	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4300 wrote to memory of 2308	4300	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4300 wrote to memory of 2308	4300	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4300 wrote to memory of 1524	4300	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4300 wrote to memory of 1524	4300	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4300 wrote to memory of 1228	4300	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4300 wrote to memory of 1228	4300	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4300 wrote to memory of 1008	4300	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4300 wrote to memory of 1008	4300	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4300 wrote to memory of 3600	4300	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4300 wrote to memory of 3600	4300	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4300 wrote to memory of 3672	4300	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4300 wrote to memory of 3672	4300	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4300 wrote to memory of 3732	4300	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4300 wrote to memory of 3732	4300	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4300 wrote to memory of 2096	4300	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4300 wrote to memory of 2096	4300	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4300 wrote to memory of 4616	4300	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4300 wrote to memory of 4616	4300	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4300 wrote to memory of 2344	4300	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4300 wrote to memory of 2344	4300	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4300 wrote to memory of 468	4300	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4300 wrote to memory of 468	4300	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4300 wrote to memory of 4320	4300	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4300 wrote to memory of 4320	4300	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4300 wrote to memory of 4968	4300	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4300 wrote to memory of 4968	4300	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4300 wrote to memory of 3396	4300	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4300 wrote to memory of 3396	4300	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4300 wrote to memory of 1620	4300	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4300 wrote to memory of 1620	4300	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4300 wrote to memory of 740	4300	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4300 wrote to memory of 740	4300	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4300 wrote to memory of 2332	4300	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4300 wrote to memory of 2332	4300	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4300 wrote to memory of 4648	4300	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4300 wrote to memory of 4648	4300	2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-25_3aa3c29b65a1960f18a911afdb677fa4_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4300
- C:\Windows\System\yCyTUSx.exe
  C:\Windows\System\yCyTUSx.exe
  2⤵
  - Executes dropped EXE
  PID:3680
- C:\Windows\System\wGhmtFI.exe
  C:\Windows\System\wGhmtFI.exe
  2⤵
  - Executes dropped EXE
  PID:2512
- C:\Windows\System\KRlfXJT.exe
  C:\Windows\System\KRlfXJT.exe
  2⤵
  - Executes dropped EXE
  PID:2960
- C:\Windows\System\uUMsTMm.exe
  C:\Windows\System\uUMsTMm.exe
  2⤵
  - Executes dropped EXE
  PID:2308
- C:\Windows\System\XYAgPec.exe
  C:\Windows\System\XYAgPec.exe
  2⤵
  - Executes dropped EXE
  PID:1524
- C:\Windows\System\byxbEzD.exe
  C:\Windows\System\byxbEzD.exe
  2⤵
  - Executes dropped EXE
  PID:1228
- C:\Windows\System\mrthcYP.exe
  C:\Windows\System\mrthcYP.exe
  2⤵
  - Executes dropped EXE
  PID:1008
- C:\Windows\System\FheOEpr.exe
  C:\Windows\System\FheOEpr.exe
  2⤵
  - Executes dropped EXE
  PID:3600
- C:\Windows\System\nDYHMjJ.exe
  C:\Windows\System\nDYHMjJ.exe
  2⤵
  - Executes dropped EXE
  PID:3672
- C:\Windows\System\NuLIQwj.exe
  C:\Windows\System\NuLIQwj.exe
  2⤵
  - Executes dropped EXE
  PID:3732
- C:\Windows\System\RTgrDPG.exe
  C:\Windows\System\RTgrDPG.exe
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\System\yxSpxVB.exe
  C:\Windows\System\yxSpxVB.exe
  2⤵
  - Executes dropped EXE
  PID:4616
- C:\Windows\System\UfwbQRC.exe
  C:\Windows\System\UfwbQRC.exe
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\Windows\System\hjRJudD.exe
  C:\Windows\System\hjRJudD.exe
  2⤵
  - Executes dropped EXE
  PID:468
- C:\Windows\System\sHaoacQ.exe
  C:\Windows\System\sHaoacQ.exe
  2⤵
  - Executes dropped EXE
  PID:4320
- C:\Windows\System\aUUEvdC.exe
  C:\Windows\System\aUUEvdC.exe
  2⤵
  - Executes dropped EXE
  PID:4968
- C:\Windows\System\wvESEvN.exe
  C:\Windows\System\wvESEvN.exe
  2⤵
  - Executes dropped EXE
  PID:3396
- C:\Windows\System\sATrZnz.exe
  C:\Windows\System\sATrZnz.exe
  2⤵
  - Executes dropped EXE
  PID:1620
- C:\Windows\System\sDaNYqM.exe
  C:\Windows\System\sDaNYqM.exe
  2⤵
  - Executes dropped EXE
  PID:740
- C:\Windows\System\BfTXRsV.exe
  C:\Windows\System\BfTXRsV.exe
  2⤵
  - Executes dropped EXE
  PID:2332
- C:\Windows\System\yqTyGPk.exe
  C:\Windows\System\yqTyGPk.exe
  2⤵
  - Executes dropped EXE
  PID:4648

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BfTXRsV.exe

Filesize
5.7MB

MD5
86d1d8e4ac7c16bc1389e0144e062c02

SHA1
147e7a432ade6ee882e3f5232cc823dfda832d23

SHA256
6bfcacd149a690adcff340cd7a3b32043f601469abf39759bd1501b4516bcaa5

SHA512
1a4fd8f40e96e859f04b9414a36ef2b003a3b87d309c9a8e8cf8a02de752823bc5a354deeb2bbefdfd490463fad58e025e071a84499c08185dc631653d79956e

Download Submit
C:\Windows\System\FheOEpr.exe

Filesize
5.7MB

MD5
e772fa61b5242df3d1a49a546808eb1b

SHA1
2ce731827a588991a293dd5b8b2dc4825f2da6fe

SHA256
ed1ba427e08641761dcc36d6f203f6b39ef3eec57a671427051c1b8fba6438f5

SHA512
6bb9b3486f8800a4abcec0d452d7e1095ceb262b5589a7eaf018311379b0ef086e87a8b1744cf876675f5c63931ea95f2b26075fb034bd324f5467303dccf5a5

Download Submit
C:\Windows\System\KRlfXJT.exe

Filesize
5.7MB

MD5
232058a5eb4619a4b01cc0fe67c5cee9

SHA1
83deb1eda505cfd8de08b2d2934194c4a93dfcc7

SHA256
b750ccdcf3e7cf02a344cdfa8045efc2f5cdf7c0d36e5cc18691d329edb11b8f

SHA512
ab7424c181bc3f7a6836cabfa923c6c7c6b87f42ec607f8c15793288b1818cdfc67854e7b956c6d4f6144d483c2c6a37abdbc9c6c962d7f95632ff9e935e5e63

Download Submit
C:\Windows\System\NuLIQwj.exe

Filesize
5.7MB

MD5
ad5f25a5f7edb7572973458e4cf087eb

SHA1
7fb66ffb20fef1a09b30eee725339e67cac1c01a

SHA256
e5f772637890691b84bd5409cd8e49c3c62a7b28dc94d04a871628ecb572df85

SHA512
f45069f72cdd7078f15dcbfbcc23e0c394d0f9289e6750da89ec3b48721cc94c00261086834afbbd06cd1bac02c64e54af33ec9856381d7e3a2725bba6834d79

Download Submit
C:\Windows\System\RTgrDPG.exe

Filesize
5.7MB

MD5
9cdf3ff3c529bd194b1fa11a3deedd25

SHA1
471d19e7f43ecd583dc71ba7c7fe5f68dd7c5f8d

SHA256
39b92c390eb834fb641c6ace64bca0088bd743a4f591ab4783fdfa9e81464854

SHA512
a56a2f0414871a1fa767063997a551eefd889d2a292445dd1b04936713eff2fa1acbabd57c0420314807303560faab838931d6013624d84360ae24de8311bd8c

Download Submit
C:\Windows\System\UfwbQRC.exe

Filesize
5.7MB

MD5
67d02edd9cea386e4841bca0c25597b6

SHA1
1506a4b4d9200b1666ff524839008fee2c355d6d

SHA256
e4d0685d12b8c51159592c7438586b9873998319dac96898cb27012c8bd30a84

SHA512
2c37dd9b4c33d1b4d95477c8c8b3c9e0674877c15b072fc64b4e079bc01f2b825fc3aa7de2a92bb647895d4f76dbcb0ac56521cf8d46906949992e9bd05dc8fa

Download Submit
C:\Windows\System\XYAgPec.exe

Filesize
5.7MB

MD5
9d47db0d875f1c4b08b0e6e310b1339b

SHA1
77e741425f8aba60781e4f8755a60d35e9b6bbbd

SHA256
9317528b54c679cdc72b7d98b9a1ec991d3f6af6561ab41db6f2fbfd0dc225df

SHA512
bab6756aa9b4c5281a63d74bd5996b96f168165725a03c2a92bd5a0ecadc75062960aad480a2b9779ddeb5b4acd9c29d457eac78218fabfdfbd570ee1fb62007

Download Submit
C:\Windows\System\aUUEvdC.exe

Filesize
5.7MB

MD5
68e7267f375b2b83e708e93314eee154

SHA1
930ae494b66aeff43651e6da7eb9012410e51d5d

SHA256
30f124606aa083b42509552a7976a3b62c8608d2bcf78d0c977a384342f462d6

SHA512
95ffda13696e4da2a75408651934965cccdc095f96257c0d414da942a9c1df10581410aff70e48f6cdd49599ca6b160b47613bae89ae756d0d2a64a5b04adf55

Download Submit
C:\Windows\System\byxbEzD.exe

Filesize
5.7MB

MD5
3d6b66be509b73b45ad02968e65d695b

SHA1
9e9b5cb4a9afadfbdbed0e8045901b946d250531

SHA256
7eecddd767c30b55d985161ffcb0ccec7818909fe1a76b11c1fcf2b57bcc8c20

SHA512
97d404eb2190cc4f611cb7d6c2f5c7a0e54fccded6a5a2896e898e763a0340b62e63d3f9c467c57bfb323b4bd2f74bce1269d3d5d6e5121ddd70bb402d9c2c2d

Download Submit
C:\Windows\System\hjRJudD.exe

Filesize
5.7MB

MD5
6b996a427513769344c8b949fa490c21

SHA1
ad2293cf405e5c0dddbba41e3af2c42feb9916c8

SHA256
a8e8066934b2ae78027f9116078bdb1c437c9ccd25dda216aa383b02a6b9c22b

SHA512
7f5a96f22aea80f247d1881cdcc3397f31c5dff87543fe902cc5e47bf0ba43556623cd66c3ce07dbeb80e24bdf449e5b91058cdbe9bf190213df6ff34a005c69

Download Submit
C:\Windows\System\mrthcYP.exe

Filesize
5.7MB

MD5
22f2c96d43a001e1ba29f7c9723f1a68

SHA1
41fcca03ef3cf2f13992fb88880c08a917993d27

SHA256
a245469fd8bd84659ea89d5b706b23ade3de834336708172fedbb52a0786e412

SHA512
0aef9c1d7213b515b96fe59ad246a281c792f7d8fd476821a237e07a6bcd0d709fb321a7853232d9d94d8da9b2b66fdfea96c3b70fb83457010efd6ac8794b82

Download Submit
C:\Windows\System\nDYHMjJ.exe

Filesize
5.7MB

MD5
353bc522a7fd26923f94913f7cbd9dcb

SHA1
eab76e4dc46b0e43ad0f68aa5d50c206489c9863

SHA256
7a420ceff47b4afc82ac9778500bb8f259ba253a85bfc64952174b3f63fbe1c5

SHA512
fc07ed41233c0e04b01874f61dedec38b87e40cec2a8cc2c0c47fe2a70e28968942d1826f4540ce900f55b4c38d901da98805f6d8b49d36b192c703a14f7b18d

Download Submit
C:\Windows\System\sATrZnz.exe

Filesize
5.7MB

MD5
565bde3568342885d9489fb135c83384

SHA1
3aad85571e6c9031f26e326636e01df5fab30847

SHA256
05ecbf007b1e6f8f1cf70d6f69a675059f0ea1ec648e788466b248f32292b633

SHA512
a33a4e4d8de5ab08a5905e0b51372c3face1693c99f9e2a5c9f5c634248c9d27a386af485721d7fb977a9ee8cf7728f0cab1b8c1a590ca663af7ef67d0cb821f

Download Submit
C:\Windows\System\sDaNYqM.exe

Filesize
5.7MB

MD5
ceaa09424ba0af47c5bf9c67573f6e69

SHA1
692b0738670b4771ad4f165f94af643ecb95a506

SHA256
d8aa29f59aec22e935d44c2f4fb17ebca07bb5c9602b97768d5d595f526685e6

SHA512
6ded2828d4d974ab637cf6617ed2430e14c8207a07142effac6bd972c710b625096ac3a4196ccab0767b0129ffc5ca32e731c9b1e5bb0a32df59a9d61f50fb90

Download Submit
C:\Windows\System\sHaoacQ.exe

Filesize
5.7MB

MD5
ed7db74c0d3e2194d6d8b476159a6e93

SHA1
a97de0437ff96ca9068652eaec999d6d9aaaf70f

SHA256
223d9dd07b23dfa7e52828718e99ae489bfa282a394bbff9901b6c840d86d0dc

SHA512
160e5bcabcd49e5e702a280fdbe8ee9e9dee65532f5f6b5306cadf8101c76c92e5bba499005401b093538d0b093019d5ee372af60c4e496c0c6ac6e4a5291b19

Download Submit
C:\Windows\System\uUMsTMm.exe

Filesize
5.7MB

MD5
8060a3a29e9fe2681a7096cba9a62003

SHA1
d93576357534a20c6be57164580a6f804d08624a

SHA256
7ea4ac56658378b99eb508e6f530101277048511d4f7b26558c1b02d4d277fd6

SHA512
31490200edd01687697df831b9ddb47ff5e5af33e21d0a6a65e185e25b24b1b78715b1d2e6ed1ef01b6e1a88c783e762b08bf771809d48d1afbc8b6b1bfaac6c

Download Submit
C:\Windows\System\wGhmtFI.exe

Filesize
5.7MB

MD5
a863da31ccacecff988cb06bfa7fc278

SHA1
533b2a52b2405561fe8732c1d16a8f54b67c75f7

SHA256
ea24b01c93ac47f039dc14cb78d64d17d5e6d635ded2cfd603fa341a5ddc81ae

SHA512
43038d10af729c0260f36c2f5e8a04d1f5f0316ff139ac1d6709176d1918616f432b3ed3e7cb61513404e6466aa263e2bf36b6f63699fa95d74361fa509afc96

Download Submit
C:\Windows\System\wvESEvN.exe

Filesize
5.7MB

MD5
a1a3d9114e34ce72c20f814467c52b40

SHA1
8b3b627403f188816d56b7006e94673a7a0cd0c3

SHA256
442eda51630a7d7c4512eec5210543a996649405c10f904f69a0718fd7827faa

SHA512
ef8132da140ca9d6423fd369e04f60816a0a3e819e9e900cc59a493933cc755d477b2294561fa14b696b7084dd0859b7bad5aff4e7eb0f93cb8ab9179cf7d980

Download Submit
C:\Windows\System\yCyTUSx.exe

Filesize
5.7MB

MD5
718bfce259fec069d04bf2286bd6750f

SHA1
8bc7a9ad90b5f2bccd8777710a1cc267862933c0

SHA256
e49d38b8748051a60ee78af45490cb616de3c1484658b5d5325996c9511ea4f3

SHA512
1de4383f13cf7d3be49b98e413a75444656b17513595650622733ad775de19b4d88adde38a5067868051d49da60915a20b84059816ec16e0134a00fbef0058bb

Download Submit
C:\Windows\System\yqTyGPk.exe

Filesize
5.7MB

MD5
f7fbcd116a4c93097a5152dfef33c1a2

SHA1
f6342496db65b34e0ffc9a8a74422fef0c86f093

SHA256
ed406d68dd2133152defc39bc4116df5fbbf1b9ab0c64836fe3e6b40d0d4f694

SHA512
ff5b73b4c92568b3bbd52ac74fe3cff99d0cb713f14035725dc646531e60b139ca3d34c3dece14cf9f774aaf0f67e8035e3ec7a1ccb598d92ebff9274c088a1d

Download Submit
C:\Windows\System\yxSpxVB.exe

Filesize
5.7MB

MD5
2d6ebb9478aa8f835639a88c5802d053

SHA1
dae4868042a260c9c1a3679731449646a852509b

SHA256
b4d58bb5823912d44e05bdadee4fe26f46f6e6dadd319d8d56d0fffdf25d7b2c

SHA512
ae95e5305644f8dcabd610ec1808534965bf4b70600158e2ebeb3020d57c17af2a490504912a551f2796355f14b6c6c473b8254fc55d5a2c5300f07c6c90bff9

Download Submit
memory/468-104-0x00007FF77B140000-0x00007FF77B48D000-memory.dmp

Filesize
3.3MB

Download
memory/740-119-0x00007FF6C8B60000-0x00007FF6C8EAD000-memory.dmp

Filesize
3.3MB

Download
memory/1008-51-0x00007FF6F4690000-0x00007FF6F49DD000-memory.dmp

Filesize
3.3MB

Download
memory/1228-43-0x00007FF64F4C0000-0x00007FF64F80D000-memory.dmp

Filesize
3.3MB

Download
memory/1524-31-0x00007FF778EA0000-0x00007FF7791ED000-memory.dmp

Filesize
3.3MB

Download
memory/1620-116-0x00007FF6F7730000-0x00007FF6F7A7D000-memory.dmp

Filesize
3.3MB

Download
memory/2096-67-0x00007FF71E7C0000-0x00007FF71EB0D000-memory.dmp

Filesize
3.3MB

Download
memory/2308-25-0x00007FF7A5230000-0x00007FF7A557D000-memory.dmp

Filesize
3.3MB

Download
memory/2332-122-0x00007FF6D49D0000-0x00007FF6D4D1D000-memory.dmp

Filesize
3.3MB

Download
memory/2344-84-0x00007FF680640000-0x00007FF68098D000-memory.dmp

Filesize
3.3MB

Download
memory/2512-15-0x00007FF675570000-0x00007FF6758BD000-memory.dmp

Filesize
3.3MB

Download
memory/2960-19-0x00007FF70F5E0000-0x00007FF70F92D000-memory.dmp

Filesize
3.3MB

Download
memory/3396-111-0x00007FF7ED980000-0x00007FF7EDCCD000-memory.dmp

Filesize
3.3MB

Download
memory/3600-54-0x00007FF67CA90000-0x00007FF67CDDD000-memory.dmp

Filesize
3.3MB

Download
memory/3672-61-0x00007FF6D7E80000-0x00007FF6D81CD000-memory.dmp

Filesize
3.3MB

Download
memory/3680-7-0x00007FF6BFBA0000-0x00007FF6BFEED000-memory.dmp

Filesize
3.3MB

Download
memory/3732-64-0x00007FF7262B0000-0x00007FF7265FD000-memory.dmp

Filesize
3.3MB

Download
memory/4300-0-0x00007FF75D600000-0x00007FF75D94D000-memory.dmp

Filesize
3.3MB

Download
memory/4300-1-0x000001F601C90000-0x000001F601CA0000-memory.dmp

Filesize
64KB

Download
memory/4320-99-0x00007FF61CB90000-0x00007FF61CEDD000-memory.dmp

Filesize
3.3MB

Download
memory/4616-79-0x00007FF665FE0000-0x00007FF66632D000-memory.dmp

Filesize
3.3MB

Download
memory/4648-125-0x00007FF7445D0000-0x00007FF74491D000-memory.dmp

Filesize
3.3MB

Download
memory/4968-108-0x00007FF755E00000-0x00007FF75614D000-memory.dmp

Filesize
3.3MB

Download