cobaltstrike | c1bdb8848944bfc298c6c63f7186bb066a0142519df18694629204050cd8675d

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2025 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.7MB
MD5

f8de5f54e127ecb017cb4866866d0ec6
SHA1

c9795dd7e81b6a665009c915a6b5a4ad74c4be1c
SHA256

c1bdb8848944bfc298c6c63f7186bb066a0142519df18694629204050cd8675d
SHA512

44457c53c521013c4647c4bd8b9aaa28019de27bf8329791fc3d0c18875d378559311c9a9d4bb8173d21ff7c443c51fef78a35030ae3e4e578bfe54901c143e1
SSDEEP

98304:4emTLkNdfE0pZaJ56utgpPFotBER/mQ32lUL:j+R56utgpPF8u/7L

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0009000000023bd3-12.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023bd7-16.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bd9-21.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c0e-47.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bdf-49.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c0f-60.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bde-44.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bdd-35.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bdc-39.dat	cobalt_reflective_dll
behavioral2/files/0x000c000000023b5b-6.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c10-65.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bcc-72.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c12-77.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c13-80.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c18-86.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c19-95.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c1a-102.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c2c-108.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c32-112.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c33-115.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c34-124.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 43 IoCs

miner

resource	yara_rule
behavioral2/memory/3240-0-0x00007FF7ACDE0000-0x00007FF7AD12D000-memory.dmp	xmrig
behavioral2/memory/3224-7-0x00007FF692D30000-0x00007FF69307D000-memory.dmp	xmrig
behavioral2/memory/2800-13-0x00007FF70FA60000-0x00007FF70FDAD000-memory.dmp	xmrig
behavioral2/files/0x0009000000023bd3-12.dat	xmrig
behavioral2/files/0x000e000000023bd7-16.dat	xmrig
behavioral2/files/0x0008000000023bd9-21.dat	xmrig
behavioral2/memory/4572-23-0x00007FF631820000-0x00007FF631B6D000-memory.dmp	xmrig
behavioral2/memory/3872-37-0x00007FF68A560000-0x00007FF68A8AD000-memory.dmp	xmrig
behavioral2/files/0x0008000000023c0e-47.dat	xmrig
behavioral2/files/0x0008000000023bdf-49.dat	xmrig
behavioral2/memory/1380-61-0x00007FF741AD0000-0x00007FF741E1D000-memory.dmp	xmrig
behavioral2/files/0x0008000000023c0f-60.dat	xmrig
behavioral2/memory/4420-57-0x00007FF7C8520000-0x00007FF7C886D000-memory.dmp	xmrig
behavioral2/memory/1644-52-0x00007FF7A50B0000-0x00007FF7A53FD000-memory.dmp	xmrig
behavioral2/memory/2680-50-0x00007FF658F10000-0x00007FF65925D000-memory.dmp	xmrig
behavioral2/memory/5008-45-0x00007FF65CAE0000-0x00007FF65CE2D000-memory.dmp	xmrig
behavioral2/files/0x0008000000023bde-44.dat	xmrig
behavioral2/files/0x0008000000023bdd-35.dat	xmrig
behavioral2/files/0x0008000000023bdc-39.dat	xmrig
behavioral2/memory/2376-29-0x00007FF667DA0000-0x00007FF6680ED000-memory.dmp	xmrig
behavioral2/files/0x000c000000023b5b-6.dat	xmrig
behavioral2/files/0x0008000000023c10-65.dat	xmrig
behavioral2/memory/1128-67-0x00007FF70A0B0000-0x00007FF70A3FD000-memory.dmp	xmrig
behavioral2/memory/2380-73-0x00007FF651EA0000-0x00007FF6521ED000-memory.dmp	xmrig
behavioral2/files/0x0009000000023bcc-72.dat	xmrig
behavioral2/files/0x0008000000023c12-77.dat	xmrig
behavioral2/files/0x0008000000023c13-80.dat	xmrig
behavioral2/memory/2052-82-0x00007FF63BB00000-0x00007FF63BE4D000-memory.dmp	xmrig
behavioral2/files/0x0008000000023c18-86.dat	xmrig
behavioral2/files/0x0008000000023c19-95.dat	xmrig
behavioral2/memory/2820-97-0x00007FF62DC60000-0x00007FF62DFAD000-memory.dmp	xmrig
behavioral2/memory/4956-93-0x00007FF6927B0000-0x00007FF692AFD000-memory.dmp	xmrig
behavioral2/memory/3424-88-0x00007FF6FC8F0000-0x00007FF6FCC3D000-memory.dmp	xmrig
behavioral2/memory/2124-103-0x00007FF6E4290000-0x00007FF6E45DD000-memory.dmp	xmrig
behavioral2/files/0x0008000000023c1a-102.dat	xmrig
behavioral2/files/0x0008000000023c2c-108.dat	xmrig
behavioral2/files/0x0008000000023c32-112.dat	xmrig
behavioral2/files/0x0008000000023c33-115.dat	xmrig
behavioral2/memory/2516-111-0x00007FF7947C0000-0x00007FF794B0D000-memory.dmp	xmrig
behavioral2/memory/3192-118-0x00007FF7CBB30000-0x00007FF7CBE7D000-memory.dmp	xmrig
behavioral2/memory/4952-121-0x00007FF718DE0000-0x00007FF71912D000-memory.dmp	xmrig
behavioral2/files/0x0008000000023c34-124.dat	xmrig
behavioral2/memory/1136-126-0x00007FF692B00000-0x00007FF692E4D000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3224	jzJCHic.exe
2800	aoIUCSt.exe
4572	FpvqVsA.exe
2376	ncBRQIV.exe
1644	hETaWEs.exe
3872	CpZwGty.exe
5008	fiRSNmB.exe
2680	aOKaDLA.exe
4420	GzYHvjR.exe
1380	WlTCZcJ.exe
1128	ffcUPJB.exe
2380	JTNLREg.exe
2052	lqIXVxD.exe
3424	FdIfBIN.exe
4956	EUASfLo.exe
2820	MWccGYe.exe
2124	kIPBpda.exe
2516	wqCJzqv.exe
3192	HVBueac.exe
4952	iQCpBXS.exe
1136	lxIfWYk.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\fiRSNmB.exe	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JTNLREg.exe	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MWccGYe.exe	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kIPBpda.exe	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jzJCHic.exe	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aoIUCSt.exe	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ncBRQIV.exe	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hETaWEs.exe	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HVBueac.exe	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iQCpBXS.exe	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FdIfBIN.exe	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FpvqVsA.exe	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CpZwGty.exe	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aOKaDLA.exe	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ffcUPJB.exe	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wqCJzqv.exe	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lxIfWYk.exe	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GzYHvjR.exe	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WlTCZcJ.exe	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lqIXVxD.exe	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EUASfLo.exe	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3240	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3240	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3240 wrote to memory of 3224	3240	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3240 wrote to memory of 3224	3240	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3240 wrote to memory of 2800	3240	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3240 wrote to memory of 2800	3240	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3240 wrote to memory of 4572	3240	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3240 wrote to memory of 4572	3240	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3240 wrote to memory of 2376	3240	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3240 wrote to memory of 2376	3240	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3240 wrote to memory of 1644	3240	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3240 wrote to memory of 1644	3240	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3240 wrote to memory of 3872	3240	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3240 wrote to memory of 3872	3240	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3240 wrote to memory of 5008	3240	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3240 wrote to memory of 5008	3240	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3240 wrote to memory of 2680	3240	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3240 wrote to memory of 2680	3240	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3240 wrote to memory of 4420	3240	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3240 wrote to memory of 4420	3240	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3240 wrote to memory of 1380	3240	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3240 wrote to memory of 1380	3240	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3240 wrote to memory of 1128	3240	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3240 wrote to memory of 1128	3240	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3240 wrote to memory of 2380	3240	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3240 wrote to memory of 2380	3240	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3240 wrote to memory of 2052	3240	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3240 wrote to memory of 2052	3240	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3240 wrote to memory of 3424	3240	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3240 wrote to memory of 3424	3240	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3240 wrote to memory of 4956	3240	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3240 wrote to memory of 4956	3240	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3240 wrote to memory of 2820	3240	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3240 wrote to memory of 2820	3240	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3240 wrote to memory of 2124	3240	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3240 wrote to memory of 2124	3240	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3240 wrote to memory of 2516	3240	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3240 wrote to memory of 2516	3240	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3240 wrote to memory of 3192	3240	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3240 wrote to memory of 3192	3240	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3240 wrote to memory of 4952	3240	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3240 wrote to memory of 4952	3240	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3240 wrote to memory of 1136	3240	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3240 wrote to memory of 1136	3240	2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-25_f8de5f54e127ecb017cb4866866d0ec6_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3240
- C:\Windows\System\jzJCHic.exe
  C:\Windows\System\jzJCHic.exe
  2⤵
  - Executes dropped EXE
  PID:3224
- C:\Windows\System\aoIUCSt.exe
  C:\Windows\System\aoIUCSt.exe
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\System\FpvqVsA.exe
  C:\Windows\System\FpvqVsA.exe
  2⤵
  - Executes dropped EXE
  PID:4572
- C:\Windows\System\ncBRQIV.exe
  C:\Windows\System\ncBRQIV.exe
  2⤵
  - Executes dropped EXE
  PID:2376
- C:\Windows\System\hETaWEs.exe
  C:\Windows\System\hETaWEs.exe
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\Windows\System\CpZwGty.exe
  C:\Windows\System\CpZwGty.exe
  2⤵
  - Executes dropped EXE
  PID:3872
- C:\Windows\System\fiRSNmB.exe
  C:\Windows\System\fiRSNmB.exe
  2⤵
  - Executes dropped EXE
  PID:5008
- C:\Windows\System\aOKaDLA.exe
  C:\Windows\System\aOKaDLA.exe
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\System\GzYHvjR.exe
  C:\Windows\System\GzYHvjR.exe
  2⤵
  - Executes dropped EXE
  PID:4420
- C:\Windows\System\WlTCZcJ.exe
  C:\Windows\System\WlTCZcJ.exe
  2⤵
  - Executes dropped EXE
  PID:1380
- C:\Windows\System\ffcUPJB.exe
  C:\Windows\System\ffcUPJB.exe
  2⤵
  - Executes dropped EXE
  PID:1128
- C:\Windows\System\JTNLREg.exe
  C:\Windows\System\JTNLREg.exe
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\System\lqIXVxD.exe
  C:\Windows\System\lqIXVxD.exe
  2⤵
  - Executes dropped EXE
  PID:2052
- C:\Windows\System\FdIfBIN.exe
  C:\Windows\System\FdIfBIN.exe
  2⤵
  - Executes dropped EXE
  PID:3424
- C:\Windows\System\EUASfLo.exe
  C:\Windows\System\EUASfLo.exe
  2⤵
  - Executes dropped EXE
  PID:4956
- C:\Windows\System\MWccGYe.exe
  C:\Windows\System\MWccGYe.exe
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\System\kIPBpda.exe
  C:\Windows\System\kIPBpda.exe
  2⤵
  - Executes dropped EXE
  PID:2124
- C:\Windows\System\wqCJzqv.exe
  C:\Windows\System\wqCJzqv.exe
  2⤵
  - Executes dropped EXE
  PID:2516
- C:\Windows\System\HVBueac.exe
  C:\Windows\System\HVBueac.exe
  2⤵
  - Executes dropped EXE
  PID:3192
- C:\Windows\System\iQCpBXS.exe
  C:\Windows\System\iQCpBXS.exe
  2⤵
  - Executes dropped EXE
  PID:4952
- C:\Windows\System\lxIfWYk.exe
  C:\Windows\System\lxIfWYk.exe
  2⤵
  - Executes dropped EXE
  PID:1136

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CpZwGty.exe

Filesize
5.7MB

MD5
3cfa6aac3a8345d6bdf9cd66477ffaea

SHA1
c12825518c695ad18ac920c480e1664ff68adbc4

SHA256
fc0c6f5e462328b1da943801758b7c7f98db2563e91024e90cb2371c7fe2ca26

SHA512
f5ef1f7b9bafae69acbd58f8032d014539d5893718863f6d3ee1f0ffb4dbff5161d0cc8fd23d10ddef3469c04a434ca71899a1e16cdc67d898c94a7276045804

Download Submit
C:\Windows\System\EUASfLo.exe

Filesize
5.7MB

MD5
acd59cd2a1ea6d8b17865a21d3d22714

SHA1
45b005669b7124f8c37f40af3130c425f5448dc4

SHA256
a3125d97223ec993d491dbbebf698066320788f5bcfaf1785956c27d3f15fcb7

SHA512
2fe52d6f66b02f952f373d00a586669e2453b99e94d534547eec7d03e93d15d2281365fb2af4ab54de2286c463a051a07f3239927c450a7ca7256d31a051999e

Download Submit
C:\Windows\System\FdIfBIN.exe

Filesize
5.7MB

MD5
6e98c98c0290798da3ec1ef571de46ca

SHA1
5ce95cd98d8f8e6e4f4fc0cc9caf6d88a2410905

SHA256
a4242fa8a63760011968dcfb8cb487b236658ad33d0a7ee22a40238da25c6df2

SHA512
e9c6af400b38991374651ec369ecf53db0227c34796e442a19a1bb69b5ed5d592d4fa4564892bfae40533961a48d9aa125f59abf7c0616598963ea64f75de19d

Download Submit
C:\Windows\System\FpvqVsA.exe

Filesize
5.7MB

MD5
ddf59b92e9a442d318804d17049904be

SHA1
0c37d23b58d3f2dbd2fff9e721fb0e273eaa1eaf

SHA256
37ab1169b5b5298b150cd936c74197eedc853b57e03ae47239d0ac66624fc9c7

SHA512
446c7a866a1bd1afee79c4d31d77c2d3cd9c390cf585291ad84d1bfdcc1544eca732d7aeb4a8adea224272b2bb165bb35e6fe036cb905504da3f997f655926a8

Download Submit
C:\Windows\System\GzYHvjR.exe

Filesize
5.7MB

MD5
46e71ede962f22632782e577547d42fa

SHA1
2c586805ea92566973997a79a6ff4e58377133a0

SHA256
225376d6a0a3559ff03e8da2242d7f977ed7e3b613e11a6cdbb66e7b5c4ebd3f

SHA512
3d13b380598124c76568d936689cfaed76862ef760224e739ad1d4e3b237df0ea155b027007891d8b0c429ddcaa8712dd802d30fb786fb277c081de1282e9ac3

Download Submit
C:\Windows\System\HVBueac.exe

Filesize
5.7MB

MD5
0b1ba5264cd0b5dd2d86a9bec4f04943

SHA1
b605254bb08e6ec4c3c88e25838c1368eee58065

SHA256
929738dc94e6ede5320c37780a99e81cb8d70f481b612df5173d17b7fb673ced

SHA512
bb5a73360ad665f0e92a7fa2e8f323173ab156cd8bdd706c1c8294f2c81072690f452a0d624673c3caf441bbb15e847541f91665182420297213c6b22f1ef2dd

Download Submit
C:\Windows\System\JTNLREg.exe

Filesize
5.7MB

MD5
f2af57af1501fb4203bd538b1a4558af

SHA1
6b4557a92f9316fbf73b138d5aaa1a914136897a

SHA256
2dfcd30742e6b1083e41455828568be2f72ca7d816f486c25e6f933ceb093f01

SHA512
2ab757698c0b095cf225a0726694fbe8b05323972d5cc92b5f9b16d3a8c3263b3c29717d08a0dff01e5c9c86492ac479530c468d35a8448a026795df58c75e68

Download Submit
C:\Windows\System\MWccGYe.exe

Filesize
5.7MB

MD5
3b1a13a5733d3ba922d1a5ca2de01351

SHA1
3685aea8436cc2307353cf7d4d2ac6eed3c9997a

SHA256
32bda9868a8dc7864af5980031d513b9ecf776b8cd02c8c96679349f022070c3

SHA512
ef2869fabb2253ce4d596e26d4347425896faf45f34842c6ea47760501270441d19f69b375e2c9a3f5489891944ed400a2365f1a9a3e1d154a0fc5ffe2221a89

Download Submit
C:\Windows\System\WlTCZcJ.exe

Filesize
5.7MB

MD5
2ab3355749b800c4106680571891cf46

SHA1
034816b19944ea3c101e5e382622a3bbe73ad450

SHA256
0ad5a5da021e2c281873df1b66f7bde799fc51be91e5cb91309f186a4ce59770

SHA512
dac6363097a24e14a7955b7136ca019811bdc8a1cee628f8f7fea44182bc88835c31b87a285fe8f67a6d04b52f6fbd3161786b8091e6294401f4ae05dcbdad1b

Download Submit
C:\Windows\System\aOKaDLA.exe

Filesize
5.7MB

MD5
406acc9e430172104dbdc2c46a71b648

SHA1
62f2c4da74de8a6c795d29746272e3a35db92f7b

SHA256
187cdf7e82a6b5d520e163a9758bbef86f00e067ad3379a8dd76f33cc8617a72

SHA512
431a787894246dfc21b447939374ba8a92fc3bee30d2a35052854c9b45b4c536e1745cfe756209821e0f2fcc2167353d6587d0af2eba3f14b00e77267056a333

Download Submit
C:\Windows\System\aoIUCSt.exe

Filesize
5.7MB

MD5
e54cd5191584eb30ad8dc5d838f94f07

SHA1
f42b63f2e688d654cfc2706391970ba79ea96e35

SHA256
42f14e76a499f5ca18d83c0b8b448f39f67fd695869e2ce71e89296f1fbe29ba

SHA512
a69958ec70efc02b2ac5715f9178e972a9c49983f5aaa3d0d05ffd5a13ed5fd98c1d3e606c71d454db9260f15003257793f2faff45413ad18f8588aa79136850

Download Submit
C:\Windows\System\ffcUPJB.exe

Filesize
5.7MB

MD5
458791a72be677b74e26b1f754f3fd83

SHA1
01d3e32e634193a0d20521d2d8013e2ed717b8b1

SHA256
64916ef769ad592373be96251631f8e5625f702ac004891d8e919ed0b13b19dc

SHA512
6bb6edb02a5092c14a2940a0d4bf14d8e67fefd4d035db60c131998331e5dfd9ce47a1eeeb03e09893cdb4c40fc5a3a50ce1092d89090368742f3958f2191419

Download Submit
C:\Windows\System\fiRSNmB.exe

Filesize
5.7MB

MD5
c908a9922d3c0dd5bfa005187bf314bf

SHA1
32004c0ded7c80efde63c647d310006a9669a13b

SHA256
111032913737b53764ed668e928a588178acfb99dea23cad8f2b7728fcd35ba5

SHA512
e555fc9f9a0bece0b70e451f104efdeaa51a098f5031cfd8cf395ccae344d23a13e7a7d7daf0ff238abacf446c3587eb6f611bd730c784674722aac938027349

Download Submit
C:\Windows\System\hETaWEs.exe

Filesize
5.7MB

MD5
bf687e2caea21671f072f137e57ce0e1

SHA1
e150fb0516d79989e9961b8adedd0e87a63cb37c

SHA256
ca0db6fc8d1355b43b33da59766ffde1208e0b44c2a49c6a77d20c0335167d3a

SHA512
ca8f06afd019d516c01e47177f9cf2b579cfa11d74c16553304ea3952d4b1ac9ca01c75c4488c07d62fb5e0a6d8fc27243f2e7163c147b540e7af761ab7a9043

Download Submit
C:\Windows\System\iQCpBXS.exe

Filesize
5.7MB

MD5
53675f0996790ca4176567e9a68ab158

SHA1
d44648fe90948d03b3cb3032898dedcbad0c60b8

SHA256
b99934da5249e1e9b6b70ea3ccf910be81ea9b174d2de14ff1fc0c73e2b83fa0

SHA512
0dc575e47ae43cbb0b4b60218909763781548f260e95763aef6f8eb4d05cf9bb3bf4554a47f35a7c33944352d08112b5de3c0348f3dd50bdfd6176e9d053899c

Download Submit
C:\Windows\System\jzJCHic.exe

Filesize
5.7MB

MD5
2263b5e8408dc29670b640f1d4505507

SHA1
b9f66a9855987ca65b13b5a539b4f09e57270dcb

SHA256
47b4d98fc23bd3d9af764d41da69418f67347d2947c737d0c68c154821341fb0

SHA512
d3f6ee31d2a541e8e4adc62ab7eecf28ae9b74dfc270541cda354ce788587f72dba1dbe2db077e3f161b54ca7ad856ece208da36c6509bec070966adfeef799d

Download Submit
C:\Windows\System\kIPBpda.exe

Filesize
5.7MB

MD5
d22fb070f777f965a48d331defd967f6

SHA1
4948ba242533ff0a8fbbb62613fd8ac2c31fc770

SHA256
80dcc0ec9b3f9af5c46600a454780c6b7935d23b27c0c402a3bad2e1671b937f

SHA512
43cb0ab90f988d9dcd21ede243523052633745aa1d7d81d09797ae23ac751b68a1e9bc40ce3cc7c7ff6c8bd369a46cbc576c99c8e03cc1a0ed1b3f7f2f38e154

Download Submit
C:\Windows\System\lqIXVxD.exe

Filesize
5.7MB

MD5
c9a8c4e52620784dfbdf173b2cd01a33

SHA1
31ea8d81b5d769f439e1f856dd0d1dd3b6550d4a

SHA256
cea86a5c6d936c8a54318586ea46d2a4ca80b5ed4c8c170b75265ece0b532214

SHA512
83d846897b28f0612c2c54fd7169ec4edbb9224e1d9d2bbb2a291e1927869f320a1d6d12afa600c0bbc8282fd03a6778dffb1cffe723774688768dee08ba3395

Download Submit
C:\Windows\System\lxIfWYk.exe

Filesize
5.7MB

MD5
7c442839870a81dac32336e1fc09bf6a

SHA1
d562f550dcc96c7b327208b51915395fec8c80a5

SHA256
f09183bf5409bb1fd934f2388f5f4e2b81c2742637a489485585bce45cba5d5c

SHA512
679bef88f9568de72fb7c7eb7407cf1cefeefc344b62911c21f7d4ffff55f4ff698cc2b031c8932e4dbd81bb59b7cde81582dd436a2c905282f99eaafe971c30

Download Submit
C:\Windows\System\ncBRQIV.exe

Filesize
5.7MB

MD5
debf4df3949e157b5053b991b5bf7217

SHA1
f00ae019017fb7265f5a76d1f653970d13732848

SHA256
ecca39fd560cd596fa95f4c6478b46be109618ebd5dc23b4fd1c26718c20acc5

SHA512
9c6b2241fdeeb1b9b46db0f311fcb2a2040aa5aa9bb87371664e84655e7610a739dca40e0c0b32e4dd4e4a4cad5f2a6bd161a7343895682f17462afd242d2577

Download Submit
C:\Windows\System\wqCJzqv.exe

Filesize
5.7MB

MD5
eacf474adf75a020bdeddba9d7b47746

SHA1
51bdff3dab6a35a1636fbab5c40ac786ee151a33

SHA256
30f14d8ba117b1d120d75141a37f5678f295bdfe453aa3d450e7a71fcf1da502

SHA512
009e7b5075a1d0f6a28b72213846d3906066b5fff3445ed936a312cc119855265f2c4c71f32733755ca8b5173aab462fcd571e785664aee21ada1c3fb166be81

Download Submit
memory/1128-67-0x00007FF70A0B0000-0x00007FF70A3FD000-memory.dmp

Filesize
3.3MB

Download
memory/1136-126-0x00007FF692B00000-0x00007FF692E4D000-memory.dmp

Filesize
3.3MB

Download
memory/1380-61-0x00007FF741AD0000-0x00007FF741E1D000-memory.dmp

Filesize
3.3MB

Download
memory/1644-52-0x00007FF7A50B0000-0x00007FF7A53FD000-memory.dmp

Filesize
3.3MB

Download
memory/2052-82-0x00007FF63BB00000-0x00007FF63BE4D000-memory.dmp

Filesize
3.3MB

Download
memory/2124-103-0x00007FF6E4290000-0x00007FF6E45DD000-memory.dmp

Filesize
3.3MB

Download
memory/2376-29-0x00007FF667DA0000-0x00007FF6680ED000-memory.dmp

Filesize
3.3MB

Download
memory/2380-73-0x00007FF651EA0000-0x00007FF6521ED000-memory.dmp

Filesize
3.3MB

Download
memory/2516-111-0x00007FF7947C0000-0x00007FF794B0D000-memory.dmp

Filesize
3.3MB

Download
memory/2680-50-0x00007FF658F10000-0x00007FF65925D000-memory.dmp

Filesize
3.3MB

Download
memory/2800-13-0x00007FF70FA60000-0x00007FF70FDAD000-memory.dmp

Filesize
3.3MB

Download
memory/2820-97-0x00007FF62DC60000-0x00007FF62DFAD000-memory.dmp

Filesize
3.3MB

Download
memory/3192-118-0x00007FF7CBB30000-0x00007FF7CBE7D000-memory.dmp

Filesize
3.3MB

Download
memory/3224-7-0x00007FF692D30000-0x00007FF69307D000-memory.dmp

Filesize
3.3MB

Download
memory/3240-1-0x000001C21D780000-0x000001C21D790000-memory.dmp

Filesize
64KB

Download
memory/3240-0-0x00007FF7ACDE0000-0x00007FF7AD12D000-memory.dmp

Filesize
3.3MB

Download
memory/3424-88-0x00007FF6FC8F0000-0x00007FF6FCC3D000-memory.dmp

Filesize
3.3MB

Download
memory/3872-37-0x00007FF68A560000-0x00007FF68A8AD000-memory.dmp

Filesize
3.3MB

Download
memory/4420-57-0x00007FF7C8520000-0x00007FF7C886D000-memory.dmp

Filesize
3.3MB

Download
memory/4572-23-0x00007FF631820000-0x00007FF631B6D000-memory.dmp

Filesize
3.3MB

Download
memory/4952-121-0x00007FF718DE0000-0x00007FF71912D000-memory.dmp

Filesize
3.3MB

Download
memory/4956-93-0x00007FF6927B0000-0x00007FF692AFD000-memory.dmp

Filesize
3.3MB

Download
memory/5008-45-0x00007FF65CAE0000-0x00007FF65CE2D000-memory.dmp

Filesize
3.3MB

Download