cobaltstrike | 9400dfcfc009ca5ace1bca56e2d9982cfde7b28525857c87c60e37755642f0d0

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26/01/2025, 01:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.7MB
MD5

90e9ffc724afba2a6cdbeb44ea2b84eb
SHA1

59b19947089f61bd37a583eb40e4953a8d666c95
SHA256

9400dfcfc009ca5ace1bca56e2d9982cfde7b28525857c87c60e37755642f0d0
SHA512

7de3f79fbf126f5b50c3a2534e77fb5fca3db65391df505a983da6aedf4e014917a99e9c54e6d447dd98f9609dbdef0440e7ec92f25967e2d311396a52958349
SSDEEP

98304:4emTLkNdfE0pZaJ56utgpPFotBER/mQ32lUI:j+R56utgpPF8u/7I

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023ca3-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca8-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca7-12.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caa-23.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cab-29.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cac-35.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023ca4-41.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cad-46.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cae-52.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caf-60.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb0-65.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb1-70.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb2-76.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb3-83.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb4-90.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb5-95.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb7-101.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb8-107.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb9-113.dat	cobalt_reflective_dll
behavioral2/files/0x000200000001e748-117.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbc-124.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 43 IoCs

miner

resource	yara_rule
behavioral2/memory/4892-0-0x00007FF675EE0000-0x00007FF67622D000-memory.dmp	xmrig
behavioral2/files/0x0008000000023ca3-5.dat	xmrig
behavioral2/memory/212-7-0x00007FF6C8B70000-0x00007FF6C8EBD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023ca8-10.dat	xmrig
behavioral2/files/0x0007000000023ca7-12.dat	xmrig
behavioral2/memory/1296-13-0x00007FF6DB640000-0x00007FF6DB98D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023caa-23.dat	xmrig
behavioral2/memory/4084-25-0x00007FF687820000-0x00007FF687B6D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cab-29.dat	xmrig
behavioral2/memory/3748-31-0x00007FF789730000-0x00007FF789A7D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cac-35.dat	xmrig
behavioral2/files/0x0008000000023ca4-41.dat	xmrig
behavioral2/memory/3352-42-0x00007FF6CB680000-0x00007FF6CB9CD000-memory.dmp	xmrig
behavioral2/memory/4188-39-0x00007FF7844B0000-0x00007FF7847FD000-memory.dmp	xmrig
behavioral2/memory/2096-19-0x00007FF6272A0000-0x00007FF6275ED000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cad-46.dat	xmrig
behavioral2/memory/3548-49-0x00007FF7018E0000-0x00007FF701C2D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cae-52.dat	xmrig
behavioral2/memory/2284-55-0x00007FF7C2BE0000-0x00007FF7C2F2D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023caf-60.dat	xmrig
behavioral2/memory/2140-61-0x00007FF6E03C0000-0x00007FF6E070D000-memory.dmp	xmrig
behavioral2/memory/3084-66-0x00007FF6B6850000-0x00007FF6B6B9D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cb0-65.dat	xmrig
behavioral2/files/0x0007000000023cb1-70.dat	xmrig
behavioral2/memory/3812-73-0x00007FF61DD60000-0x00007FF61E0AD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cb2-76.dat	xmrig
behavioral2/memory/1436-79-0x00007FF6354F0000-0x00007FF63583D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cb3-83.dat	xmrig
behavioral2/memory/4336-84-0x00007FF774EE0000-0x00007FF77522D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cb4-90.dat	xmrig
behavioral2/memory/4368-91-0x00007FF7DF020000-0x00007FF7DF36D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cb5-95.dat	xmrig
behavioral2/memory/4520-97-0x00007FF6D3760000-0x00007FF6D3AAD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cb7-101.dat	xmrig
behavioral2/files/0x0007000000023cb8-107.dat	xmrig
behavioral2/memory/5112-109-0x00007FF7D2630000-0x00007FF7D297D000-memory.dmp	xmrig
behavioral2/memory/4516-103-0x00007FF66CF30000-0x00007FF66D27D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cb9-113.dat	xmrig
behavioral2/files/0x000200000001e748-117.dat	xmrig
behavioral2/memory/3128-121-0x00007FF63DD90000-0x00007FF63E0DD000-memory.dmp	xmrig
behavioral2/memory/4756-118-0x00007FF6718A0000-0x00007FF671BED000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cbc-124.dat	xmrig
behavioral2/memory/4416-126-0x00007FF663A10000-0x00007FF663D5D000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
212	HeWFagv.exe
1296	HNvmiWw.exe
2096	ufxpnvA.exe
4084	GGqXcSi.exe
3748	ETDdFKw.exe
4188	bWXVUMa.exe
3352	nftzDmZ.exe
3548	piTKFQb.exe
2284	dwgbGzY.exe
2140	KivdPGM.exe
3084	VVqSbQv.exe
3812	ISycLGy.exe
1436	GlYzSql.exe
4336	bvYlgBY.exe
4368	tACPBjG.exe
4520	wSlsoBe.exe
4516	EHUJmWs.exe
5112	izNpoXe.exe
4756	rzIwRMH.exe
3128	sGSJGOe.exe
4416	RqmIkqe.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\HNvmiWw.exe	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GGqXcSi.exe	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\piTKFQb.exe	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rzIwRMH.exe	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ufxpnvA.exe	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ETDdFKw.exe	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nftzDmZ.exe	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dwgbGzY.exe	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wSlsoBe.exe	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\izNpoXe.exe	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KivdPGM.exe	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VVqSbQv.exe	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ISycLGy.exe	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bvYlgBY.exe	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HeWFagv.exe	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bWXVUMa.exe	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GlYzSql.exe	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tACPBjG.exe	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EHUJmWs.exe	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sGSJGOe.exe	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RqmIkqe.exe	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4892	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4892	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4892 wrote to memory of 212	4892	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4892 wrote to memory of 212	4892	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4892 wrote to memory of 1296	4892	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4892 wrote to memory of 1296	4892	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4892 wrote to memory of 2096	4892	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4892 wrote to memory of 2096	4892	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4892 wrote to memory of 4084	4892	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4892 wrote to memory of 4084	4892	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4892 wrote to memory of 3748	4892	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4892 wrote to memory of 3748	4892	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4892 wrote to memory of 4188	4892	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4892 wrote to memory of 4188	4892	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4892 wrote to memory of 3352	4892	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4892 wrote to memory of 3352	4892	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4892 wrote to memory of 3548	4892	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4892 wrote to memory of 3548	4892	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4892 wrote to memory of 2284	4892	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4892 wrote to memory of 2284	4892	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4892 wrote to memory of 2140	4892	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4892 wrote to memory of 2140	4892	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4892 wrote to memory of 3084	4892	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4892 wrote to memory of 3084	4892	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4892 wrote to memory of 3812	4892	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4892 wrote to memory of 3812	4892	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4892 wrote to memory of 1436	4892	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4892 wrote to memory of 1436	4892	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4892 wrote to memory of 4336	4892	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4892 wrote to memory of 4336	4892	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4892 wrote to memory of 4368	4892	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4892 wrote to memory of 4368	4892	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4892 wrote to memory of 4520	4892	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4892 wrote to memory of 4520	4892	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4892 wrote to memory of 4516	4892	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4892 wrote to memory of 4516	4892	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4892 wrote to memory of 5112	4892	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4892 wrote to memory of 5112	4892	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4892 wrote to memory of 4756	4892	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4892 wrote to memory of 4756	4892	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4892 wrote to memory of 3128	4892	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4892 wrote to memory of 3128	4892	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4892 wrote to memory of 4416	4892	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4892 wrote to memory of 4416	4892	2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-26_90e9ffc724afba2a6cdbeb44ea2b84eb_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Windows\System\HeWFagv.exe
  C:\Windows\System\HeWFagv.exe
  2⤵
  - Executes dropped EXE
  PID:212
- C:\Windows\System\HNvmiWw.exe
  C:\Windows\System\HNvmiWw.exe
  2⤵
  - Executes dropped EXE
  PID:1296
- C:\Windows\System\ufxpnvA.exe
  C:\Windows\System\ufxpnvA.exe
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\System\GGqXcSi.exe
  C:\Windows\System\GGqXcSi.exe
  2⤵
  - Executes dropped EXE
  PID:4084
- C:\Windows\System\ETDdFKw.exe
  C:\Windows\System\ETDdFKw.exe
  2⤵
  - Executes dropped EXE
  PID:3748
- C:\Windows\System\bWXVUMa.exe
  C:\Windows\System\bWXVUMa.exe
  2⤵
  - Executes dropped EXE
  PID:4188
- C:\Windows\System\nftzDmZ.exe
  C:\Windows\System\nftzDmZ.exe
  2⤵
  - Executes dropped EXE
  PID:3352
- C:\Windows\System\piTKFQb.exe
  C:\Windows\System\piTKFQb.exe
  2⤵
  - Executes dropped EXE
  PID:3548
- C:\Windows\System\dwgbGzY.exe
  C:\Windows\System\dwgbGzY.exe
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\System\KivdPGM.exe
  C:\Windows\System\KivdPGM.exe
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\Windows\System\VVqSbQv.exe
  C:\Windows\System\VVqSbQv.exe
  2⤵
  - Executes dropped EXE
  PID:3084
- C:\Windows\System\ISycLGy.exe
  C:\Windows\System\ISycLGy.exe
  2⤵
  - Executes dropped EXE
  PID:3812
- C:\Windows\System\GlYzSql.exe
  C:\Windows\System\GlYzSql.exe
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\Windows\System\bvYlgBY.exe
  C:\Windows\System\bvYlgBY.exe
  2⤵
  - Executes dropped EXE
  PID:4336
- C:\Windows\System\tACPBjG.exe
  C:\Windows\System\tACPBjG.exe
  2⤵
  - Executes dropped EXE
  PID:4368
- C:\Windows\System\wSlsoBe.exe
  C:\Windows\System\wSlsoBe.exe
  2⤵
  - Executes dropped EXE
  PID:4520
- C:\Windows\System\EHUJmWs.exe
  C:\Windows\System\EHUJmWs.exe
  2⤵
  - Executes dropped EXE
  PID:4516
- C:\Windows\System\izNpoXe.exe
  C:\Windows\System\izNpoXe.exe
  2⤵
  - Executes dropped EXE
  PID:5112
- C:\Windows\System\rzIwRMH.exe
  C:\Windows\System\rzIwRMH.exe
  2⤵
  - Executes dropped EXE
  PID:4756
- C:\Windows\System\sGSJGOe.exe
  C:\Windows\System\sGSJGOe.exe
  2⤵
  - Executes dropped EXE
  PID:3128
- C:\Windows\System\RqmIkqe.exe
  C:\Windows\System\RqmIkqe.exe
  2⤵
  - Executes dropped EXE
  PID:4416

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\EHUJmWs.exe

Filesize
5.7MB

MD5
5d5f8570b2efa04ff702dfdfe7f6547c

SHA1
464576b08972610b4bdb7f6fdb464332095bc384

SHA256
566aad79cace6e5e0fda0540f719447a1048d348fdb0cade694ccbd81a0936ca

SHA512
b1bfea87910f174ba8e780a30b4c9fdf5ba4a794884a34f0a5628b1cfeee4d22bade282a1c2d2faf4ad653bd08f27734154ebf9013fdd0d09438499191cabbaf

Download Submit
C:\Windows\System\ETDdFKw.exe

Filesize
5.7MB

MD5
edd891c831b29b59ea8a88c2cfd21b5a

SHA1
af0b5598159979c28caa9014b7f7e57ddfefb772

SHA256
c01e81fde2e8c1709d1772dc8d6bbab50f5ab2c57ec0badd04ab558f326d8b00

SHA512
0ce560f27096df787e83e8ea60c4e53d43c1f83bddce421d19ec3cd93d49bb7e8a13d1f73713c94d28b8183137dfd176b0ea41ea913ab8f1b6f3edb9b18678ff

Download Submit
C:\Windows\System\GGqXcSi.exe

Filesize
5.7MB

MD5
f26f04b5d53d7a7f8096ba76eb55d232

SHA1
c5656f0a0b8b8773e6a9c029538ddd24f94490d9

SHA256
d9d57d8e71708095a49e20641937b20cd571abb99c61cd3e99c82144f28743f2

SHA512
bc4335dcb0ef70f883ed43c6fb25fa0326075a7e14fa57f6225b13680749bb026ded0a43686ff7ccb4814207e1a9f5661835b7d87d32d84a92d2bcdff2185826

Download Submit
C:\Windows\System\GlYzSql.exe

Filesize
5.7MB

MD5
e6e30d6f0b8009449d7d6fef02fe3f02

SHA1
1b9868dd309ff820f67612a4a25787a1648d4452

SHA256
710ac95a2ec9b171221dd5785ae731cfddb7b8feb9279219df624297bdcb588f

SHA512
ba96f0e777dc3f9a5e7e9c926a3ec1f65741ccddc3119fbd150b2d84794813ae5f681fb92b7eb524dfb7f21afbe976c0b8eca4f8154101a8eadff9c6f0648ced

Download Submit
C:\Windows\System\HNvmiWw.exe

Filesize
5.7MB

MD5
b24126f52004c0a17c69bf2eda44b794

SHA1
e881c6b24c3ea466e283c10e0df662c3748b0f47

SHA256
1e640317bf8e6e90a77dc012f3e3a8cb9890b52e3febc524d8d8b23e47bb0d71

SHA512
a6beaafcf9e8a58b6fb243220fa723e8f0250bf531b2e071c42297d5d58c22987344b8726cb5dd819398c6de79292d84abbc8eeac6fca9448900d8d4deb0312f

Download Submit
C:\Windows\System\HeWFagv.exe

Filesize
5.7MB

MD5
e60d5693c402d78722e6caf5c3035395

SHA1
4856c4fccbdee898d5002922980c1c30394888dc

SHA256
df128a156dea0f397cacbe03ed43eb7ffdad297d65bb7d9670a5fc3c1602cb11

SHA512
56420c627ecb652f42cbaedf17b8be8d7627ab4bda0a1b6549777a9f01a3c88387d8a536c053815fef868af3b4c9a1784c704a2e64db0ffd7596d41a648e9fb8

Download Submit
C:\Windows\System\ISycLGy.exe

Filesize
5.7MB

MD5
188895cecd9446641364e56899e150fa

SHA1
61575259726fa279903106357f8497199dbaace8

SHA256
e493a18167f6f17d02bb9e33c3a72b717a2bf1e2f828ea344039a07d098730c9

SHA512
886379a7989731e40f257c77d0689f84a239d58195ef747b0008f86dbdb92a23fb59bf91a705cdc6b8dcfa5ef0c379b1da95f96798dd8d4bfe27ffda9774a787

Download Submit
C:\Windows\System\KivdPGM.exe

Filesize
5.7MB

MD5
1e023ee0f5820ebef27a0dbd213e2bb0

SHA1
c9e1f9525ba42cb95a9c71b5264206116b501223

SHA256
7a6550012bc10caaeab56912250c78ea02132dfc67c95b0cd37fd344c5aa4391

SHA512
c15b08bbf5ada6e3b7517fc653fb57acb775e218a2e5d16d7546da5fd3b179d57db772f273673c2ad80bd1004f42c3d29a5b1737c8f528adca13dcf77da82c17

Download Submit
C:\Windows\System\RqmIkqe.exe

Filesize
5.7MB

MD5
43989c49082445e48922741f3d1c6705

SHA1
62be7953179f912d98b0513f1b6e29364a0c671e

SHA256
70c1d0f9fedf4d657847eb0ae48a28f2b34dbaa02cb1a7b28f44580b01bc44e1

SHA512
438f8aa3e8cab77b0f650fbbe536057c054e54149a55bbb7b07f00588dddc89f1630dd6f203d7fe935a9091ee4baaec160b011160040e7e3b3f24f030951a150

Download Submit
C:\Windows\System\VVqSbQv.exe

Filesize
5.7MB

MD5
b49a371f28cdb201bfa5db2cd219d424

SHA1
4aa7dfb23e764cfce7e3d889af681eb52ce89f4d

SHA256
e7f4a312412a246d795e4f65587469dde79d1af7a97cf31264b0fb0e82b41065

SHA512
b3c474319ee82eb9dece2e59b0a1e15635515b6a379a747192f053801cf965e52f7adec758c56875d93e9759f633373001e685a064c6c8e4d6b701ddb6798a68

Download Submit
C:\Windows\System\bWXVUMa.exe

Filesize
5.7MB

MD5
f090e1a1a898e911336b4080deb9701c

SHA1
9df395175d72f50840bc562f820b3ea941ee21ec

SHA256
4a34feb46df4bb2add1eb9c6714bc2d7fe2cf063de3378e9da3de594a3f917e0

SHA512
dac4a3766edf643ad9812c3b2221ca6501e367dc065e34d60e04437a9b5ceeeb099cb69cc8a16d6c23d2599734596cc182ffd04407294c666191c0005714137a

Download Submit
C:\Windows\System\bvYlgBY.exe

Filesize
5.7MB

MD5
d9236a6bda14e0979f53c42a742a3cff

SHA1
55b753577657d04ed37b0ea96be1f24542d59c1e

SHA256
6488384ff49a9dd6c8bc05e1c97f3dc489d57444ed01a88a820a6b33469005b8

SHA512
1bc1a76f993ce7fb79e656b4610b162a79b5c61adfbf6845766f4881af731d5044d2a2efa2c696d69feb0185cd9af21dbc199e1cfae2e0483e54c14ce9d45318

Download Submit
C:\Windows\System\dwgbGzY.exe

Filesize
5.7MB

MD5
0ed86dd57d5e9cec7211c562eead5fd9

SHA1
ac249de653554001876b30f3b6f8ac1412798aa8

SHA256
62b8ca6259d14572f310698afd2e43f30e2e1411939dd2a89f03784049459916

SHA512
22aa2b4f8504108f9fbdb47c796f60cdc8d75a31c278d1929b6d4fe1ef5881301f9f7153149c461ad3ed255fa7559011d4f5929d41459be3b8dac55ac1be32e5

Download Submit
C:\Windows\System\izNpoXe.exe

Filesize
5.7MB

MD5
e71c3b4a7c672e4259a4152917c1f650

SHA1
5fe4462f3980032d9ec2ecd78da96e5ff3016df9

SHA256
f42017521bf0d12da9b100dcbbb6e96b7e7704d9374fc900d0229ac834db7c2f

SHA512
90f78498675aa8474773256aff5678a46d96348acdbadb8d81512eb8e78142cd80da0ae579e5a20deb8a0d212b7cd3db3603e642a69dc4ceb57d8824f6c767dc

Download Submit
C:\Windows\System\nftzDmZ.exe

Filesize
5.7MB

MD5
46938e603afd013a4ff1def54c78938b

SHA1
d20246c7b64b3da9e2c2a5a720e67d38c69bef92

SHA256
b43567beead137972ce8f65df842ae5551096a187b9fd4266d626819c9ba5d89

SHA512
0e522eca84ff8566e45863794eba48b8a6896f8bb4751ad22262c9571f754ad05d3a1395bb638509ccc5bc31b6549170d3b0e16a328625988cf508430995288f

Download Submit
C:\Windows\System\piTKFQb.exe

Filesize
5.7MB

MD5
450f0939577a0f89564426e12cec3882

SHA1
c929b4d1442d994588af4060f9b22b404474f9a9

SHA256
357a8933b2a52da268466d185143836b51b5ee9dfc446bf686703b8a14ce3c89

SHA512
7093620b1a965e69eeb33a3dd9a516138ded133a1791db9f2ca483910a8e995108fe6c47c0f45e572f7085012fec457df9dc3a1178d1bdb0088235b2e401ba1e

Download Submit
C:\Windows\System\rzIwRMH.exe

Filesize
5.7MB

MD5
00fd85c10f49c0db2acade2d2a3e2604

SHA1
1d1d1f811bbdc5c4c5906c5d175124a0b407f160

SHA256
93e65b8ee0eee528f4a169ff87ed44f88ee471c9fb243722d82e6458f18827d5

SHA512
a275970589e23f7cafc46a3bd0e22b7306364ba7acfef70db6ff4e45b31b0041f236de103b182906999e37e065408725451404999eabbe5fc188fc5c20d3bb3d

Download Submit
C:\Windows\System\sGSJGOe.exe

Filesize
5.7MB

MD5
3f7f3589e0e94997d5861614502e5225

SHA1
5ba3f55735291462ef3bc6fedc6aaf3c2955bcd3

SHA256
62460fb38703b46b080d009dcd1b8350df48fbb4ea9e25cd705f0111507de615

SHA512
a68b2dfcd2a36151df077e0930976006963313b05ae4f6422f9832e6922bc51a8e38d98a4f0e5e0c0c674d574579949bf4d8ed9293fbd90d14980fa498bf6a85

Download Submit
C:\Windows\System\tACPBjG.exe

Filesize
5.7MB

MD5
fef02164b1809cf2855e77043ac466d1

SHA1
273156d5611f4577c7f9e8c003cc5adeb57e90d7

SHA256
16a7f34ac98f64a0bea9094a5e6e4257e7f01479cfe8f429e9c7ab2b3e7061a8

SHA512
b9c6fc996f757e7780bd87dd648b99cddc9caa5e38b28eb134e74ca625dab1e3eba7ba66b7198c4eeb91840f4e8fa56f180a2ed340bab3590d6e2516f8f3960c

Download Submit
C:\Windows\System\ufxpnvA.exe

Filesize
5.7MB

MD5
42ffed73bbad32752519ee9909fac169

SHA1
fb5c556ecf17bd4f5e7bd2adc1d8417c3a90e0d8

SHA256
872e521bc2ca8bb8244786cfbe8ed56349394e81d0a676e8ccf3b702514226b0

SHA512
d7c4254d9b10cd4976f61c18d9d75222838b9e551cf3970770a176cb2ddeb2aa3b28f0f68d56b143e1ae84b8d94d0322c5e50cd10a8c10697675a0228de41bcb

Download Submit
C:\Windows\System\wSlsoBe.exe

Filesize
5.7MB

MD5
6069d051d274d4219923b777c4d5a56c

SHA1
3f2acfce88ef9e30c1d59e3238244b869844b64c

SHA256
8b40d210856757bba8057134e2ab9075ffb39b2100f478566f69e3090fda0aac

SHA512
69177dd9f29b3b55c61943c287386706fbde449c4e811b5d741887d7ac802b4be56cd55e9169221ce325a24d7a0d814795b191bbb08e66810357347c3cce73f6

Download Submit
memory/212-7-0x00007FF6C8B70000-0x00007FF6C8EBD000-memory.dmp

Filesize
3.3MB

Download
memory/1296-13-0x00007FF6DB640000-0x00007FF6DB98D000-memory.dmp

Filesize
3.3MB

Download
memory/1436-79-0x00007FF6354F0000-0x00007FF63583D000-memory.dmp

Filesize
3.3MB

Download
memory/2096-19-0x00007FF6272A0000-0x00007FF6275ED000-memory.dmp

Filesize
3.3MB

Download
memory/2140-61-0x00007FF6E03C0000-0x00007FF6E070D000-memory.dmp

Filesize
3.3MB

Download
memory/2284-55-0x00007FF7C2BE0000-0x00007FF7C2F2D000-memory.dmp

Filesize
3.3MB

Download
memory/3084-66-0x00007FF6B6850000-0x00007FF6B6B9D000-memory.dmp

Filesize
3.3MB

Download
memory/3128-121-0x00007FF63DD90000-0x00007FF63E0DD000-memory.dmp

Filesize
3.3MB

Download
memory/3352-42-0x00007FF6CB680000-0x00007FF6CB9CD000-memory.dmp

Filesize
3.3MB

Download
memory/3548-49-0x00007FF7018E0000-0x00007FF701C2D000-memory.dmp

Filesize
3.3MB

Download
memory/3748-31-0x00007FF789730000-0x00007FF789A7D000-memory.dmp

Filesize
3.3MB

Download
memory/3812-73-0x00007FF61DD60000-0x00007FF61E0AD000-memory.dmp

Filesize
3.3MB

Download
memory/4084-25-0x00007FF687820000-0x00007FF687B6D000-memory.dmp

Filesize
3.3MB

Download
memory/4188-39-0x00007FF7844B0000-0x00007FF7847FD000-memory.dmp

Filesize
3.3MB

Download
memory/4336-84-0x00007FF774EE0000-0x00007FF77522D000-memory.dmp

Filesize
3.3MB

Download
memory/4368-91-0x00007FF7DF020000-0x00007FF7DF36D000-memory.dmp

Filesize
3.3MB

Download
memory/4416-126-0x00007FF663A10000-0x00007FF663D5D000-memory.dmp

Filesize
3.3MB

Download
memory/4516-103-0x00007FF66CF30000-0x00007FF66D27D000-memory.dmp

Filesize
3.3MB

Download
memory/4520-97-0x00007FF6D3760000-0x00007FF6D3AAD000-memory.dmp

Filesize
3.3MB

Download
memory/4756-118-0x00007FF6718A0000-0x00007FF671BED000-memory.dmp

Filesize
3.3MB

Download
memory/4892-1-0x000001AF7A4E0000-0x000001AF7A4F0000-memory.dmp

Filesize
64KB

Download
memory/4892-0-0x00007FF675EE0000-0x00007FF67622D000-memory.dmp

Filesize
3.3MB

Download
memory/5112-109-0x00007FF7D2630000-0x00007FF7D297D000-memory.dmp

Filesize
3.3MB

Download