cobaltstrike | a51bd89927a55b4dc19fa90747f529b6a82f628161cdc9465afdc7b0d4489122

Analysis

max time kernel
136s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26/01/2025, 01:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.7MB
MD5

8313ad1f16568686f1320b0976939d41
SHA1

0323a7f3c9b4cf7e49de70f442f9242235550200
SHA256

a51bd89927a55b4dc19fa90747f529b6a82f628161cdc9465afdc7b0d4489122
SHA512

5ba2ee909ca2ebdd5dc7c6f92025f4a75b57617b54f0c37eda711fa3166c6b33a2dddfddff8ef1028146fb5e8ae0471f745c512db2d3b1bf7a14841c8af65d16
SSDEEP

98304:4emTLkNdfE0pZaJ56utgpPFotBER/mQ32lUw:j+R56utgpPF8u/7w

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x00080000000120f9-5.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016ab9-8.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016c56-15.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016c73-20.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016cc5-29.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016ce7-33.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016d2e-46.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016d1d-41.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016d36-48.dat	cobalt_reflective_dll
behavioral1/files/0x00090000000165a7-59.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000175e7-66.dat	cobalt_reflective_dll
behavioral1/files/0x001400000001866f-73.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018669-72.dat	cobalt_reflective_dll
behavioral1/files/0x0011000000018682-81.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018731-104.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001878c-121.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018742-111.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018781-117.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000186f8-99.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000186f2-93.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001868b-88.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 42 IoCs

miner

resource	yara_rule
behavioral1/memory/2020-0-0x000000013F2A0000-0x000000013F5ED000-memory.dmp	xmrig
behavioral1/files/0x00080000000120f9-5.dat	xmrig
behavioral1/memory/2224-7-0x000000013FCE0000-0x000000014002D000-memory.dmp	xmrig
behavioral1/files/0x0008000000016ab9-8.dat	xmrig
behavioral1/memory/2088-13-0x000000013FB20000-0x000000013FE6D000-memory.dmp	xmrig
behavioral1/files/0x0008000000016c56-15.dat	xmrig
behavioral1/files/0x0008000000016c73-20.dat	xmrig
behavioral1/memory/2380-25-0x000000013FBE0000-0x000000013FF2D000-memory.dmp	xmrig
behavioral1/memory/2404-19-0x000000013F1C0000-0x000000013F50D000-memory.dmp	xmrig
behavioral1/files/0x0007000000016cc5-29.dat	xmrig
behavioral1/files/0x0007000000016ce7-33.dat	xmrig
behavioral1/memory/2724-35-0x000000013F960000-0x000000013FCAD000-memory.dmp	xmrig
behavioral1/memory/3016-37-0x000000013F080000-0x000000013F3CD000-memory.dmp	xmrig
behavioral1/files/0x0008000000016d2e-46.dat	xmrig
behavioral1/files/0x0007000000016d1d-41.dat	xmrig
behavioral1/memory/2836-50-0x000000013FFF0000-0x000000014033D000-memory.dmp	xmrig
behavioral1/files/0x0008000000016d36-48.dat	xmrig
behavioral1/memory/2720-47-0x000000013F240000-0x000000013F58D000-memory.dmp	xmrig
behavioral1/memory/2432-55-0x000000013FDB0000-0x00000001400FD000-memory.dmp	xmrig
behavioral1/files/0x00090000000165a7-59.dat	xmrig
behavioral1/files/0x00060000000175e7-66.dat	xmrig
behavioral1/memory/2832-61-0x000000013F780000-0x000000013FACD000-memory.dmp	xmrig
behavioral1/files/0x001400000001866f-73.dat	xmrig
behavioral1/files/0x0006000000018669-72.dat	xmrig
behavioral1/memory/2844-67-0x000000013F6A0000-0x000000013F9ED000-memory.dmp	xmrig
behavioral1/files/0x0011000000018682-81.dat	xmrig
behavioral1/files/0x0005000000018731-104.dat	xmrig
behavioral1/files/0x000500000001878c-121.dat	xmrig
behavioral1/memory/2916-124-0x000000013FD10000-0x000000014005D000-memory.dmp	xmrig
behavioral1/memory/840-119-0x000000013FB70000-0x000000013FEBD000-memory.dmp	xmrig
behavioral1/memory/1432-113-0x000000013F930000-0x000000013FC7D000-memory.dmp	xmrig
behavioral1/files/0x0005000000018742-111.dat	xmrig
behavioral1/files/0x0005000000018781-117.dat	xmrig
behavioral1/memory/2888-101-0x000000013F3F0000-0x000000013F73D000-memory.dmp	xmrig
behavioral1/files/0x00050000000186f8-99.dat	xmrig
behavioral1/memory/1956-107-0x000000013FA70000-0x000000013FDBD000-memory.dmp	xmrig
behavioral1/memory/2884-95-0x000000013FF80000-0x00000001402CD000-memory.dmp	xmrig
behavioral1/files/0x00050000000186f2-93.dat	xmrig
behavioral1/memory/644-89-0x000000013F7B0000-0x000000013FAFD000-memory.dmp	xmrig
behavioral1/files/0x000500000001868b-88.dat	xmrig
behavioral1/memory/1908-86-0x000000013FF90000-0x00000001402DD000-memory.dmp	xmrig
behavioral1/memory/2716-126-0x000000013FFD0000-0x000000014031D000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2224	icUByoH.exe
2088	luYglKX.exe
2404	JuYInsu.exe
2380	DcMpqAx.exe
3016	XpnqxGc.exe
2724	QcARdja.exe
2836	BZjyVVA.exe
2720	TTmdsIE.exe
2432	VFAwZVQ.exe
2832	hrHjvaN.exe
2844	TmcqyHC.exe
2012	RDtBLTO.exe
2716	zTqtZWm.exe
1908	wIGrcjO.exe
644	eWMzoje.exe
2884	uVasqpe.exe
2888	UMKCVXD.exe
1956	AsuueJH.exe
1432	PFJJQmX.exe
840	ZViQVHk.exe
2916	ROhKtkX.exe

Loads dropped DLL 21 IoCs

pid	Process
2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe
2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe
2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe
2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe
2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe
2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe
2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe
2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe
2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe
2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe
2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe
2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe
2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe
2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe
2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe
2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe
2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe
2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe
2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe
2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe
2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\XpnqxGc.exe	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BZjyVVA.exe	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wIGrcjO.exe	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uVasqpe.exe	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\icUByoH.exe	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RDtBLTO.exe	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UMKCVXD.exe	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZViQVHk.exe	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\luYglKX.exe	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TTmdsIE.exe	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zTqtZWm.exe	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PFJJQmX.exe	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ROhKtkX.exe	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AsuueJH.exe	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JuYInsu.exe	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DcMpqAx.exe	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QcARdja.exe	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VFAwZVQ.exe	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hrHjvaN.exe	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TmcqyHC.exe	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eWMzoje.exe	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 2224	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2020 wrote to memory of 2224	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2020 wrote to memory of 2224	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2020 wrote to memory of 2088	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2020 wrote to memory of 2088	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2020 wrote to memory of 2088	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2020 wrote to memory of 2404	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2020 wrote to memory of 2404	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2020 wrote to memory of 2404	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2020 wrote to memory of 2380	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2020 wrote to memory of 2380	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2020 wrote to memory of 2380	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2020 wrote to memory of 3016	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2020 wrote to memory of 3016	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2020 wrote to memory of 3016	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2020 wrote to memory of 2724	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2020 wrote to memory of 2724	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2020 wrote to memory of 2724	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2020 wrote to memory of 2836	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2020 wrote to memory of 2836	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2020 wrote to memory of 2836	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2020 wrote to memory of 2720	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2020 wrote to memory of 2720	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2020 wrote to memory of 2720	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2020 wrote to memory of 2432	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2020 wrote to memory of 2432	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2020 wrote to memory of 2432	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2020 wrote to memory of 2832	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2020 wrote to memory of 2832	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2020 wrote to memory of 2832	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2020 wrote to memory of 2844	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2020 wrote to memory of 2844	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2020 wrote to memory of 2844	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2020 wrote to memory of 2012	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2020 wrote to memory of 2012	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2020 wrote to memory of 2012	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2020 wrote to memory of 1908	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2020 wrote to memory of 1908	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2020 wrote to memory of 1908	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2020 wrote to memory of 2716	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2020 wrote to memory of 2716	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2020 wrote to memory of 2716	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2020 wrote to memory of 644	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2020 wrote to memory of 644	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2020 wrote to memory of 644	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2020 wrote to memory of 2884	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2020 wrote to memory of 2884	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2020 wrote to memory of 2884	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2020 wrote to memory of 2888	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2020 wrote to memory of 2888	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2020 wrote to memory of 2888	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2020 wrote to memory of 1956	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2020 wrote to memory of 1956	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2020 wrote to memory of 1956	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2020 wrote to memory of 1432	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2020 wrote to memory of 1432	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2020 wrote to memory of 1432	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2020 wrote to memory of 840	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2020 wrote to memory of 840	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2020 wrote to memory of 840	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2020 wrote to memory of 2916	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2020 wrote to memory of 2916	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2020 wrote to memory of 2916	2020	2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe	51

C:\Users\Admin\AppData\Local\Temp\2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-26_8313ad1f16568686f1320b0976939d41_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\System\icUByoH.exe
  C:\Windows\System\icUByoH.exe
  2⤵
  - Executes dropped EXE
  PID:2224
- C:\Windows\System\luYglKX.exe
  C:\Windows\System\luYglKX.exe
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Windows\System\JuYInsu.exe
  C:\Windows\System\JuYInsu.exe
  2⤵
  - Executes dropped EXE
  PID:2404
- C:\Windows\System\DcMpqAx.exe
  C:\Windows\System\DcMpqAx.exe
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\System\XpnqxGc.exe
  C:\Windows\System\XpnqxGc.exe
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Windows\System\QcARdja.exe
  C:\Windows\System\QcARdja.exe
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\System\BZjyVVA.exe
  C:\Windows\System\BZjyVVA.exe
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Windows\System\TTmdsIE.exe
  C:\Windows\System\TTmdsIE.exe
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Windows\System\VFAwZVQ.exe
  C:\Windows\System\VFAwZVQ.exe
  2⤵
  - Executes dropped EXE
  PID:2432
- C:\Windows\System\hrHjvaN.exe
  C:\Windows\System\hrHjvaN.exe
  2⤵
  - Executes dropped EXE
  PID:2832
- C:\Windows\System\TmcqyHC.exe
  C:\Windows\System\TmcqyHC.exe
  2⤵
  - Executes dropped EXE
  PID:2844
- C:\Windows\System\RDtBLTO.exe
  C:\Windows\System\RDtBLTO.exe
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Windows\System\wIGrcjO.exe
  C:\Windows\System\wIGrcjO.exe
  2⤵
  - Executes dropped EXE
  PID:1908
- C:\Windows\System\zTqtZWm.exe
  C:\Windows\System\zTqtZWm.exe
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\System\eWMzoje.exe
  C:\Windows\System\eWMzoje.exe
  2⤵
  - Executes dropped EXE
  PID:644
- C:\Windows\System\uVasqpe.exe
  C:\Windows\System\uVasqpe.exe
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\System\UMKCVXD.exe
  C:\Windows\System\UMKCVXD.exe
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\System\AsuueJH.exe
  C:\Windows\System\AsuueJH.exe
  2⤵
  - Executes dropped EXE
  PID:1956
- C:\Windows\System\PFJJQmX.exe
  C:\Windows\System\PFJJQmX.exe
  2⤵
  - Executes dropped EXE
  PID:1432
- C:\Windows\System\ZViQVHk.exe
  C:\Windows\System\ZViQVHk.exe
  2⤵
  - Executes dropped EXE
  PID:840
- C:\Windows\System\ROhKtkX.exe
  C:\Windows\System\ROhKtkX.exe
  2⤵
  - Executes dropped EXE
  PID:2916

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\AsuueJH.exe

Filesize
5.7MB

MD5
0bfc322e93ebadb3a2bbd62425f6fa17

SHA1
050595c60b82f065a824469acfdda5a7d8af559f

SHA256
13aa6d84dd66f207e8497f794106b1d52b4cbabe37d4286bc7952e273517525e

SHA512
b1c7635732eabcd0ecf98d824827d2fef86390a5f605141c858048f671f3082d3d6aaba7ab615d641778f5cbf1017acb9c91543e93039237a8fd1ecbc837df6f

Download Submit
C:\Windows\system\BZjyVVA.exe

Filesize
5.7MB

MD5
6b5d9a7f0a267709b5ccf41e062e4bdf

SHA1
83ccf81e52cd205300ef67633a20f243e0fe42cb

SHA256
e3b4892b6fdefb932a885ec385b0f522916771defb73d0c948ea49ed9ffe4193

SHA512
2bee8519228c2dd94c615d62e9e3ca3707f05cc63c9ad85d1de6270f1b1df4b43930c5c9f611731e4034754f15ffa6920b40c6078bc9ba79ea383938dec5aa1d

Download Submit
C:\Windows\system\PFJJQmX.exe

Filesize
5.7MB

MD5
6819019d3ef5b8c01e7f86a21b2b7770

SHA1
fcc5d5b2b994bec492b2fd290100f92737eeadb6

SHA256
13ce8af035c4f06a066980782b4d5fe0a0ce19ce75e6b69243790e2fed8bb637

SHA512
6d86e7aba4798e54fb7c60b22916c74e7c9845e7c0a7e2715932a6b446b6973f26bb6a3d0b8006044ab79ee1c3cc92a196dc054a4a81406fa9d7b6ca278ef0dc

Download Submit
C:\Windows\system\QcARdja.exe

Filesize
5.7MB

MD5
39027ce341d1d2635ab59cb7807e9ded

SHA1
db739c22e65fb914a84a91fe206733ac3bb8454f

SHA256
5e2507c471bf4b555c01fbf7603fb4e2fac66fb1e193d55af552a47e7983cf27

SHA512
7f422fc23844721e05020c2a32a5de41c99af890c74add28fa3398b6216cd8044ad96af10dc218700c5843c116b5cc4b8c23a5a0cd4dc1aa8f77ff6b2a862785

Download Submit
C:\Windows\system\RDtBLTO.exe

Filesize
5.7MB

MD5
7810a91012bf6d8c6d586c9c4518176c

SHA1
90e97e7117f4b401c63dc20c82143ae96fe66202

SHA256
f2f0cff6aaa5b2e1d247a0e7edae14d839827426d0d396c5fe3dd564f9a8b59b

SHA512
68b69306c8bef4e8c7869f0de00a61603c09038b19c4cf9dea827b0b2aa6360829cab7e24579725df8ed2af8c57fb9005f0ee095bd11a05db91f59ca7c5170e3

Download Submit
C:\Windows\system\TTmdsIE.exe

Filesize
5.7MB

MD5
8143895e3fe397d4bc3e047c64be5e00

SHA1
fd255bc8b9ab26c992e0e205a298a82bc4f9cbbd

SHA256
cf90f1861db7cb709b6077629385889091c7c3d7baa857ce641992fc06c81de4

SHA512
11a74eb0afa9185cdc0611dc223a5e5d421e49f0a92c9c104058be457aef1f46e6c71d8ecf7625a96cf6cd6bdcd45de67971d6a44c822b32d12e40aea1a5d2cf

Download Submit
C:\Windows\system\TmcqyHC.exe

Filesize
5.7MB

MD5
ae082a17aad4f7aa4cb1f6c748730973

SHA1
a1a7d0e2234726f6620e68338995efdeaea127ae

SHA256
96629312983c214e9c46092928fc6b175bd68bb52a926dda731498352c9502ad

SHA512
fa17777c5dff8bca8e08fc229ae7249f97836f22ec89c4ba572f94ff1ffd287af1ad62ababe81e70fa9b9fe439d8e7f50bfc92c168044ec0c72b03a721a1d518

Download Submit
C:\Windows\system\UMKCVXD.exe

Filesize
5.7MB

MD5
cfa9731f842ebf90cb56dafae694ad44

SHA1
5ceeb27c72b6ff7499768b30a101065aa0770af6

SHA256
b1ec31ec29fe8bcc43f0d5258d7ece1c54f57f5734e1ebbfd31c567337e57d5f

SHA512
7c0012338a3da767f09c33a352672491e013dd9fe76373855a0b74e3911e3cd7961193f02cef8c858d8b7562c490687d3167361335987ab985b425655dfdde30

Download Submit
C:\Windows\system\XpnqxGc.exe

Filesize
5.7MB

MD5
6a5c6367828e9e1bf6e05e0d5a1e4d14

SHA1
2e2233ebf128151c3be5f758d8c84b8f976195ae

SHA256
e00f7025af5b0700424bb4d771a3c53966d53f9c91a84a3f9f451a8978bed06c

SHA512
96f6658357c6f78ca91a1f5e72fbc2f34f79b50fc0f3a3a2a52305e31e47ba6182eb3b49edddc171a28a692065097a8497ab1d2048d4e70b20ccd13cae388fe9

Download Submit
C:\Windows\system\ZViQVHk.exe

Filesize
5.7MB

MD5
4252a3318bb58c3c988d8587c03541d6

SHA1
e5cbc38bae00efe9523b5718aedac123f04ac2f1

SHA256
6606ffe73cceb7da0ca423983cda5e45254eb59105ee152dadd2cfc23e22bc6c

SHA512
5ee48a6599ec956c0efe8eb93b9540006e3f8aaf75f6622801e7b0ab8833cde828665637faf15dde62fa60111950b08256db9390f1e6e96263e2ad5c1531059f

Download Submit
C:\Windows\system\eWMzoje.exe

Filesize
5.7MB

MD5
fcd88ce0f6aee6ec66e0a22afa618777

SHA1
f63563d0d78c4bae4faf228f37da2a002dfe7ff2

SHA256
a6d034c043895e6b1923410dfa50ed3b46a7e1fc9017d7a5022c5aa2df995c55

SHA512
02919a643dadccdde75ba36e02587f53946afa0bea135dc5aa37bd50b1c785497a7e0eea5987763445d6a5021710826fd3d86a2bacc76512c569d5542bcc51e4

Download Submit
C:\Windows\system\hrHjvaN.exe

Filesize
5.7MB

MD5
a70ea8372d7d6c93c510e719c540197e

SHA1
b7aeec589e3450a47150942276d93a8ad7f7a24f

SHA256
6043e70e17dae8f5aaee1bafca4b7f99ea44e373feca69a1758bfa4ac5576f29

SHA512
5f9d14e9172171a1f4c33ba2d1bd08bb8087951b0c2f2d8841872409b6cda7cb549bb19960f6ea445c11fcb1205a8efe44bb09e076e27944cb2b1bf393a02ba6

Download Submit
C:\Windows\system\icUByoH.exe

Filesize
5.7MB

MD5
f90135f81e3ecb8d21ac97cf16e51704

SHA1
6c07f094ffdaad6e7c8fd338f34549eb9c5d1ba7

SHA256
c6c51b9be336304b261b128304119afb029f81c37981d008eccd108150e32f16

SHA512
93030dc34a90cba3d3ab02232430f6fb75a21468a2589ddf797915545d5a5788aa15853e8cafeb832b9205b27dfb08d33d890125810fbd6457f75ba30a568417

Download Submit
C:\Windows\system\uVasqpe.exe

Filesize
5.7MB

MD5
619f9821f0c971c20af40b645b88997b

SHA1
75805c046db2d83358b6d206441e3534d7dd6da9

SHA256
faefc19430ef239d6be9b41b5b928f0463ffaa2da185e0e5058156eda0a48597

SHA512
7a90b378faef0bf5882418fb9f0e1491b86969cecc0fd5bc68c367ed880c93f26eca936635197e9e3128aad23e0759a66c76056c968b1b2878615c5d1b7ff2f8

Download Submit
C:\Windows\system\zTqtZWm.exe

Filesize
5.7MB

MD5
c88e45f60892c34f16c2569915fbe836

SHA1
5ee2656a4f0c1b61e3127a891808510f84e022b7

SHA256
3903a965da67641be56166227047cbc6050b60157451ed11249cc95f80979afe

SHA512
966fa980645762ff94a93ecedcfdbee49d824bd40737dde7dff260049a23d1024eb4f328d4cc5be13cb8a41913211ddb6c821ce280deaca2bda1d06c0421bbaa

Download Submit
\Windows\system\DcMpqAx.exe

Filesize
5.7MB

MD5
8ff6ab00474604e5058b4441dbdac4bc

SHA1
6104145ad9281f936861ca3a7add64885a6ece9f

SHA256
c0edf29ef6f24fd47f7356233cfd9d7f1a786e5ce21e3dbfb77f80f777d0192b

SHA512
68a9d5c3261363633f9bb246329e5965353cd76253cb93a9424278f38ff16ce8b798bbf0cd6ce3d287082a92e4750477ce541ccd515f12a453132425ff1f9009

Download Submit
\Windows\system\JuYInsu.exe

Filesize
5.7MB

MD5
682863d1633d4a98e87e43be0fdfdfaa

SHA1
8b6d5e28675a035669b04a12d0aa35c40c1e86ec

SHA256
e53c216a00e94b19c1d1a117f84c5e99673b82e10eaa91f6b3606531ea51fb53

SHA512
7c5f8a0ed01a173b4f332972c85125d31d208589ac3dfc100ec94bd0ee21013a987df9e8a42f867a8c8f3f0e2eba8116386c9f79182655d5ebd148b56e3c112c

Download Submit
\Windows\system\ROhKtkX.exe

Filesize
5.7MB

MD5
e3b587a8dedf396a8dff7a10642fcb61

SHA1
219b23a4f11577aaed9a639a51c04fe4c90b5173

SHA256
20588193c6e6b0771ed2f87f4dd988b899c4cd5d62623fc1309faa59cbbc1609

SHA512
47020c9a16ec07e3ebe9d27e7771e42870e5680092df5aeaa0de33178cb3c5f7c8afa3226bd9878f1b0a7f23abfb9b4e98782d899604bb9aa222001bd50ca4e0

Download Submit
\Windows\system\VFAwZVQ.exe

Filesize
5.7MB

MD5
af0b3b21c4d747bd14f99acdb2dfc9d0

SHA1
ce5396d3e26fe48912718ae5aff154e61b1920fb

SHA256
dfb90207cadcb67db0531abb35d7d1d63f022812b1cea3d4a4e601e0a5345a39

SHA512
c8b05d38ad6aa1890446404c2d9285dd5367d33cfe899e52e89bfa17ac74484977ba4332d560e32085b75d041887d3883c5eee291b0068c8802975bd9f788216

Download Submit
\Windows\system\luYglKX.exe

Filesize
5.7MB

MD5
d245b06ae5d536ceffbccd8c7f4f59db

SHA1
07bef10faf5fb30e4d350f2ccedfadc6e151f721

SHA256
6f16aa11b5d3df7280e67f0275fa43697e632ce1eb55fce1c2a6c1f96b7fb4c5

SHA512
e2fc5c282437168ee3ccc95033b04da1dc9b50df2cb575527653057bbb4157a11c9d72b8fa6288aa80fd5e78d6ac26ef0e4c7907f356a2fe5b683439529294ba

Download Submit
\Windows\system\wIGrcjO.exe

Filesize
5.7MB

MD5
cc4f93a3871dcb26a6d19e13f34af420

SHA1
5b34441be518cd06652431e3a9212e2dd71ba0fb

SHA256
529956c34ee24ee92d826319028defb6ce618505884ca7403d632c7d908860c6

SHA512
5dc643524572bbe3b8fb8a939fa7131944c1890060a42217ad2ea605a88f2069b34b1b110f17de551eeecb39398a2e3169e09268275a53c1de249a828a5ab8ce

Download Submit
memory/644-89-0x000000013F7B0000-0x000000013FAFD000-memory.dmp

Filesize
3.3MB

Download
memory/840-119-0x000000013FB70000-0x000000013FEBD000-memory.dmp

Filesize
3.3MB

Download
memory/1432-113-0x000000013F930000-0x000000013FC7D000-memory.dmp

Filesize
3.3MB

Download
memory/1908-86-0x000000013FF90000-0x00000001402DD000-memory.dmp

Filesize
3.3MB

Download
memory/1956-107-0x000000013FA70000-0x000000013FDBD000-memory.dmp

Filesize
3.3MB

Download
memory/2020-1-0x0000000000180000-0x0000000000190000-memory.dmp

Filesize
64KB

Download
memory/2020-0-0x000000013F2A0000-0x000000013F5ED000-memory.dmp

Filesize
3.3MB

Download
memory/2088-13-0x000000013FB20000-0x000000013FE6D000-memory.dmp

Filesize
3.3MB

Download
memory/2224-7-0x000000013FCE0000-0x000000014002D000-memory.dmp

Filesize
3.3MB

Download
memory/2380-25-0x000000013FBE0000-0x000000013FF2D000-memory.dmp

Filesize
3.3MB

Download
memory/2404-19-0x000000013F1C0000-0x000000013F50D000-memory.dmp

Filesize
3.3MB

Download
memory/2432-55-0x000000013FDB0000-0x00000001400FD000-memory.dmp

Filesize
3.3MB

Download
memory/2716-126-0x000000013FFD0000-0x000000014031D000-memory.dmp

Filesize
3.3MB

Download
memory/2720-47-0x000000013F240000-0x000000013F58D000-memory.dmp

Filesize
3.3MB

Download
memory/2724-35-0x000000013F960000-0x000000013FCAD000-memory.dmp

Filesize
3.3MB

Download
memory/2832-61-0x000000013F780000-0x000000013FACD000-memory.dmp

Filesize
3.3MB

Download
memory/2836-50-0x000000013FFF0000-0x000000014033D000-memory.dmp

Filesize
3.3MB

Download
memory/2844-67-0x000000013F6A0000-0x000000013F9ED000-memory.dmp

Filesize
3.3MB

Download
memory/2884-95-0x000000013FF80000-0x00000001402CD000-memory.dmp

Filesize
3.3MB

Download
memory/2888-101-0x000000013F3F0000-0x000000013F73D000-memory.dmp

Filesize
3.3MB

Download
memory/2916-124-0x000000013FD10000-0x000000014005D000-memory.dmp

Filesize
3.3MB

Download
memory/3016-37-0x000000013F080000-0x000000013F3CD000-memory.dmp

Filesize
3.3MB

Download