cobaltstrike | 77f5872bf8bec8776942b47f8d14bf4120731cae6b580525fc1f0836ec61682e

Analysis

max time kernel
139s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2025 18:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.7MB
MD5

ad36f9b84524a06fdacaeed214806c8a
SHA1

85ec3f874ac7380511c9a46b45d20e2718f6b686
SHA256

77f5872bf8bec8776942b47f8d14bf4120731cae6b580525fc1f0836ec61682e
SHA512

bfe5bb92d56f5bb6a666ce9f376418679ca65914e2067dc60efd5f4b2ac83a656258cd493180fcbf201f1a8c89721164b09da1430a539a00702675ada1ce5219
SSDEEP

98304:4emTLkNdfE0pZaJ56utgpPFotBER/mQ32lUA:j+R56utgpPF8u/7A

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023b97-6.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9b-12.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9c-11.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9d-23.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9e-29.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9f-35.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023ba1-47.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023ba2-50.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023bb1-64.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bbf-70.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023bc5-96.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bc1-93.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bc0-90.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bba-81.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023baa-60.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b98-41.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bc7-100.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bca-107.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bcb-113.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bcc-120.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bcd-125.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 43 IoCs

miner

resource	yara_rule
behavioral2/memory/804-0-0x00007FF74AA20000-0x00007FF74AD6D000-memory.dmp	xmrig
behavioral2/files/0x000c000000023b97-6.dat	xmrig
behavioral2/memory/4180-7-0x00007FF7DAB50000-0x00007FF7DAE9D000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b9b-12.dat	xmrig
behavioral2/files/0x000a000000023b9c-11.dat	xmrig
behavioral2/memory/4948-13-0x00007FF7812B0000-0x00007FF7815FD000-memory.dmp	xmrig
behavioral2/memory/2376-19-0x00007FF716350000-0x00007FF71669D000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b9d-23.dat	xmrig
behavioral2/memory/3288-25-0x00007FF6169E0000-0x00007FF616D2D000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b9e-29.dat	xmrig
behavioral2/memory/4016-31-0x00007FF79D4E0000-0x00007FF79D82D000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b9f-35.dat	xmrig
behavioral2/memory/2916-37-0x00007FF6607D0000-0x00007FF660B1D000-memory.dmp	xmrig
behavioral2/files/0x000b000000023ba1-47.dat	xmrig
behavioral2/files/0x000b000000023ba2-50.dat	xmrig
behavioral2/files/0x000e000000023bb1-64.dat	xmrig
behavioral2/files/0x0009000000023bbf-70.dat	xmrig
behavioral2/memory/2472-91-0x00007FF6CC570000-0x00007FF6CC8BD000-memory.dmp	xmrig
behavioral2/memory/4932-97-0x00007FF680F60000-0x00007FF6812AD000-memory.dmp	xmrig
behavioral2/files/0x000e000000023bc5-96.dat	xmrig
behavioral2/memory/936-94-0x00007FF622480000-0x00007FF6227CD000-memory.dmp	xmrig
behavioral2/files/0x0009000000023bc1-93.dat	xmrig
behavioral2/files/0x0009000000023bc0-90.dat	xmrig
behavioral2/memory/1420-86-0x00007FF6D2E80000-0x00007FF6D31CD000-memory.dmp	xmrig
behavioral2/memory/3384-82-0x00007FF661640000-0x00007FF66198D000-memory.dmp	xmrig
behavioral2/files/0x0008000000023bba-81.dat	xmrig
behavioral2/memory/4496-79-0x00007FF738870000-0x00007FF738BBD000-memory.dmp	xmrig
behavioral2/memory/2620-61-0x00007FF7B0D20000-0x00007FF7B106D000-memory.dmp	xmrig
behavioral2/files/0x000a000000023baa-60.dat	xmrig
behavioral2/memory/2876-58-0x00007FF75C9F0000-0x00007FF75CD3D000-memory.dmp	xmrig
behavioral2/memory/3884-52-0x00007FF79FD10000-0x00007FF7A005D000-memory.dmp	xmrig
behavioral2/memory/1820-43-0x00007FF73EBD0000-0x00007FF73EF1D000-memory.dmp	xmrig
behavioral2/files/0x000b000000023b98-41.dat	xmrig
behavioral2/files/0x0008000000023bc7-100.dat	xmrig
behavioral2/files/0x0008000000023bca-107.dat	xmrig
behavioral2/memory/3380-115-0x00007FF7C8DD0000-0x00007FF7C911D000-memory.dmp	xmrig
behavioral2/files/0x0008000000023bcb-113.dat	xmrig
behavioral2/memory/4644-121-0x00007FF6A4040000-0x00007FF6A438D000-memory.dmp	xmrig
behavioral2/files/0x0008000000023bcc-120.dat	xmrig
behavioral2/memory/2648-109-0x00007FF6612C0000-0x00007FF66160D000-memory.dmp	xmrig
behavioral2/memory/5040-103-0x00007FF6FA6A0000-0x00007FF6FA9ED000-memory.dmp	xmrig
behavioral2/files/0x0008000000023bcd-125.dat	xmrig
behavioral2/memory/2856-126-0x00007FF65EF90000-0x00007FF65F2DD000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4180	UFnAJoY.exe
4948	uvVwmXf.exe
2376	uHRGXgU.exe
3288	dmDHyJn.exe
4016	Cartrdx.exe
2916	PJfpMRr.exe
1820	zIzxiyP.exe
3884	RnZdKXC.exe
2876	XgvEQkl.exe
2620	XAkRxAa.exe
4496	RKBGWti.exe
3384	OprCRQT.exe
1420	XQVdjBa.exe
2472	CEurtCj.exe
936	FHlmVIz.exe
4932	rpkawHG.exe
5040	AWfdYin.exe
2648	cmGiMwq.exe
3380	UphYVvb.exe
4644	dZKREMS.exe
2856	PjMTGAv.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\RnZdKXC.exe	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RKBGWti.exe	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CEurtCj.exe	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rpkawHG.exe	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zIzxiyP.exe	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XgvEQkl.exe	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UphYVvb.exe	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UFnAJoY.exe	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PJfpMRr.exe	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XAkRxAa.exe	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OprCRQT.exe	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FHlmVIz.exe	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PjMTGAv.exe	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dZKREMS.exe	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uvVwmXf.exe	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uHRGXgU.exe	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dmDHyJn.exe	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Cartrdx.exe	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XQVdjBa.exe	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AWfdYin.exe	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cmGiMwq.exe	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	804	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	804	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 804 wrote to memory of 4180	804	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 804 wrote to memory of 4180	804	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 804 wrote to memory of 4948	804	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 804 wrote to memory of 4948	804	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 804 wrote to memory of 2376	804	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 804 wrote to memory of 2376	804	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 804 wrote to memory of 3288	804	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 804 wrote to memory of 3288	804	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 804 wrote to memory of 4016	804	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 804 wrote to memory of 4016	804	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 804 wrote to memory of 2916	804	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 804 wrote to memory of 2916	804	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 804 wrote to memory of 1820	804	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 804 wrote to memory of 1820	804	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 804 wrote to memory of 3884	804	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 804 wrote to memory of 3884	804	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 804 wrote to memory of 2876	804	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 804 wrote to memory of 2876	804	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 804 wrote to memory of 2620	804	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 804 wrote to memory of 2620	804	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 804 wrote to memory of 4496	804	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 804 wrote to memory of 4496	804	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 804 wrote to memory of 3384	804	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 804 wrote to memory of 3384	804	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 804 wrote to memory of 1420	804	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 804 wrote to memory of 1420	804	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 804 wrote to memory of 2472	804	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 804 wrote to memory of 2472	804	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 804 wrote to memory of 936	804	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 804 wrote to memory of 936	804	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 804 wrote to memory of 4932	804	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 804 wrote to memory of 4932	804	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 804 wrote to memory of 5040	804	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 804 wrote to memory of 5040	804	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 804 wrote to memory of 2648	804	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 804 wrote to memory of 2648	804	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 804 wrote to memory of 3380	804	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 804 wrote to memory of 3380	804	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 804 wrote to memory of 4644	804	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 804 wrote to memory of 4644	804	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 804 wrote to memory of 2856	804	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 804 wrote to memory of 2856	804	2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-27_ad36f9b84524a06fdacaeed214806c8a_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:804
- C:\Windows\System\UFnAJoY.exe
  C:\Windows\System\UFnAJoY.exe
  2⤵
  - Executes dropped EXE
  PID:4180
- C:\Windows\System\uvVwmXf.exe
  C:\Windows\System\uvVwmXf.exe
  2⤵
  - Executes dropped EXE
  PID:4948
- C:\Windows\System\uHRGXgU.exe
  C:\Windows\System\uHRGXgU.exe
  2⤵
  - Executes dropped EXE
  PID:2376
- C:\Windows\System\dmDHyJn.exe
  C:\Windows\System\dmDHyJn.exe
  2⤵
  - Executes dropped EXE
  PID:3288
- C:\Windows\System\Cartrdx.exe
  C:\Windows\System\Cartrdx.exe
  2⤵
  - Executes dropped EXE
  PID:4016
- C:\Windows\System\PJfpMRr.exe
  C:\Windows\System\PJfpMRr.exe
  2⤵
  - Executes dropped EXE
  PID:2916
- C:\Windows\System\zIzxiyP.exe
  C:\Windows\System\zIzxiyP.exe
  2⤵
  - Executes dropped EXE
  PID:1820
- C:\Windows\System\RnZdKXC.exe
  C:\Windows\System\RnZdKXC.exe
  2⤵
  - Executes dropped EXE
  PID:3884
- C:\Windows\System\XgvEQkl.exe
  C:\Windows\System\XgvEQkl.exe
  2⤵
  - Executes dropped EXE
  PID:2876
- C:\Windows\System\XAkRxAa.exe
  C:\Windows\System\XAkRxAa.exe
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\System\RKBGWti.exe
  C:\Windows\System\RKBGWti.exe
  2⤵
  - Executes dropped EXE
  PID:4496
- C:\Windows\System\OprCRQT.exe
  C:\Windows\System\OprCRQT.exe
  2⤵
  - Executes dropped EXE
  PID:3384
- C:\Windows\System\XQVdjBa.exe
  C:\Windows\System\XQVdjBa.exe
  2⤵
  - Executes dropped EXE
  PID:1420
- C:\Windows\System\CEurtCj.exe
  C:\Windows\System\CEurtCj.exe
  2⤵
  - Executes dropped EXE
  PID:2472
- C:\Windows\System\FHlmVIz.exe
  C:\Windows\System\FHlmVIz.exe
  2⤵
  - Executes dropped EXE
  PID:936
- C:\Windows\System\rpkawHG.exe
  C:\Windows\System\rpkawHG.exe
  2⤵
  - Executes dropped EXE
  PID:4932
- C:\Windows\System\AWfdYin.exe
  C:\Windows\System\AWfdYin.exe
  2⤵
  - Executes dropped EXE
  PID:5040
- C:\Windows\System\cmGiMwq.exe
  C:\Windows\System\cmGiMwq.exe
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Windows\System\UphYVvb.exe
  C:\Windows\System\UphYVvb.exe
  2⤵
  - Executes dropped EXE
  PID:3380
- C:\Windows\System\dZKREMS.exe
  C:\Windows\System\dZKREMS.exe
  2⤵
  - Executes dropped EXE
  PID:4644
- C:\Windows\System\PjMTGAv.exe
  C:\Windows\System\PjMTGAv.exe
  2⤵
  - Executes dropped EXE
  PID:2856

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AWfdYin.exe

Filesize
5.7MB

MD5
74b379d24f842dba3a8d3b91b0301230

SHA1
94f5729289e1222a89fb32f83c02e80b5dc99bf3

SHA256
11e0ae3ba9715250062f331ad266dbe6c21ab34cc0b4c11a37ba4a6ae32ec271

SHA512
aa7a4df99530b6850a78b29b65d9973b438d4e04731d15c232b1d958eba7f8dcd3b85bc19ddeb2884cc15f22bbef2ad7eb2ac061ed6d3246121b9d62cfe4eae5

Download Submit
C:\Windows\System\CEurtCj.exe

Filesize
5.7MB

MD5
d711bb2707aa3626d77845d5600d32aa

SHA1
21cf4a2805e52ccd2272c0196ffdb695fb1b6418

SHA256
56dcd57d8ea30755f4848c25c43e8d5bd14951c8bbcdf29329a81c477a844082

SHA512
53f11d5c0ddafe77f9cff8cabd53a04d617f1511fa5ffe61b80401842f037c1451de85fe1a3a867b9737b62ef55e948c02eec2dceb925985131a493a8ddbae45

Download Submit
C:\Windows\System\Cartrdx.exe

Filesize
5.7MB

MD5
b31d5f53e8ada05095a8c81c3eee7363

SHA1
32370c1287cb00471663fa3073a8ee844eb6e0d4

SHA256
2bc6a21339dc117cbf3a9ef3ddc2f0ae9e6a21d6668cf5bb848d4253468848bc

SHA512
730d2901d1a011645f5b04434dbbf6a5974f12cb275b8fb2962d9de2228056c19468c1b3920937988609b2d9ba69c5a529a6f8e59a058741b8606c82e4764e83

Download Submit
C:\Windows\System\FHlmVIz.exe

Filesize
5.7MB

MD5
501b27f8a6cdabaf56374f62fc91fd0f

SHA1
fbac9c79cfb076c2e1f57b368655634134682cc0

SHA256
4452186d4e2ae680eea3d40ecd01982f7807c5ae04ad731af7ca3186910d238e

SHA512
d6f224e826485d2dd2a3ce123c4390b0d1ee0f0d0ebc31477ff6c74829ca2d69fc2287f7570ada95b1ac39eeeaad263fbfca3a83df011b619618d0fa8bcacc39

Download Submit
C:\Windows\System\OprCRQT.exe

Filesize
5.7MB

MD5
6ab88d7e43d8f8edc244a67482374611

SHA1
b3e23e588e912f1b910319c62e731198ee5e0de6

SHA256
716b62b4168480f7c695905e0b2e0ed7bedd243aa62933f4a0ab0637eafca0e0

SHA512
afe84b4d79516129f9bf665285fbdfc9eec08367ed304aa8b4f2732d0b271b26281955e59256d76de8ec83de23140c0d91b8a3342930b21ce8aa7d05d95270dc

Download Submit
C:\Windows\System\PJfpMRr.exe

Filesize
5.7MB

MD5
a7fbeb1b2cad912a7466037fff847372

SHA1
80e88cd637b25c049aa4ab3abec12e6fa5c46246

SHA256
2e3a8fac2aef8a4fe8f1371fa68e87a98cb1ad9386d4515455aba93b0a1bd6a6

SHA512
d5c94104e21b7456a41fc97876387105848c67cfcac6f596a7d7f0f0a1a5bea344d2e1ca1a06bf8017bf7d77346f30cf23a891267c2fbc3ee7df0fe28d470cb4

Download Submit
C:\Windows\System\PjMTGAv.exe

Filesize
5.7MB

MD5
717159a048dbb32ff6c8acecf63a4608

SHA1
d413595530393b5d34f97452c8f0628455b6d0a6

SHA256
2c4369c2c4395851ff1d987bdd8417ceb843db252eebd417f9c78c5da0cb155a

SHA512
31d1adf793aa26760dae7179a089823369941dceb3e60ab4256a8a2fe9510899c9a8ebf225789150cc0c6ab9a0d54cc6bd3e9de34466e8914292a30c8683d389

Download Submit
C:\Windows\System\RKBGWti.exe

Filesize
5.7MB

MD5
639b3f74e3127303fe006d73fcd1b5eb

SHA1
e1f81381af70b5bc56c9ada3a809f7fd2726f37a

SHA256
aab1c2835f200a641bbfd7b64dc7e4ba890c4b415ffe5a673f1d0ba4b38ee24a

SHA512
a6f75879b6666f02f59511956c26bcbe43002c39f328ca532a151756cfe83fac23caef82c43fb22ee5c05471456abb08f6c87e34d399bd297d9720fcde2d9381

Download Submit
C:\Windows\System\RnZdKXC.exe

Filesize
5.7MB

MD5
6ec656ce74d62d4a87f76f82c1fa98f7

SHA1
dfad6213435102b0d0f9c22c1ca6dcc1fbc97cbe

SHA256
6ed67f36cc535f25236f7cd9ce61d90c8709d45e09e94fb516041af69dc336b4

SHA512
42a8403ef9128b718c96ff5823754bdac138ede96a68e45390b38fb3b087b0cf6bcb96e47fb7a89fea2dac73bf7921cd0c04fa059eab563925421e7370eda66f

Download Submit
C:\Windows\System\UFnAJoY.exe

Filesize
5.7MB

MD5
59b241f62f4042fb70d374a0f1e1d3eb

SHA1
5d16ae3c2bf024dda9b014f49fc3e66606cb8a11

SHA256
098ef0e00d63542959bc89a03739b14cb9dc2b0c1f90fcf7e5b9b9524ab171d4

SHA512
0a192bd96b365546b27bb5c361a6533cde1527a4544f542460a891e36a9d0183a8f74b8b6d8529f13feb4ccef394db36faedbb795a07c614a78453b917e495d3

Download Submit
C:\Windows\System\UphYVvb.exe

Filesize
5.7MB

MD5
a5c89e54b9eb9a65b1597bd44bcb270b

SHA1
5ffaad8fbef34b2eb810156af3323adac747c64f

SHA256
88e914a6627fbe249b1d0820ab037be894060f0cc617e65e6abc9b631ac9b6b4

SHA512
8ba7de0b92138e9acf419d4a41445519a3b2a54f9c2107dcb9586335b370e14e8a4d0d639eed345f471b3c6e08d2093f328b503413986cb43a336e0634ac05fb

Download Submit
C:\Windows\System\XAkRxAa.exe

Filesize
5.7MB

MD5
aebbd302f61698f386179645e65120cd

SHA1
d450fdebb5f24d56dff51fdbe8c6d67f2c87d038

SHA256
d94f5fcb73c0a5b4bd1b7c55a4a851073cfd9649118752a09f1c0b175e3ffc1d

SHA512
fed7af898f32ce1c6988b001054c8a598ad9d3aebbf02389bed39f2cb64f32328f86a1608d3c7f1a94fb5afae47e9b55d8c3e5ff26976683ed3fd6e67f3653d6

Download Submit
C:\Windows\System\XQVdjBa.exe

Filesize
5.7MB

MD5
e69824b05a26d86222eeca99250ba35b

SHA1
2f468e047f2b7337e0b11cd7271aeb7323786ed5

SHA256
3f40d6d192497a8770a06bd042717d8fda3945c785017bfa65194b0d23eb196b

SHA512
78ff5fdaade922dc31227deb03f86f056271e8bbef54f38b781c712694c7d61abde215b8300f95507fc1468c388787aea47f42a10998d89ed3ea53070777d1a8

Download Submit
C:\Windows\System\XgvEQkl.exe

Filesize
5.7MB

MD5
7b2b7474b60185d0c493ebd5d02aa5ae

SHA1
180d53b9d2bcebb9c7456345b7fc3492e431ad84

SHA256
011d61ec5a180a7df376a624e954e3b4529d6683324f5e6fe9576a693069a845

SHA512
fa704e6abaa23d25b9640b27b297e1cdc2e42225ed6dc3b7a9a4f697e95a6dd16935b44eb9d3731e40618c285980e02d995c1fa58d6e0237b31fd10611ad1670

Download Submit
C:\Windows\System\cmGiMwq.exe

Filesize
5.7MB

MD5
8007b9e06964604e8897df12aeef5c77

SHA1
b28a6df3b5fa8accd45705ac7abc732d14dba280

SHA256
16ede94fb5eec43b35702c735b10e39a81cd16f113775f41291a694e2c5c5c8b

SHA512
fbf106b63dd3789e9301ca0e935a6ffa3b6d53aaf2240fc88d8f45bde39593014dbd07a9bbf0e7241bac2283ba81c4db53890873124696e922c391674351c15b

Download Submit
C:\Windows\System\dZKREMS.exe

Filesize
5.7MB

MD5
dda247536a94d0d99aa3fda3d90a0087

SHA1
a769c436a8f1bc94cf1363761d9441a04dfde4b9

SHA256
df3cab7fd3c517773863fcf9c138af4f2aa92ef49cbe59c49b0563629b878cfc

SHA512
98ef0c4ccd1a3073416f3887294dffd12fd929ec20cb6fcfd474214856ef6fcb1c8df496de7858aefedb4e7e27794c7fcd7675d0310f94d868d3369d9fa070fe

Download Submit
C:\Windows\System\dmDHyJn.exe

Filesize
5.7MB

MD5
d15378727a473850b2e270d137fdd931

SHA1
d653e24c05295fd63168c1300947eb6bb492f675

SHA256
88799cb7ba42034867b44258ff44d7125a2cb09b412731fc53fba2279a7bd156

SHA512
5a2038a4af2592a3441414c2ec5b8ed4de8a69adbfa63f5b3e60c67560afbf0b09cb532ae8782403442e6cf88b16fb4d01b71c731825dc93acae2b106e243c5e

Download Submit
C:\Windows\System\rpkawHG.exe

Filesize
5.7MB

MD5
0d1524165fe241a80a22d6d436d31975

SHA1
797cda596d6115c6621997e3f6c84912f45f938b

SHA256
e2f9dd8cb0702ab3080685e2abae61a374be2016e020066ef24d01c3463fe77e

SHA512
4714070cfffb8043ea19ab83c17ed3c0348ea9d4aa0422c991b1343d49398e0533ed5104dc4915bf9cdd82d639ef0e58f6a0305bd87140722ac208bc1f4d4532

Download Submit
C:\Windows\System\uHRGXgU.exe

Filesize
5.7MB

MD5
d78e26de0b1a80c42c21554b5ea35518

SHA1
61d96eeef59c2b3488e20f61c2426538186f9955

SHA256
c7e84af4a4b8083d7f1ea54fc8ae352cc2e6281cb01cb0f58864e36d87961dfc

SHA512
6ee1202f9d5d053c1e3fa4511815b0c1023df653491f19deeeb1635a9551f8a5da950125c00954abe25b51695fbda9699d3294bff32783fb5898461c3e262034

Download Submit
C:\Windows\System\uvVwmXf.exe

Filesize
5.7MB

MD5
ec3c91554ff3b2968232e985013c48ba

SHA1
f1d153606e0135850a3d4f691eac015de29b97b4

SHA256
f2920b86ac82327c2b63181828157b5914d8b183da49e4acd1c777b4ebde15a6

SHA512
9d934bdcbc92cc29ce30a4f5a19b245cce8f1707f84f500a55952fe2b8485ebe17ca977cd74b212f5a9494c508a5ab3354d4335345c284c26738a856503912bf

Download Submit
C:\Windows\System\zIzxiyP.exe

Filesize
5.7MB

MD5
576061ba338cd4ab5a27c954af2b65ed

SHA1
42b5359079a49d0bfe56abe4b28246f3b351f050

SHA256
8ce14c719e708d81a183ac24a21f7109fc82a5813a58582a079b23aa27c5ecef

SHA512
ec983e86f68ac6d3b3da0054c388f352d37670eca19a51084bf82b0ae44f5af3b908eb17825177974a4e6ad44aa37855b412daf43252af7dc785bba3450abc98

Download Submit
memory/804-0-0x00007FF74AA20000-0x00007FF74AD6D000-memory.dmp

Filesize
3.3MB

Download
memory/804-1-0x0000029754700000-0x0000029754710000-memory.dmp

Filesize
64KB

Download
memory/936-94-0x00007FF622480000-0x00007FF6227CD000-memory.dmp

Filesize
3.3MB

Download
memory/1420-86-0x00007FF6D2E80000-0x00007FF6D31CD000-memory.dmp

Filesize
3.3MB

Download
memory/1820-43-0x00007FF73EBD0000-0x00007FF73EF1D000-memory.dmp

Filesize
3.3MB

Download
memory/2376-19-0x00007FF716350000-0x00007FF71669D000-memory.dmp

Filesize
3.3MB

Download
memory/2472-91-0x00007FF6CC570000-0x00007FF6CC8BD000-memory.dmp

Filesize
3.3MB

Download
memory/2620-61-0x00007FF7B0D20000-0x00007FF7B106D000-memory.dmp

Filesize
3.3MB

Download
memory/2648-109-0x00007FF6612C0000-0x00007FF66160D000-memory.dmp

Filesize
3.3MB

Download
memory/2856-126-0x00007FF65EF90000-0x00007FF65F2DD000-memory.dmp

Filesize
3.3MB

Download
memory/2876-58-0x00007FF75C9F0000-0x00007FF75CD3D000-memory.dmp

Filesize
3.3MB

Download
memory/2916-37-0x00007FF6607D0000-0x00007FF660B1D000-memory.dmp

Filesize
3.3MB

Download
memory/3288-25-0x00007FF6169E0000-0x00007FF616D2D000-memory.dmp

Filesize
3.3MB

Download
memory/3380-115-0x00007FF7C8DD0000-0x00007FF7C911D000-memory.dmp

Filesize
3.3MB

Download
memory/3384-82-0x00007FF661640000-0x00007FF66198D000-memory.dmp

Filesize
3.3MB

Download
memory/3884-52-0x00007FF79FD10000-0x00007FF7A005D000-memory.dmp

Filesize
3.3MB

Download
memory/4016-31-0x00007FF79D4E0000-0x00007FF79D82D000-memory.dmp

Filesize
3.3MB

Download
memory/4180-7-0x00007FF7DAB50000-0x00007FF7DAE9D000-memory.dmp

Filesize
3.3MB

Download
memory/4496-79-0x00007FF738870000-0x00007FF738BBD000-memory.dmp

Filesize
3.3MB

Download
memory/4644-121-0x00007FF6A4040000-0x00007FF6A438D000-memory.dmp

Filesize
3.3MB

Download
memory/4932-97-0x00007FF680F60000-0x00007FF6812AD000-memory.dmp

Filesize
3.3MB

Download
memory/4948-13-0x00007FF7812B0000-0x00007FF7815FD000-memory.dmp

Filesize
3.3MB

Download
memory/5040-103-0x00007FF6FA6A0000-0x00007FF6FA9ED000-memory.dmp

Filesize
3.3MB

Download