cobaltstrike | 7083139c3a76cf948d1ac3af587c1f2a8a0a0904fc8c36c5d385cf3d93a49f20

Analysis

max time kernel
135s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2025 19:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.7MB
MD5

fdb3611a949daf79025656b7e9e5a966
SHA1

ce74574afe855719e11b4c33841ea6cdfc59e4cd
SHA256

7083139c3a76cf948d1ac3af587c1f2a8a0a0904fc8c36c5d385cf3d93a49f20
SHA512

e3197f3970ce12b20ceb8700edbb27e0a9854e06f8c0c708b37ff5738a37ad709bb572ee826e03cc3b99273d3835d0f59b32f7e3a97354aaae5df4e32b12a0fe
SSDEEP

98304:4emTLkNdfE0pZaJ56utgpPFotBER/mQ32lUY:j+R56utgpPF8u/7Y

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023b43-5.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b98-10.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b97-11.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b99-26.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9c-42.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9b-39.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9a-32.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023baa-93.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba5-100.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba7-117.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba8-118.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba6-116.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9f-110.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba9-107.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba2-103.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba1-101.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba3-99.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9e-94.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba4-86.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba0-77.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9d-68.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 43 IoCs

miner

resource	yara_rule
behavioral2/memory/1396-0-0x00007FF7C5FB0000-0x00007FF7C62FD000-memory.dmp	xmrig
behavioral2/files/0x000c000000023b43-5.dat	xmrig
behavioral2/files/0x000a000000023b98-10.dat	xmrig
behavioral2/memory/4428-7-0x00007FF795660000-0x00007FF7959AD000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b97-11.dat	xmrig
behavioral2/memory/3196-13-0x00007FF75D980000-0x00007FF75DCCD000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b99-26.dat	xmrig
behavioral2/memory/2200-33-0x00007FF65C3D0000-0x00007FF65C71D000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b9c-42.dat	xmrig
behavioral2/files/0x000a000000023b9b-39.dat	xmrig
behavioral2/files/0x000a000000023b9a-32.dat	xmrig
behavioral2/memory/1272-28-0x00007FF739260000-0x00007FF7395AD000-memory.dmp	xmrig
behavioral2/memory/1780-23-0x00007FF63C000000-0x00007FF63C34D000-memory.dmp	xmrig
behavioral2/memory/3412-71-0x00007FF7D22A0000-0x00007FF7D25ED000-memory.dmp	xmrig
behavioral2/files/0x000a000000023baa-93.dat	xmrig
behavioral2/files/0x000a000000023ba5-100.dat	xmrig
behavioral2/memory/952-102-0x00007FF614910000-0x00007FF614C5D000-memory.dmp	xmrig
behavioral2/files/0x000a000000023ba7-117.dat	xmrig
behavioral2/memory/400-124-0x00007FF6BB750000-0x00007FF6BBA9D000-memory.dmp	xmrig
behavioral2/memory/964-126-0x00007FF7A55B0000-0x00007FF7A58FD000-memory.dmp	xmrig
behavioral2/memory/2012-122-0x00007FF7D36B0000-0x00007FF7D39FD000-memory.dmp	xmrig
behavioral2/memory/4436-119-0x00007FF6BF120000-0x00007FF6BF46D000-memory.dmp	xmrig
behavioral2/files/0x000a000000023ba8-118.dat	xmrig
behavioral2/files/0x000a000000023ba6-116.dat	xmrig
behavioral2/memory/5012-114-0x00007FF6DEFE0000-0x00007FF6DF32D000-memory.dmp	xmrig
behavioral2/memory/980-113-0x00007FF639970000-0x00007FF639CBD000-memory.dmp	xmrig
behavioral2/memory/936-111-0x00007FF6C8350000-0x00007FF6C869D000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b9f-110.dat	xmrig
behavioral2/memory/3620-108-0x00007FF6A0030000-0x00007FF6A037D000-memory.dmp	xmrig
behavioral2/files/0x000a000000023ba9-107.dat	xmrig
behavioral2/files/0x000a000000023ba2-103.dat	xmrig
behavioral2/files/0x000a000000023ba1-101.dat	xmrig
behavioral2/files/0x000a000000023ba3-99.dat	xmrig
behavioral2/memory/4676-97-0x00007FF6205C0000-0x00007FF62090D000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b9e-94.dat	xmrig
behavioral2/memory/856-89-0x00007FF6F81B0000-0x00007FF6F84FD000-memory.dmp	xmrig
behavioral2/files/0x000a000000023ba4-86.dat	xmrig
behavioral2/memory/1328-79-0x00007FF6D5EA0000-0x00007FF6D61ED000-memory.dmp	xmrig
behavioral2/memory/4420-73-0x00007FF69F1A0000-0x00007FF69F4ED000-memory.dmp	xmrig
behavioral2/files/0x000a000000023ba0-77.dat	xmrig
behavioral2/memory/4740-95-0x00007FF6E6610000-0x00007FF6E695D000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b9d-68.dat	xmrig
behavioral2/memory/1068-104-0x00007FF7CEA40000-0x00007FF7CED8D000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4428	VjCIyWF.exe
3196	nZZxluj.exe
1780	ZDOWkFb.exe
1272	cacKxaS.exe
2200	VCXJSTo.exe
4420	AkExERZ.exe
980	MCXuyXN.exe
3412	KGRuJUO.exe
4740	yFbDjrr.exe
936	rVhSoQg.exe
1328	gTDnCNP.exe
952	ayUBEdc.exe
5012	pcCyJLl.exe
1068	PKnYXjA.exe
856	XisQNRj.exe
964	CVUOkRG.exe
2012	noMbRdw.exe
400	FTUKiBm.exe
4436	dzzfmPc.exe
3620	hgzmJWj.exe
4676	eLpyTak.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\noMbRdw.exe	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hgzmJWj.exe	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VjCIyWF.exe	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gTDnCNP.exe	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pcCyJLl.exe	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CVUOkRG.exe	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cacKxaS.exe	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MCXuyXN.exe	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rVhSoQg.exe	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ayUBEdc.exe	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XisQNRj.exe	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FTUKiBm.exe	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KGRuJUO.exe	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yFbDjrr.exe	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PKnYXjA.exe	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dzzfmPc.exe	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nZZxluj.exe	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZDOWkFb.exe	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VCXJSTo.exe	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AkExERZ.exe	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eLpyTak.exe	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1396	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1396	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1396 wrote to memory of 4428	1396	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 1396 wrote to memory of 4428	1396	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 1396 wrote to memory of 3196	1396	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1396 wrote to memory of 3196	1396	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1396 wrote to memory of 1780	1396	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1396 wrote to memory of 1780	1396	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1396 wrote to memory of 1272	1396	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1396 wrote to memory of 1272	1396	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1396 wrote to memory of 2200	1396	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1396 wrote to memory of 2200	1396	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1396 wrote to memory of 4420	1396	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1396 wrote to memory of 4420	1396	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1396 wrote to memory of 980	1396	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1396 wrote to memory of 980	1396	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1396 wrote to memory of 3412	1396	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1396 wrote to memory of 3412	1396	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1396 wrote to memory of 4740	1396	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1396 wrote to memory of 4740	1396	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1396 wrote to memory of 936	1396	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1396 wrote to memory of 936	1396	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1396 wrote to memory of 1328	1396	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1396 wrote to memory of 1328	1396	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1396 wrote to memory of 952	1396	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1396 wrote to memory of 952	1396	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1396 wrote to memory of 5012	1396	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1396 wrote to memory of 5012	1396	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1396 wrote to memory of 1068	1396	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1396 wrote to memory of 1068	1396	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1396 wrote to memory of 856	1396	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1396 wrote to memory of 856	1396	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1396 wrote to memory of 964	1396	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1396 wrote to memory of 964	1396	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1396 wrote to memory of 2012	1396	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1396 wrote to memory of 2012	1396	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1396 wrote to memory of 400	1396	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1396 wrote to memory of 400	1396	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1396 wrote to memory of 4436	1396	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1396 wrote to memory of 4436	1396	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1396 wrote to memory of 3620	1396	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1396 wrote to memory of 3620	1396	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1396 wrote to memory of 4676	1396	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1396 wrote to memory of 4676	1396	2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-27_fdb3611a949daf79025656b7e9e5a966_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Windows\System\VjCIyWF.exe
  C:\Windows\System\VjCIyWF.exe
  2⤵
  - Executes dropped EXE
  PID:4428
- C:\Windows\System\nZZxluj.exe
  C:\Windows\System\nZZxluj.exe
  2⤵
  - Executes dropped EXE
  PID:3196
- C:\Windows\System\ZDOWkFb.exe
  C:\Windows\System\ZDOWkFb.exe
  2⤵
  - Executes dropped EXE
  PID:1780
- C:\Windows\System\cacKxaS.exe
  C:\Windows\System\cacKxaS.exe
  2⤵
  - Executes dropped EXE
  PID:1272
- C:\Windows\System\VCXJSTo.exe
  C:\Windows\System\VCXJSTo.exe
  2⤵
  - Executes dropped EXE
  PID:2200
- C:\Windows\System\AkExERZ.exe
  C:\Windows\System\AkExERZ.exe
  2⤵
  - Executes dropped EXE
  PID:4420
- C:\Windows\System\MCXuyXN.exe
  C:\Windows\System\MCXuyXN.exe
  2⤵
  - Executes dropped EXE
  PID:980
- C:\Windows\System\KGRuJUO.exe
  C:\Windows\System\KGRuJUO.exe
  2⤵
  - Executes dropped EXE
  PID:3412
- C:\Windows\System\yFbDjrr.exe
  C:\Windows\System\yFbDjrr.exe
  2⤵
  - Executes dropped EXE
  PID:4740
- C:\Windows\System\rVhSoQg.exe
  C:\Windows\System\rVhSoQg.exe
  2⤵
  - Executes dropped EXE
  PID:936
- C:\Windows\System\gTDnCNP.exe
  C:\Windows\System\gTDnCNP.exe
  2⤵
  - Executes dropped EXE
  PID:1328
- C:\Windows\System\ayUBEdc.exe
  C:\Windows\System\ayUBEdc.exe
  2⤵
  - Executes dropped EXE
  PID:952
- C:\Windows\System\pcCyJLl.exe
  C:\Windows\System\pcCyJLl.exe
  2⤵
  - Executes dropped EXE
  PID:5012
- C:\Windows\System\PKnYXjA.exe
  C:\Windows\System\PKnYXjA.exe
  2⤵
  - Executes dropped EXE
  PID:1068
- C:\Windows\System\XisQNRj.exe
  C:\Windows\System\XisQNRj.exe
  2⤵
  - Executes dropped EXE
  PID:856
- C:\Windows\System\CVUOkRG.exe
  C:\Windows\System\CVUOkRG.exe
  2⤵
  - Executes dropped EXE
  PID:964
- C:\Windows\System\noMbRdw.exe
  C:\Windows\System\noMbRdw.exe
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Windows\System\FTUKiBm.exe
  C:\Windows\System\FTUKiBm.exe
  2⤵
  - Executes dropped EXE
  PID:400
- C:\Windows\System\dzzfmPc.exe
  C:\Windows\System\dzzfmPc.exe
  2⤵
  - Executes dropped EXE
  PID:4436
- C:\Windows\System\hgzmJWj.exe
  C:\Windows\System\hgzmJWj.exe
  2⤵
  - Executes dropped EXE
  PID:3620
- C:\Windows\System\eLpyTak.exe
  C:\Windows\System\eLpyTak.exe
  2⤵
  - Executes dropped EXE
  PID:4676

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AkExERZ.exe

Filesize
5.7MB

MD5
c33f21ef2ac13aab8af2b6776319c8aa

SHA1
3444fe43e0ceb96eb5fc848f6d260b9d91d94d44

SHA256
36d9a49ada3f73aa8e9875e508796b0a7a0df103a1b9ddee3a3394f560508457

SHA512
01ff7ccc85d4f381c5de5d40291353731c3b126b47b26688a20ea17cedab52bc175a1ba1b741eced8ed5eecb2c6f7516742b95e92611a3366f26714b8b70a4aa

Download Submit
C:\Windows\System\CVUOkRG.exe

Filesize
5.7MB

MD5
bb80379d182072034c239dde35a20e73

SHA1
ac8b227c1329a258f673e066c4bbeb119a3f9a33

SHA256
aa1e37ae44635d185ba38dc76a848180afa179d8f4b67c1fbb50928f60f2121e

SHA512
aacdc61ed3b9ffcbbc6bdbcad6223f4fe826010d8d828a37626f572cf92909468835cb587c3223863a80ad832d3cce008add97e4abf13ae970aa3d715bc4b18e

Download Submit
C:\Windows\System\FTUKiBm.exe

Filesize
5.7MB

MD5
9123b276a901b45beb31875eb3b340a1

SHA1
ba268e0a053e5bb3ab1c3b3c388a363fb38366fb

SHA256
9c5a3cedee3bfcbd2a974d22e77869375e0f2bc2c729d9308a0b177142739236

SHA512
440b42cc90174782072115c5758d56c1879540062739dd3b9f7e4a29efe172d35187e6e01f3cdf2fb1632359c2f6170969c3d5d756619b5e1bc9af122223afd6

Download Submit
C:\Windows\System\KGRuJUO.exe

Filesize
5.7MB

MD5
b589dd9922dec558f60f4b7ba04c7835

SHA1
13a8250834cafd34822c6901921c878689f56826

SHA256
1c74c1574421b0c24e10230697ef031f3a376032259f54ff5686bced59d3ceb6

SHA512
4348b579e18b0c6a9015c74c2f026448b707b451e3c92941f6737bb8ecc126c0c1b7831228d5608902723c3b7eb99ccf8684c2eec7c51410d55e14d1de1f56e6

Download Submit
C:\Windows\System\MCXuyXN.exe

Filesize
5.7MB

MD5
332e01bfffcd47022bb211a0ff1ae670

SHA1
9c8eed3eacd442386996c396da4e7b0bba77b690

SHA256
d98b51e768dbdbdbe44d6ef0449400a6212293d303f9be89d8748f05598e136d

SHA512
aa10911903b4ce76349d7c846a66dc732fcb08cb53726953ce6922089d4c74f7e0eb1a397137f10930eb389bdbab9554b3a579a84e806bffb14874b15171a972

Download Submit
C:\Windows\System\PKnYXjA.exe

Filesize
5.7MB

MD5
a36e2ffe889314365ced9587a4f9a29d

SHA1
38b7dc4af7c94d2dc7acb5ad3108e35b40cc5be0

SHA256
ae243a9c994fa2546e1fde36511ce66e9618daa6ef0b26f3de62149319ef7c4d

SHA512
246c0d2815215a3adf3b95b166007b62d60b7fc7299d53ab6dbfa23aa714b12275e6cc7183077db9984280a228a9d1700df32ec11b8f7c060bc200452d9b931f

Download Submit
C:\Windows\System\VCXJSTo.exe

Filesize
5.7MB

MD5
ecc146fff5a7f7e8aa804b36ab21ff95

SHA1
e7337127de94af106834690a4e6d9c1e8469bc94

SHA256
0cc41d6ec1f57a608ac986cc599bb61bf1ce534c3259890659bd1a7072812a2a

SHA512
3d7caf1977a644df0a51e408b50d694219bfb4a3fa8bee5a0fe9807f64e5c89fa4c56aa911bd00f7614a92960440734f4fc5b1b1d284e61b3a840dcb7415f227

Download Submit
C:\Windows\System\VjCIyWF.exe

Filesize
5.7MB

MD5
bbfb629732b75b2989c56e8ff2101030

SHA1
543727bf97df3319db5174e6656f67ab55242548

SHA256
c2a88a170ec74dd5784a2b46f91b12c07d860debd1b3c61c5e1e4da7b0dde538

SHA512
b171bbc4d3bbffe5c4c92525cbaec8793ef0af0d69a5e40f57d223c0ce5143501a6b8be1e147a8e5563bf9d137e3af873dc0fa057d8f9a003d81fc4d08cdde17

Download Submit
C:\Windows\System\XisQNRj.exe

Filesize
5.7MB

MD5
a5fed7f841e1a760908f4f9bd175d9cd

SHA1
965b676031f4aeea59d71e6d13f9c4d7edb64008

SHA256
8e0ca1f9825ec07657422164e3a56f79a660692383056a6b159d43af2ba1dde1

SHA512
51564f2992fcb6214c26315cbde80cb8e82e7db3b774cc96c06dbb07b5daef35325c05c76215e7eb0bf4df8aae1f08229e1906fd560b9463b34a70bb83dd4b0c

Download Submit
C:\Windows\System\ZDOWkFb.exe

Filesize
5.7MB

MD5
4401972e28f2d8149e5a78486088ace3

SHA1
b92d72e10c7209d5a4f4178ea512e6ca852f1363

SHA256
0ae8e813a9c55d413ae31799d7580369c02eb9226717854ada0238a215617b0a

SHA512
e5cc849cf978467ba9c71df1555b7c8164f292ef6095e6aeb5f3233ddef7ee465c7c0f4a882a826f46acebe6c25eba9026f8c8066c4115c44d889b50a97ec339

Download Submit
C:\Windows\System\ayUBEdc.exe

Filesize
5.7MB

MD5
9a1c475f8aa6b45b676e6e2041e1b6d9

SHA1
99461d5c6cf67971c760a5405b9b251314b61860

SHA256
9246f0a5e0096217a33d43e9652cc27568c26fe27d7bab854710b8e3cde9355d

SHA512
b96fcad06a3d2c0920e1e0acae7f787feb00aad3b81dc1227fb63060c641f653837c5f866e801eb7c1068636fe29ab79f8fca72bad6253bf32ffa95f7ac0fdcf

Download Submit
C:\Windows\System\cacKxaS.exe

Filesize
5.7MB

MD5
40855c16fb5d6b764f72c6d5e7e136e5

SHA1
1da6e406c61c3992ac2c94688d0ceae209140bfe

SHA256
48ff9d9b80d18a45dc021f31588282b537dce2f55832097da24217dbd4b9e133

SHA512
e65977ada1b60635d93716e049ab63112b6f9b9eb5d370b1c027557a930422e766fcc63867784a1da9f27a27f40c7d782757fedaeedf3dbb350f2436fef26acd

Download Submit
C:\Windows\System\dzzfmPc.exe

Filesize
5.7MB

MD5
9f19367d2eba54f4dc47fb605c1226a5

SHA1
d86ab310e81988ae520291797cfae9308b6ffbb0

SHA256
37176fd82d3fb36014920f1520dddab0dab9bdc69cc9fb9e0d8671713cba75eb

SHA512
3bee22dc6999e0181cdc80529bd501558948a322b0b48455aed019b10c2187869443abac7441219423ae257283a75f25224f5df44e4aaa51a132dcac92419ed9

Download Submit
C:\Windows\System\eLpyTak.exe

Filesize
5.7MB

MD5
6fb61b6060505901f9f3a6dcbf3aa74e

SHA1
633b04fa60373991c4ab17cd04a8890b2276a19c

SHA256
6ef049b59bf22c213525d210c728c1e554c9420b8fa0009f3521e1856253f7df

SHA512
426cf098ee775a837b5ef7b194d20d268cddcc485a4637726d21cb7eee99cf09d3f95c434a32bd340b4b1302abc3ba6d83acd4bdaefdb812e25b3dc4464a5e9d

Download Submit
C:\Windows\System\gTDnCNP.exe

Filesize
5.7MB

MD5
919aa091776a8581a67683e35ef69e6c

SHA1
ef44090fee2a611a5cac7b0f9dde233665cfa866

SHA256
34812d2a4888fd5a14dd4df74581de74a2956e28b9e54c7c17a5f2cac2a1f48f

SHA512
73cad3a511d830ccea2aaaf5cde168c094eb64c1fdf599045b896310051432cfdcad847d4751d262e8a742b04de0d2cce7594da4cde2acc19f7993725b9f783f

Download Submit
C:\Windows\System\hgzmJWj.exe

Filesize
5.7MB

MD5
78d3a906cb10bc47de0625babf244733

SHA1
7365b3baead3d5b2093fea24c251a808b3cac2dd

SHA256
d10a3609c23d58ceb21d8a436924998c3a8b9b4b2d52626577cbf8f7a09915c8

SHA512
9e3c81d20d5588224ee452088d94ecfbc57528f3285564ce0857c1082c8359e1e1e15d77f597f8e721dfcafefd8241528712efea694812ad884aee7405a78c42

Download Submit
C:\Windows\System\nZZxluj.exe

Filesize
5.7MB

MD5
816cc7776e0cab1b7547145d89f223f0

SHA1
488b0ad10dac9b14d863c57c785a52273f625cd0

SHA256
a65e5dede491edec92f2586aac9d6c6f4a2048203d3572a64f7e9a8dea7945c6

SHA512
75b6bc33b75e7525d685c2e1d9579a4836ef4a199ba6281d7111bd1c0c926eceb1069b6353c5eeda9e22a64ed0698be4b31cf3898716b300c58a64ae72b85c0a

Download Submit
C:\Windows\System\noMbRdw.exe

Filesize
5.7MB

MD5
f7ea3dc06dd75fd79266f016a96ec305

SHA1
0ad9ea24708d32a84ea756d89b0ffc464775f2b1

SHA256
bfb488309f1a699d860a0b77c526ccb14d98536a310fab9861c5500e17962993

SHA512
eb6c092151983197333cbfc69185967b7312a3583b77423b13223ef600c8a9b0525ba8052e915b3c0b58e4661b9929d23c08440a07ba276be3828a85607d55cd

Download Submit
C:\Windows\System\pcCyJLl.exe

Filesize
5.7MB

MD5
9451c8c7fe0fdaa51645e620c5b768a1

SHA1
de3713c7cf95eff92b1367af00709436ea7f9317

SHA256
5eb725755719bee7cea7c1b1c25f0e11ddcbe420c30770db799957ce443026ba

SHA512
4c8f2eb015015dbb231c1223782954aa608578392a88b96a4aeb93132c43e15ea70defd32d0891d3381238bbd3ac687e4522a1efd114da6209d709d683dc03f2

Download Submit
C:\Windows\System\rVhSoQg.exe

Filesize
5.7MB

MD5
c851557618c6c3167ddfb7eb0ad0fd4d

SHA1
3dfd91ce3c161dd2d2361e7a125d351b1f64ba1a

SHA256
6aa5f2f8853e911c90bee252ebcfc9a53db98acdbfc99c712c3480995ebae528

SHA512
28c1c4005dcce28131cdb716603ce2556090f096254e74167a032eb150898e6b62d6b86c9526b02c0f0d4bcbe800b6bc50a4004203fdccac44e9bb8e40b4c259

Download Submit
C:\Windows\System\yFbDjrr.exe

Filesize
5.7MB

MD5
6444a8ad665233624ec7dd69a6b66e61

SHA1
a1570bcfd790e356fd4a6765a242a1de8c03a4b6

SHA256
a9a29410ff8232beb72874c0e4011b762713ac1e90810264dc54242dbca4f4bc

SHA512
0597ddd5999d73a849ac0dcf02fcc10f087fc20a06e90a22cd1706b4f262ce7f411cf9288a305d5f00d4e82519e6f78c85e018f7282d09a5faaca12514563de0

Download Submit
memory/400-124-0x00007FF6BB750000-0x00007FF6BBA9D000-memory.dmp

Filesize
3.3MB

Download
memory/856-89-0x00007FF6F81B0000-0x00007FF6F84FD000-memory.dmp

Filesize
3.3MB

Download
memory/936-111-0x00007FF6C8350000-0x00007FF6C869D000-memory.dmp

Filesize
3.3MB

Download
memory/952-102-0x00007FF614910000-0x00007FF614C5D000-memory.dmp

Filesize
3.3MB

Download
memory/964-126-0x00007FF7A55B0000-0x00007FF7A58FD000-memory.dmp

Filesize
3.3MB

Download
memory/980-113-0x00007FF639970000-0x00007FF639CBD000-memory.dmp

Filesize
3.3MB

Download
memory/1068-104-0x00007FF7CEA40000-0x00007FF7CED8D000-memory.dmp

Filesize
3.3MB

Download
memory/1272-28-0x00007FF739260000-0x00007FF7395AD000-memory.dmp

Filesize
3.3MB

Download
memory/1328-79-0x00007FF6D5EA0000-0x00007FF6D61ED000-memory.dmp

Filesize
3.3MB

Download
memory/1396-1-0x000001C2D72E0000-0x000001C2D72F0000-memory.dmp

Filesize
64KB

Download
memory/1396-0-0x00007FF7C5FB0000-0x00007FF7C62FD000-memory.dmp

Filesize
3.3MB

Download
memory/1780-23-0x00007FF63C000000-0x00007FF63C34D000-memory.dmp

Filesize
3.3MB

Download
memory/2012-122-0x00007FF7D36B0000-0x00007FF7D39FD000-memory.dmp

Filesize
3.3MB

Download
memory/2200-33-0x00007FF65C3D0000-0x00007FF65C71D000-memory.dmp

Filesize
3.3MB

Download
memory/3196-13-0x00007FF75D980000-0x00007FF75DCCD000-memory.dmp

Filesize
3.3MB

Download
memory/3412-71-0x00007FF7D22A0000-0x00007FF7D25ED000-memory.dmp

Filesize
3.3MB

Download
memory/3620-108-0x00007FF6A0030000-0x00007FF6A037D000-memory.dmp

Filesize
3.3MB

Download
memory/4420-73-0x00007FF69F1A0000-0x00007FF69F4ED000-memory.dmp

Filesize
3.3MB

Download
memory/4428-7-0x00007FF795660000-0x00007FF7959AD000-memory.dmp

Filesize
3.3MB

Download
memory/4436-119-0x00007FF6BF120000-0x00007FF6BF46D000-memory.dmp

Filesize
3.3MB

Download
memory/4676-97-0x00007FF6205C0000-0x00007FF62090D000-memory.dmp

Filesize
3.3MB

Download
memory/4740-95-0x00007FF6E6610000-0x00007FF6E695D000-memory.dmp

Filesize
3.3MB

Download
memory/5012-114-0x00007FF6DEFE0000-0x00007FF6DF32D000-memory.dmp

Filesize
3.3MB

Download