4d6538879d361640785635c60c842f1fd02adfb98c6001e9a24df3099e0d089a

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
21/03/2025, 08:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
Size

10.8MB
MD5

a41bac0a92629d690e57c6c6bc9d242b
SHA1

b3da913ab3acbcdd569a35a3a5629124e26cd331
SHA256

4d6538879d361640785635c60c842f1fd02adfb98c6001e9a24df3099e0d089a
SHA512

ac70c8e0b0a02139e251651a72ae12f41bcc2d911d88d6f3c8f080529dd59a39e7431c5fb00b3a247d322df354786ae2f2596ec16b5e272317bdeae465654473
SSDEEP

196608:I+D5q1SGs2yRwtkpqShRBhRhhRQhRWhRfhRFhR+hRV:DAkLRLRrRMRCRpRHRaRV

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gmfpLYKg = "c:\\Windows\\System32\\gmfpLYKg.exe"	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EcSt = "c:\\Windows\\System32\\EcSt.exe"	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "c:\\Windows\\System32\\.exe"	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe

Drops desktop.ini file(s) 9 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Microsoft Games\Hearts\desktop.ini	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\desktop.ini	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Microsoft Games\Chess\desktop.ini	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\gmfpLYKg.exe	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	\??\c:\Windows\System32\EcSt.exe	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	\??\c:\Windows\System32\.exe	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Common Files\System\ado\msadomd28.tlb.exe	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msadcfr.dll.mui	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Fakaofo.exe	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\vlc.mo.exe	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_s.png.exe	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\7-Zip\Lang\fy.txt.exe	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.httpclient4_1.0.800.v20140827-1444.jar	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Samarkand	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Windows Media Player\wmpconfig.exe	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\bg_sidebar.png	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench.nl_ja_4.4.0.v20140623020002.jar.exe	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\UIAutomationClientsideProviders.resources.dll	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Entity.Design.Resources.dll.exe	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_settings.png.exe	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\settings.js.exe	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Santiago.exe	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\PresentationBuildTasks.resources.dll	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_chromaprint_plugin.dll	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Windows Media Player\de-DE\wmpnetwk.exe.mui.exe	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\settings.js	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkWatson.exe.mui.exe	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\DVD Maker\DVDMaker.exe.exe	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libgaussianblur_plugin.dll	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml.exe	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.w3c.css.sac_1.3.1.v200903091627.jar	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-application.xml	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\skin.catalog	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single_orange.png.exe	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonInset_Alpha2.png.exe	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.components.ui.zh_CN_5.5.0.165303.jar.exe	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor.nl_zh_4.4.0.v20140623020002.jar	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationClient.resources.dll.exe	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\control\libdummy_plugin.dll.exe	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\delete.avi	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Internet Explorer\D3DCompiler_47.dll	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java_crw_demo.dll	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui_5.5.0.165303.jar.exe	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Windows Media Player\WMPDMCCore.dll	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Windows Media Player\it-IT\WMPSideShowGadget.exe.mui	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\5.png	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\logo.png	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\title_stripe.png.exe	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.commands.nl_ja_4.4.0.v20140623020002.jar	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security_1.2.0.v20130424-1801.jar.exe	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Java\jre7\lib\zi\Indian\Chagos.exe	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Mozilla Firefox\private_browsing.exe.exe	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\timeZones.js	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\7-Zip\Lang\sa.txt.exe	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\notes-static.png	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\alt-rt.jar.exe	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\Office14\IEAWSDC.DLL.exe	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Windows Media Player\Media Renderer\DMR_48.png.exe	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\service.js	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked-loading.png.exe	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\el.pak.exe	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\orb.idl	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WindowsBase.dll	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libposterize_plugin.dll.exe	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passportcover.png.exe	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\dsn.jar	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.commands_0.10.2.v20140424-2344.jar.exe	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Java\jre7\lib\zi\Antarctica\Macquarie.exe	2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe

C:\Users\Admin\AppData\Local\Temp\2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-21_a41bac0a92629d690e57c6c6bc9d242b_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip32.dll

Filesize
11.4MB

MD5
9760d3a6a9f1801c91ef1b522c617441

SHA1
8f2e15f03d4cac26e5b303d210b3c773dbd7e435

SHA256
162bfaae8c5594cc9b1c9e9b0884a218478c49a7bec9bc0074b254f35a587031

SHA512
8e7b7ba850cb3464dee3fdbb748fa738592c8aa298156f6f74fa680c597763868497c3f4389c5c04dafeef2e9f6fa4c1b837894ffcaad537b6b06871f9a82855

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads