Analysis
-
max time kernel
150s -
max time network
112s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system -
submitted
21/03/2025, 08:01
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
Resource
win7-20250207-en
windows7-x64
4 signatures
150 seconds
Behavioral task
behavioral2
Sample
2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
Resource
win10v2004-20250314-en
windows10-2004-x64
4 signatures
150 seconds
General
-
Target
2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
-
Size
10.4MB
-
MD5
9282b9c6cae1582190963583c43102af
-
SHA1
bb37f1efbf8793e0126dc958851b2bf2f3917235
-
SHA256
761181dec1d22dc212a6592cbe459950cc59101a2a7c503e92ea32eb1f2a85ce
-
SHA512
109c7feb589cb32cec4f10431b509364e5fb0c27075950241cc17c9cb80b27ee3c98e6157c25d21192fa82a433b9edff903ffdb2d7a31ea47fd3da1159014038
-
SSDEEP
196608:I+D5q1SGs2yRwtkpqShRBhRhhRQhRWhRkhRWhRw:DAkLRLRrRMRCR4RCRw
Score
6/10
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tLeC = "c:\\Windows\\System32\\tLeC.exe" 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QjMjLixw = "c:\\Windows\\System32\\QjMjLixw.exe" 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ETdEUhfc = "c:\\Windows\\System32\\ETdEUhfc.exe" 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe -
Drops desktop.ini file(s) 2 IoCs
description ioc Process File created C:\Program Files\desktop.ini 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe -
Drops file in System32 directory 3 IoCs
description ioc Process File created \??\c:\Windows\System32\ETdEUhfc.exe 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File created \??\c:\Windows\System32\tLeC.exe 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File created \??\c:\Windows\System32\QjMjLixw.exe 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CANYON\PREVIEW.GIF 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\SplashWideTile.scale-200_contrast-black.png 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\SkypeTile.scale-100_contrast-white.png 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-200_contrast-black.png.exe 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-48_altform-unplated_contrast-black.png.exe 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-20_altform-unplated.png.exe 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomSetupDisambig_RoomScale.jpg.exe 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\CalculatorMedTile.contrast-white_scale-100.png.exe 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Threading.AccessControl.dll 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hu-hu.dll 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ppd.xrm-ms 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Grace-ppd.xrm-ms.exe 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\bn-BD\View3d\3DViewerProductDescription-universal.xml.exe 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-16_altform-unplated_contrast-black.png 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-32_altform-unplated.png 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Input.Manipulations.resources.dll 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File created C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InkObj.dll.mui 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-256_altform-unplated_contrast-white.png 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailLargeTile.scale-100.png.exe 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File created C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\ShouldNotBe.snippets.ps1xml.exe 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Data.DataSetExtensions.dll.exe 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\1850_40x40x32.png.exe 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\MicrosoftAccount.scale-100.png 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Microsoft.Apps.People.BackgroundTasks.winmd.exe 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-200.png 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerElevatedAppServiceClient.exe.exe 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml.exe 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\SplashScreen.scale-200_contrast-black.png.exe 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailMediumTile.scale-400.png.exe 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\PresentationFramework.resources.dll 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.ServiceModel.Resources.dll.exe 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Spacer\8px.png 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-36_altform-unplated_contrast-black.png 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-30_contrast-black.png 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.Concurrent.dll 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageStoreLogo.scale-125_contrast-white.png 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-60_altform-unplated.png.exe 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-200_contrast-white.png 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libhqdn3d_plugin.dll 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-36_altform-lightunplated.png.exe 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File opened for modification C:\Program Files\7-Zip\History.txt 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File created C:\Program Files\Common Files\System\Ole DB\it-IT\sqlxmlx.rll.mui.exe 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0.dll.exe 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-pl.xrm-ms 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\AdeModule.dll 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml.exe 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\BadgeLogo.scale-200_contrast-white.png.exe 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsSplashScreen.contrast-black_scale-100.png 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-math-l1-1-0.dll.exe 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File created C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\vlc.mo.exe 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-80_contrast-black.png.exe 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Advanced-Light.scale-125.png.exe 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\LargeTile.scale-200.png 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Globalization.dll.exe 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.Native.dll.exe 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\ro\msipc.dll.mui 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\WideTile.scale-125.png 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.Linq.dll.exe 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\OFFSYMK.TTF 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-80_altform-colorize.png.exe 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-256_altform-unplated.png 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ul-phn.xrm-ms.exe 2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe"C:\Users\Admin\AppData\Local\Temp\2025-03-21_9282b9c6cae1582190963583c43102af_cobalt-strike_ezcob_poet-rat_sliver_snatch.exe"1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
PID:5756
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11.2MB
MD595147624975e7ce0e5aed7d1ac9fe382
SHA1a5f4ebff3323c9f19992b23f516bed084c2193e6
SHA256740314d60a5c9117514a2d51e2f7881deb4bed778ce49235c2fa25f5e14fe868
SHA512e8a2ef38c4556c16b783fb8520094a432900e2826aa758c954af37d286fa25d022f329b22bdae076b320d2a3223fadd21a5ab73f5700a65e902f718c4c475421