561904f7b07ff182cd9e15ff15567341644a4756bb50854cafe9ce8192d5fda6

Analysis

max time kernel
146s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30/03/2025, 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
Size

9.8MB
MD5

48667d0bf92ec8eb90045aaccb4fa65a
SHA1

7a3c1967556b8a8eb00a982fe3a6797f12219023
SHA256

561904f7b07ff182cd9e15ff15567341644a4756bb50854cafe9ce8192d5fda6
SHA512

acc29e23bfa633aa0e20cd0e6a6df58f30bfe4d6a7ad2d8970bce90bcd7ac89be8bb3062c7146b7e8773ad365263ec5a206a8e01c8468fcbedfb86ebc7fdf646
SSDEEP

196608:I+D5q1SGs2yRwtkpqShRBhR3hREhRbhR2hRn:DAkLRLRxRYRtRiRn

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1204	Process not Found

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cg = "c:\\Windows\\System32\\Cg.exe"	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qEEuwZEKr = "c:\\Windows\\System32\\qEEuwZEKr.exe"	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "c:\\Windows\\System32\\.exe"	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe

Drops desktop.ini file(s) 9 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Microsoft Games\Chess\desktop.ini	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Microsoft Games\Hearts\desktop.ini	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\desktop.ini	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\Cg.exe	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File created	\??\c:\Windows\System32\qEEuwZEKr.exe	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File created	\??\c:\Windows\System32\.exe	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\Shared\Filters.xml.exe	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\LINEAR_RGB.pf	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome.dll.sig.exe	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\.eclipseproduct	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt_0.12.100.v20140530-1436.jar.exe	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.preferences_3.5.200.v20140224-1527.jar.exe	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-core-output2.xml_hidden	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libugly_resampler_plugin.dll	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_down_BIDI.png	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Mendoza.exe	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+6	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\librist_plugin.dll.exe	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.xml	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_ja_4.4.0.v20140623020002.jar	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.nl_zh_4.4.0.v20140623020002.jar	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Lima.exe	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssv.dll.exe	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.xml.exe	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application-views_ja.jar	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Java\jre7\lib\zi\Atlantic\Azores.exe	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libequalizer_plugin.dll.exe	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Windows Journal\it-IT\Journal.exe.mui	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_settings.png	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\1.png	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_ButtonGraphic.png	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy.jar.exe	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_preferencestyle.css	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Java\jre7\bin\instrument.dll.exe	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\equalizer_window.html	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libprefetch_plugin.dll	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_s.png.exe	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-border.png	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Amman	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_zh_4.4.0.v20140623020002.jar.exe	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_classic_win7.css	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-execution_zh_CN.jar	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\profilerinterface.dll	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Makassar	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\base-docked.png	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\7-Zip\Lang\mk.txt.exe	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\af.pak.exe	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Nassau.exe	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Java\jre7\lib\rt.jar.exe	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libmpgv_plugin.dll.exe	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\drag.png.exe	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\PST8PDT	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macGrey.png	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Indian\Reunion	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ie\LC_MESSAGES\vlc.mo	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_h264_plugin.dll.exe	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Windows Defender\ja-JP\MsMpRes.dll.mui.exe	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\gadget.xml	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\weather.css.exe	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\7-Zip\Lang\ca.txt.exe	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ca.pak.exe	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Qatar	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\console_view.png	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core_zh_CN.jar.exe	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\bckgzm.exe.mui	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe.exe	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\JAWTAccessBridge-64.dll.exe	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-oql_zh_CN.jar.exe	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\messages_fr.properties	2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe

C:\Users\Admin\AppData\Local\Temp\2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-30_48667d0bf92ec8eb90045aaccb4fa65a_cobalt-strike_poet-rat_sliver_snatch.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip32.dll

Filesize
10.5MB

MD5
2fcdec7d1bc6173c34d7caf709992012

SHA1
da8fe6966aff7e523ce67a57064d540e67c3fdb3

SHA256
a971c1abd217e6e81d9d21693ff36b35936a8f21d26ebeca270e05a72a1375b7

SHA512
79d8840899e5dfeabc751dcc82720a105e126b409ab8dd394381712c8c100fafdeaf1a813c43a496c29dda4a43b2fa03e865ad51a5578d01b60b474ca1281eb5

Download Submit
\Program Files\Common Files\Microsoft Shared\OFFICE14\msoshext.dll

Filesize
10.5MB

MD5
2bb94f8c44c4e0038d7a4e6d8fcaa7f5

SHA1
24f22dded0d637744e0569271e38596a6b5387c9

SHA256
c4d2b56d174b65587207b77abaca49e80696d4e6ae03a2c2fac7b3a67183d013

SHA512
35693f0d03ff67558b4c2a82c347e4a62e6b5c520fd1f5cb01ae1a61fb49a1756986bb1b346b05b70de06e6b0c2444ec9548bd8627e9d9641f0a00e9eaee6985

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads