97b28ee4fb0d8f90a93210be04e39c935476c9541469a1f79fce6096baf88fdd

Analysis

max time kernel
124s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
31/03/2025, 15:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
Size

10.7MB
MD5

217413ee1e51eedd5ba489deb60a89f6
SHA1

df1a2daff479f787403978542fffcf3708a1abc6
SHA256

97b28ee4fb0d8f90a93210be04e39c935476c9541469a1f79fce6096baf88fdd
SHA512

899fb06a124a253b0c19819ea4936dbeba60f28516e0ea038badc6eac5cbc36d8324405b23012935f5f2b605f4d3643f94816e372d8464af2a11c67f9f10995a
SSDEEP

196608:I+D5q1SGs2yRwtkpqShRBhR3hRbhRmhRBhR1hRq:DAkLRLRxRtRSRLR3Rq

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Erm = "c:\\Windows\\System32\\Erm.exe"	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UUfIbCV = "c:\\Windows\\System32\\UUfIbCV.exe"	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kFUcY = "c:\\Windows\\System32\\kFUcY.exe"	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\desktop.ini	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\Erm.exe	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File created	\??\c:\Windows\System32\UUfIbCV.exe	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File created	\??\c:\Windows\System32\kFUcY.exe	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Formats.Tar.dll.exe	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ppd.xrm-ms	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql70.xsl	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART1.BDR.exe	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEDAO.DLL	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.2.2_2.2.27405.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.UI\Resources\Images\star_qtr.png	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\mesa3d.md.exe	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\ReachFramework.resources.dll.exe	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\SmallTile.scale-200.png.exe	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookWideTile.scale-150.png.exe	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\FetchingMail-Dark.scale-100.png	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-30.png.exe	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHEV.DLL	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Mozilla Firefox\libEGL.dll.exe	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libcdg_plugin.dll.exe	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\SourceAppService.winmd.exe	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\j2pkcs11.dll	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraWideTile.contrast-white_scale-200.png	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Microsoft.Notes.dll.exe	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-GoogleCloudCacheMini.scale-200.png	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-80.png.exe	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\vlc.mo.exe	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kab\LC_MESSAGES\vlc.mo.exe	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\MedTile.scale-125.png.exe	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\RuntimeConfiguration.winmd	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-96_contrast-black.png	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-36_altform-unplated.png.exe	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\PROCDB.XLAM	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-16_altform-lightunplated.png.exe	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.scale-200.png	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Fur.jpg	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\StopwatchSmallTile.contrast-white_scale-200.png.exe	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.NetworkInformation.dll	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Internet Explorer\fr-FR\iexplore.exe.mui	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\CardUIBkg.scale-150.HCWhite.png	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Java\jdk-1.8\bin\serialver.exe.exe	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GFX.DLL.exe	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\eula.dll	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Grace-ppd.xrm-ms	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\concrt140.dll	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-black\WideTile.scale-200.png	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Json.dll.exe	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libspatializer_plugin.dll.exe	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\orcl7.xsl.exe	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_5_Loud.m4a.exe	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-32_altform-unplated_contrast-white.png.exe	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.AppContext.dll	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Globalization.dll	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\resources.pri.exe	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-32.png.exe	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-white\MedTile.scale-200.png.exe	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\PresentationCore.resources.dll	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Windows Defender\de-DE\EppManifest.dll.mui.exe	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\GameBar_AppList.targetsize-24_altform-unplated.png	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linessimple.dotx.exe	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml.exe	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Inquire.dll.exe	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\liblogger_plugin.dll	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalMedTile.scale-125_contrast-black.png	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-48_altform-unplated.png	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\7739_20x20x32.png.exe	2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe

C:\Users\Admin\AppData\Local\Temp\2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-31_217413ee1e51eedd5ba489deb60a89f6_cobalt-strike_poet-rat_sliver_snatch.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip.dll.exe

Filesize
11.3MB

MD5
5b09668c0fb478bd5f3aaacded85ac8f

SHA1
2fd8b64fdb0e01d9ff59864c0d9d80288c3f7e58

SHA256
73f09b0d18931e4510309366cf1dc82d58d20a80f8a8ef6491c08f6944af5841

SHA512
2dcc3ba2d4d9c975c759fc29fcbe4b33e999afe3b000ba6a7a4bbb1617d403e929d054a89e3f268d27a49a7bc653c65dbb7297b2d0b9ba03f7b71604323d8af9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads