e34688337188b0f3b100478d1f8d851df92fac8ee8cd45f341a5975affe57c6d

Analysis

max time kernel
144s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
31/03/2025, 15:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
Size

9.9MB
MD5

f37a98a2c85d7320a9ed6d27e1b62b24
SHA1

6892c0a632d00c56e8cacca734e50ec9f36ce140
SHA256

e34688337188b0f3b100478d1f8d851df92fac8ee8cd45f341a5975affe57c6d
SHA512

495b39cca67baad5e4de54cca71bfd17fb2420a0a57112e933cbfbd2b66aa108bd1b07a3b8da292d77992f687714c762e8f47d66d72fbedf41e91142d6c60ba1
SSDEEP

196608:I+D5q1SGs2yRwtkpqShRBhR3hRbhRJhR2hR7:DAkLRLRxRtRDRiR7

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 6 IoCs

pid	Process
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\siNdhX = "c:\\Windows\\System32\\siNdhX.exe"	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "c:\\Windows\\System32\\.exe"	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GUz = "c:\\Windows\\System32\\GUz.exe"	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\desktop.ini	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\siNdhX.exe	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	\??\c:\Windows\System32\.exe	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	\??\c:\Windows\System32\GUz.exe	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\msmdsrvi.rll	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-96.png	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\AppxSignature.p7x.exe	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\Assets\xbox_live_logo_black.png.exe	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\LargeTile.scale-125.png	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\onboarding\landing_page_search_for_friends_v1.png	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_ar.json	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-ul-phn.xrm-ms	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookLargeTile.scale-400.png	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Store.Purchase\Controls\Xbox360PurchaseHostPage.html.exe	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-200_contrast-white.png	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-64_altform-unplated.png.exe	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\ReachFramework.resources.dll	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\af-ZA\View3d\3DViewerProductDescription-universal.xml.exe	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-64_altform-unplated_contrast-black.png	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp6.scale-100.png	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-72_altform-unplated_contrast-white.png.exe	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-64_altform-unplated_contrast-white.png	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-36.png.exe	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Google\Chrome\Application\133.0.6943.60\vk_swiftshader.dll.exe	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-48_altform-unplated_contrast-black.png	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\WideTile.scale-400.png.exe	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-256_contrast-white.png	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-100_contrast-black.png	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyShare.scale-100.png.exe	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\WindowsFormsIntegration.resources.dll.exe	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-pl.xrm-ms.exe	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-pl.xrm-ms	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\LargeTile.scale-125.png.exe	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-256_contrast-white.png	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\clretwrc.dll.exe	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationClient.resources.dll.exe	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DocumentFormat.OpenXml.dll.exe	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\Json\EmailAction-AdaptiveCard.json.exe	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\PhotosApp\Assets\ThirdPartyNotices\ThirdPartyNotices.html	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\MedTile.scale-100.png.exe	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\SuggestionsService\FavoriteLight.png.exe	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ObjectModel.dll	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\PresentationCore.resources.dll.exe	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\StopwatchSmallTile.contrast-black_scale-200.png.exe	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Advanced-Dark.scale-100.png.exe	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XmlDocument.dll	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\concrt140.dll	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Lollipop.png.exe	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Programmer.targetsize-24_contrast-white.png.exe	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\sqlxmlx.rll.mui	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-100.png	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\rsod\osmuxmui.msi.16.en-us.boot.tree.dat.exe	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\EXPSRV.DLL.exe	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedAppList.scale-200.png	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Common Files\System\ado\msado25.tlb.exe	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\xlsrvintl.dll	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailLargeTile.scale-100.png	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeMediumTile.scale-100.png	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-white\SmallTile.scale-125.png.exe	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\MyOffice.winmd	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailSmallTile.scale-100.png	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\7-Zip\Uninstall.exe.exe	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ar\msipc.dll.mui.exe	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\manifest.xml	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_6_Loud.m4a.exe	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-black_targetsize-48.png.exe	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-20_altform-unplated.png.exe	2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe

C:\Users\Admin\AppData\Local\Temp\2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-31_f37a98a2c85d7320a9ed6d27e1b62b24_cobalt-strike_poet-rat_sliver_snatch.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
PID:224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip.dll.exe

Filesize
10.6MB

MD5
463d0518237511fa6d0cb1aabc910dd6

SHA1
bc55ba10f5ab24a21f93d7470c94ba55f1d2c54d

SHA256
75ee75a833842efecf0044b5e8f19723aa84dc0f8dc3819d0f07af9df8bb0b30

SHA512
22de577095b049c0e1a4b5e8d76e78a44c5aa8937a94e434295f52ec5434e9acb35cb3da8f5e18b9095a017fb565dc6acdbfe53a44db9e7e4ee7e1b956e37f22

Download Submit
C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL

Filesize
10.6MB

MD5
1e89bb0686125d91d37680e7e67f3217

SHA1
21ccbb5a263154f138f04c37833f863407c6a9eb

SHA256
cd50f9322ff8cdd91067fbfcf50c81193f56cdeb87debc023464d03d85257ef2

SHA512
8b9e284caa782b9147fd2d6045f8eede2e2303f95d3147ede0c576be03d9156fc26342f518b0d6464af81afdf014ab83c275208f1b04ce371cc68d5ec9e8e33e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads