105777247cf3bafe07e3226553e2af052e4efb152aba509eb62aed393725c6dc

General

Target

2024-06-19_30aeba9f1d4fbdc0c6b91cab736c497f_poet-rat_snatch.exe
Size

5.8MB
MD5

30aeba9f1d4fbdc0c6b91cab736c497f
SHA1

e8f4022a76de554691c479507732fafad8f7252d
SHA256

105777247cf3bafe07e3226553e2af052e4efb152aba509eb62aed393725c6dc
SHA512

41bff9766d85a627250891f6d063f5385f4aa5499a92c3d915cfc5943ad4435acda5d212f5e53f49868cf685735f19b9da88423c1fcb577594c700e1283f49cf
SSDEEP

49152:vzlnEcO3Cgrb/TbvO90d7HjmAFd4A64nsfJa/pJMBMvDF/4q4auspdkgKKhdvZfg:63CE/Xx4LKhdkSESp

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1288	ChromeUpdateTaskMachinCore.exe

Loads dropped DLL 2 IoCs

pid	Process
2792	cmd.exe
2792	cmd.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe	2024-06-19_30aeba9f1d4fbdc0c6b91cab736c497f_poet-rat_snatch.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2024-06-19_30aeba9f1d4fbdc0c6b91cab736c497f_poet-rat_snatch.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2024-06-19_30aeba9f1d4fbdc0c6b91cab736c497f_poet-rat_snatch.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	2024-06-19_30aeba9f1d4fbdc0c6b91cab736c497f_poet-rat_snatch.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2868	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2412	2024-06-19_30aeba9f1d4fbdc0c6b91cab736c497f_poet-rat_snatch.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 2868	2412	2024-06-19_30aeba9f1d4fbdc0c6b91cab736c497f_poet-rat_snatch.exe	28
PID 2412 wrote to memory of 2868	2412	2024-06-19_30aeba9f1d4fbdc0c6b91cab736c497f_poet-rat_snatch.exe	28
PID 2412 wrote to memory of 2868	2412	2024-06-19_30aeba9f1d4fbdc0c6b91cab736c497f_poet-rat_snatch.exe	28
PID 2412 wrote to memory of 2792	2412	2024-06-19_30aeba9f1d4fbdc0c6b91cab736c497f_poet-rat_snatch.exe	30
PID 2412 wrote to memory of 2792	2412	2024-06-19_30aeba9f1d4fbdc0c6b91cab736c497f_poet-rat_snatch.exe	30
PID 2412 wrote to memory of 2792	2412	2024-06-19_30aeba9f1d4fbdc0c6b91cab736c497f_poet-rat_snatch.exe	30
PID 2792 wrote to memory of 1288	2792	cmd.exe	32
PID 2792 wrote to memory of 1288	2792	cmd.exe	32
PID 2792 wrote to memory of 1288	2792	cmd.exe	32

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2024-06-19_30aeba9f1d4fbdc0c6b91cab736c497f_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-19_30aeba9f1d4fbdc0c6b91cab736c497f_poet-rat_snatch.exe"
1⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\system32\schtasks.exe
  C:\Windows\system32\schtasks.exe /CREATE /XML C:\Users\Admin\AppData\Local\Temp\mbRCP /F /TN ChromeUpdateTaskMachinCore
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2868
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c "C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe
    "C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe"
    3⤵
    - Executes dropped EXE
    PID:1288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mbRCP

Filesize
1KB

MD5
e05369c9acb1244c3c764d0170c14cfc

SHA1
d5731a0b1a8c0070e5c5fa77816142175a049432

SHA256
3b92689de15f88b9d6747a2c0121507feeb75c211e717331214976cc8772f2b7

SHA512
bf25f95723b71e611524b057d24ea172e2e9f816796c17d15384da8c731224d3b990a9728104c3c0bb61ea4a597e6a5163874af4c77d0b2789b9e97abaf8422c

Download Submit
\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe

Filesize
5.8MB

MD5
24435a638917deff7773f3974b141046

SHA1
0b9df73aba105e77ab0ad94c6fa3804b39b69e5d

SHA256
446491592a6920c291749def121428f1ba2547607a1f2460047249c916961dc0

SHA512
af9457e6725aa7f295dc3899fa3c47615a387af4a9d6235bdd4de6f66532c16a1350f2641a5302b6bd6f739dd458bf9acbef100c59454b5afb73246c108a5eb4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads