105777247cf3bafe07e3226553e2af052e4efb152aba509eb62aed393725c6dc

Analysis

max time kernel
147s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19/06/2024, 20:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-19_30aeba9f1d4fbdc0c6b91cab736c497f_poet-rat_snatch.exe
Size

5.8MB
MD5

30aeba9f1d4fbdc0c6b91cab736c497f
SHA1

e8f4022a76de554691c479507732fafad8f7252d
SHA256

105777247cf3bafe07e3226553e2af052e4efb152aba509eb62aed393725c6dc
SHA512

41bff9766d85a627250891f6d063f5385f4aa5499a92c3d915cfc5943ad4435acda5d212f5e53f49868cf685735f19b9da88423c1fcb577594c700e1283f49cf
SSDEEP

49152:vzlnEcO3Cgrb/TbvO90d7HjmAFd4A64nsfJa/pJMBMvDF/4q4auspdkgKKhdvZfg:63CE/Xx4LKhdkSESp

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
232	ChromeUpdateTaskMachinCore.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe	2024-06-19_30aeba9f1d4fbdc0c6b91cab736c497f_poet-rat_snatch.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2024-06-19_30aeba9f1d4fbdc0c6b91cab736c497f_poet-rat_snatch.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2024-06-19_30aeba9f1d4fbdc0c6b91cab736c497f_poet-rat_snatch.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	2024-06-19_30aeba9f1d4fbdc0c6b91cab736c497f_poet-rat_snatch.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3016	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
936	2024-06-19_30aeba9f1d4fbdc0c6b91cab736c497f_poet-rat_snatch.exe
936	2024-06-19_30aeba9f1d4fbdc0c6b91cab736c497f_poet-rat_snatch.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 936 wrote to memory of 3016	936	2024-06-19_30aeba9f1d4fbdc0c6b91cab736c497f_poet-rat_snatch.exe	84
PID 936 wrote to memory of 3016	936	2024-06-19_30aeba9f1d4fbdc0c6b91cab736c497f_poet-rat_snatch.exe	84
PID 936 wrote to memory of 3656	936	2024-06-19_30aeba9f1d4fbdc0c6b91cab736c497f_poet-rat_snatch.exe	86
PID 936 wrote to memory of 3656	936	2024-06-19_30aeba9f1d4fbdc0c6b91cab736c497f_poet-rat_snatch.exe	86
PID 3656 wrote to memory of 232	3656	cmd.exe	88
PID 3656 wrote to memory of 232	3656	cmd.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2024-06-19_30aeba9f1d4fbdc0c6b91cab736c497f_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-19_30aeba9f1d4fbdc0c6b91cab736c497f_poet-rat_snatch.exe"
1⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:936
- C:\Windows\system32\schtasks.exe
  C:\Windows\system32\schtasks.exe /CREATE /XML C:\Users\Admin\AppData\Local\Temp\jAYAHy /F /TN ChromeUpdateTaskMachinCore
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3016
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c "C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3656
- - C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe
    "C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe"
    3⤵
    - Executes dropped EXE
    PID:232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe

Filesize
5.8MB

MD5
98c350cae27f23679bd5c6310bbcb07f

SHA1
c982d077225be48a800f6b0287d1d05bb6be04ec

SHA256
5644b020e97c8df198cd2c8fc27e36984ad88417dde6a1e76e1fb4711f453f0c

SHA512
6d782542b19de47adf0b6b084c7a54a2ce8c2f5c87a275eaba2ccfe15c5bf7d631868e8410b2dea678fb54466d1d603619cfbf26f5aaa3ef2ad67c2b86add196

Download Submit
C:\Users\Admin\AppData\Local\Temp\jAYAHy

Filesize
1KB

MD5
d020efe5e1fbecc868c3bbfeb6cc8ea5

SHA1
c68915b3b5aec1e8eb5bef6e9f7e7b8fd5416a6b

SHA256
b4dfb6dba7bc3f47b2ab7ae9abfad2310a899fccd6cad086391457d56a7cfd5c

SHA512
c4e0f40f76fa3343f3220fdd26b5c327e4662d97d4f75b24e64c0349fddf457428d1c9c840edb828308a776d10acd49ee4e572269bcdb602ef95a736aec17184

Download Submit