d0a4e9a4d5f555b88124d4811ce28b2d8f39d84fb615d6d43c80b72bd966a9bb

Analysis

max time kernel
95s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 03:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-23_ea39944f0d6314a20a56029845e02a4a_poet-rat_snatch.exe
Size

5.8MB
MD5

ea39944f0d6314a20a56029845e02a4a
SHA1

59f0ec70218086e979fac6eaa2f0a8e8a00f87ed
SHA256

d0a4e9a4d5f555b88124d4811ce28b2d8f39d84fb615d6d43c80b72bd966a9bb
SHA512

a0dac17d1a9bb8b6305d7fc85fb3d1f35417eb6ad51ed3e150efdc9b5af367884c0d9a8af1d154194f3452f88101b037aa9419cc039159990e05e138ab7b7839
SSDEEP

49152:vzVnEQO3Cgrb/TbvO90d7HjmAFd4A64nsfJK/pJcBMfDF/4q4quspdkg6KhdvZfE:23C0/3x4rKhd0TEiN

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4716	ChromeUpdateTaskMachinCore.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe	2024-08-23_ea39944f0d6314a20a56029845e02a4a_poet-rat_snatch.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2024-08-23_ea39944f0d6314a20a56029845e02a4a_poet-rat_snatch.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2024-08-23_ea39944f0d6314a20a56029845e02a4a_poet-rat_snatch.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	2024-08-23_ea39944f0d6314a20a56029845e02a4a_poet-rat_snatch.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4760	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3916	2024-08-23_ea39944f0d6314a20a56029845e02a4a_poet-rat_snatch.exe
3916	2024-08-23_ea39944f0d6314a20a56029845e02a4a_poet-rat_snatch.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3916 wrote to memory of 4760	3916	2024-08-23_ea39944f0d6314a20a56029845e02a4a_poet-rat_snatch.exe	87
PID 3916 wrote to memory of 4760	3916	2024-08-23_ea39944f0d6314a20a56029845e02a4a_poet-rat_snatch.exe	87
PID 3916 wrote to memory of 3104	3916	2024-08-23_ea39944f0d6314a20a56029845e02a4a_poet-rat_snatch.exe	90
PID 3916 wrote to memory of 3104	3916	2024-08-23_ea39944f0d6314a20a56029845e02a4a_poet-rat_snatch.exe	90
PID 3104 wrote to memory of 4716	3104	cmd.exe	92
PID 3104 wrote to memory of 4716	3104	cmd.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2024-08-23_ea39944f0d6314a20a56029845e02a4a_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-23_ea39944f0d6314a20a56029845e02a4a_poet-rat_snatch.exe"
1⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3916
- C:\Windows\system32\schtasks.exe
  C:\Windows\system32\schtasks.exe /CREATE /XML C:\Users\Admin\AppData\Local\Temp\GGxtGxUiX /F /TN ChromeUpdateTaskMachinCore
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4760
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c "C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3104
- - C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe
    "C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe"
    3⤵
    - Executes dropped EXE
    PID:4716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe

Filesize
5.8MB

MD5
20a107e92b29e17c42ac07e7723f20b2

SHA1
75162694cda93b904a38897f93a0619a3c83cd44

SHA256
258b62deffde8736d985a70b135e184be0f714cebdb5d6a79bec7fdaeade2ceb

SHA512
3192d6703248f93e042499b9b809595f6128ed91d92ebad348c4d100118e0109beb6c5ba8d95582896d59e07f1f51f43809e35eac578f993ca113a87dcf5de58

Download Submit
C:\Users\Admin\AppData\Local\Temp\GGxtGxUiX

Filesize
1KB

MD5
ca6b088a8930f44a4a1630219a320726

SHA1
34ccfc2b776dcb4bdccf38799c38ac95c52ce807

SHA256
1e34e95eae04e12c1ebecbf19e1eb774280a1a85afbc0feaa202757c0dbeb829

SHA512
8ce083b3b141eb80a51ed808d57ce0852a3e6453a8c607b01fa51b474b311096a12b8c3e115cdc866cdb9f5890414e2ed2a276e8d62b7495924e3c1a4e816e1e

Download Submit