b8e2f21878a60ba548f965444cc63ab169ec3e485bfc52fe31ff5ba897cdfa25

Analysis

max time kernel
95s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2024, 00:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-02_581df2068c5535d0429b4e137e93638f_poet-rat_snatch.exe
Size

5.5MB
MD5

581df2068c5535d0429b4e137e93638f
SHA1

b9e830ea94331e7de2af3068b5976318fe8783ae
SHA256

b8e2f21878a60ba548f965444cc63ab169ec3e485bfc52fe31ff5ba897cdfa25
SHA512

4711f9b3c3d48cceacb0c3df7dba90fe1da3fbff156ef205fd2b86d900c1059768c847e2c9d7ad4a9b44958488f546bbebc831bf709a93345badc03568d97f61
SSDEEP

49152:WZuofzpBRenRLWZemECXQx2jqhwWUgp+35EM3qqFip52Zn5wSb:W3leRd7CPqhwWGEugpAQSb

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1680	WMIC.exe
Token: SeSecurityPrivilege	1680	WMIC.exe
Token: SeTakeOwnershipPrivilege	1680	WMIC.exe
Token: SeLoadDriverPrivilege	1680	WMIC.exe
Token: SeSystemProfilePrivilege	1680	WMIC.exe
Token: SeSystemtimePrivilege	1680	WMIC.exe
Token: SeProfSingleProcessPrivilege	1680	WMIC.exe
Token: SeIncBasePriorityPrivilege	1680	WMIC.exe
Token: SeCreatePagefilePrivilege	1680	WMIC.exe
Token: SeBackupPrivilege	1680	WMIC.exe
Token: SeRestorePrivilege	1680	WMIC.exe
Token: SeShutdownPrivilege	1680	WMIC.exe
Token: SeDebugPrivilege	1680	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1680	WMIC.exe
Token: SeRemoteShutdownPrivilege	1680	WMIC.exe
Token: SeUndockPrivilege	1680	WMIC.exe
Token: SeManageVolumePrivilege	1680	WMIC.exe
Token: 33	1680	WMIC.exe
Token: 34	1680	WMIC.exe
Token: 35	1680	WMIC.exe
Token: 36	1680	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1680	WMIC.exe
Token: SeSecurityPrivilege	1680	WMIC.exe
Token: SeTakeOwnershipPrivilege	1680	WMIC.exe
Token: SeLoadDriverPrivilege	1680	WMIC.exe
Token: SeSystemProfilePrivilege	1680	WMIC.exe
Token: SeSystemtimePrivilege	1680	WMIC.exe
Token: SeProfSingleProcessPrivilege	1680	WMIC.exe
Token: SeIncBasePriorityPrivilege	1680	WMIC.exe
Token: SeCreatePagefilePrivilege	1680	WMIC.exe
Token: SeBackupPrivilege	1680	WMIC.exe
Token: SeRestorePrivilege	1680	WMIC.exe
Token: SeShutdownPrivilege	1680	WMIC.exe
Token: SeDebugPrivilege	1680	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1680	WMIC.exe
Token: SeRemoteShutdownPrivilege	1680	WMIC.exe
Token: SeUndockPrivilege	1680	WMIC.exe
Token: SeManageVolumePrivilege	1680	WMIC.exe
Token: 33	1680	WMIC.exe
Token: 34	1680	WMIC.exe
Token: 35	1680	WMIC.exe
Token: 36	1680	WMIC.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 1264	4900	2024-09-02_581df2068c5535d0429b4e137e93638f_poet-rat_snatch.exe	97
PID 4900 wrote to memory of 1264	4900	2024-09-02_581df2068c5535d0429b4e137e93638f_poet-rat_snatch.exe	97
PID 1264 wrote to memory of 3832	1264	wscript.exe	98
PID 1264 wrote to memory of 3832	1264	wscript.exe	98
PID 3832 wrote to memory of 1680	3832	cmd.exe	100
PID 3832 wrote to memory of 1680	3832	cmd.exe	100
PID 3832 wrote to memory of 4544	3832	cmd.exe	101
PID 3832 wrote to memory of 4544	3832	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\2024-09-02_581df2068c5535d0429b4e137e93638f_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-02_581df2068c5535d0429b4e137e93638f_poet-rat_snatch.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Windows\system32\wscript.exe
  wscript C:\Users\Admin\AppData\Local\Temp\VNCfkiwgXI.vbs C:\Users\Admin\AppData\Local\Temp\VNCfkiwgXI.bat
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VNCfkiwgXI.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3832
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic diskdrive get Model
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1680
  - - C:\Windows\system32\findstr.exe
      findstr /i "DADY HARDDISK QEMU HARDDISK WDC WDS100T2B0A"
      4⤵
      PID:4544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\VNCfkiwgXI.bat

Filesize
4.6MB

MD5
9bf5c2275136e0fe6e236d18ff8c67a0

SHA1
8744929dc3121c624ef833391becef5d4dfb4475

SHA256
e1cce1a593323581b628fa0534445aaca9f7a55ccc5146d351da92dddeffb089

SHA512
049fb0ef4da1c415ac7ac55c648b4926e6ad2f4ff77dc1021f06081dfa12e6f2c87fe6b7c1c40de4dd52ae717b16b6e95fdf7496f4640c145fee80c023c31a38

Download Submit
C:\Users\Admin\AppData\Local\Temp\VNCfkiwgXI.vbs

Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit