5e77c4173f4d62c743f2bfdc62171a6683f7d96c2cb4e07c74501ccdcfd51648

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 07:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-08_843e4ded288cb6c2d49354d9720c9c20_poet-rat_snatch.exe
Size

5.7MB
MD5

843e4ded288cb6c2d49354d9720c9c20
SHA1

3684943f072c15f9a921eea43b90725bd49d6494
SHA256

5e77c4173f4d62c743f2bfdc62171a6683f7d96c2cb4e07c74501ccdcfd51648
SHA512

6ddfadf72dd858a89df92a8a417a753e1c1e6646c2e5f317d98eba835b5fe0928d8b8dd04082ccceafb4689b4c164e3e0e2a4f2b2de07bcd2d1bb21f0923adce
SSDEEP

49152:IcsPfKNi61VBb06GTDmWCWuAatNBCHdZvAI5wKKjb5EALmqqFGamVb7ptxedfs3k:/TVoAKdZvEEueQa2p4f2k

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	wscript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
11	raw.githubusercontent.com
12	raw.githubusercontent.com

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
4964	tasklist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3760	wmic.exe
1556	wmic.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4548	reg.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3544	2024-09-08_843e4ded288cb6c2d49354d9720c9c20_poet-rat_snatch.exe
3544	2024-09-08_843e4ded288cb6c2d49354d9720c9c20_poet-rat_snatch.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2464	wmic.exe
Token: SeSecurityPrivilege	2464	wmic.exe
Token: SeTakeOwnershipPrivilege	2464	wmic.exe
Token: SeLoadDriverPrivilege	2464	wmic.exe
Token: SeSystemProfilePrivilege	2464	wmic.exe
Token: SeSystemtimePrivilege	2464	wmic.exe
Token: SeProfSingleProcessPrivilege	2464	wmic.exe
Token: SeIncBasePriorityPrivilege	2464	wmic.exe
Token: SeCreatePagefilePrivilege	2464	wmic.exe
Token: SeBackupPrivilege	2464	wmic.exe
Token: SeRestorePrivilege	2464	wmic.exe
Token: SeShutdownPrivilege	2464	wmic.exe
Token: SeDebugPrivilege	2464	wmic.exe
Token: SeSystemEnvironmentPrivilege	2464	wmic.exe
Token: SeRemoteShutdownPrivilege	2464	wmic.exe
Token: SeUndockPrivilege	2464	wmic.exe
Token: SeManageVolumePrivilege	2464	wmic.exe
Token: 33	2464	wmic.exe
Token: 34	2464	wmic.exe
Token: 35	2464	wmic.exe
Token: 36	2464	wmic.exe
Token: SeIncreaseQuotaPrivilege	2464	wmic.exe
Token: SeSecurityPrivilege	2464	wmic.exe
Token: SeTakeOwnershipPrivilege	2464	wmic.exe
Token: SeLoadDriverPrivilege	2464	wmic.exe
Token: SeSystemProfilePrivilege	2464	wmic.exe
Token: SeSystemtimePrivilege	2464	wmic.exe
Token: SeProfSingleProcessPrivilege	2464	wmic.exe
Token: SeIncBasePriorityPrivilege	2464	wmic.exe
Token: SeCreatePagefilePrivilege	2464	wmic.exe
Token: SeBackupPrivilege	2464	wmic.exe
Token: SeRestorePrivilege	2464	wmic.exe
Token: SeShutdownPrivilege	2464	wmic.exe
Token: SeDebugPrivilege	2464	wmic.exe
Token: SeSystemEnvironmentPrivilege	2464	wmic.exe
Token: SeRemoteShutdownPrivilege	2464	wmic.exe
Token: SeUndockPrivilege	2464	wmic.exe
Token: SeManageVolumePrivilege	2464	wmic.exe
Token: 33	2464	wmic.exe
Token: 34	2464	wmic.exe
Token: 35	2464	wmic.exe
Token: 36	2464	wmic.exe
Token: SeIncreaseQuotaPrivilege	3760	wmic.exe
Token: SeSecurityPrivilege	3760	wmic.exe
Token: SeTakeOwnershipPrivilege	3760	wmic.exe
Token: SeLoadDriverPrivilege	3760	wmic.exe
Token: SeSystemProfilePrivilege	3760	wmic.exe
Token: SeSystemtimePrivilege	3760	wmic.exe
Token: SeProfSingleProcessPrivilege	3760	wmic.exe
Token: SeIncBasePriorityPrivilege	3760	wmic.exe
Token: SeCreatePagefilePrivilege	3760	wmic.exe
Token: SeBackupPrivilege	3760	wmic.exe
Token: SeRestorePrivilege	3760	wmic.exe
Token: SeShutdownPrivilege	3760	wmic.exe
Token: SeDebugPrivilege	3760	wmic.exe
Token: SeSystemEnvironmentPrivilege	3760	wmic.exe
Token: SeRemoteShutdownPrivilege	3760	wmic.exe
Token: SeUndockPrivilege	3760	wmic.exe
Token: SeManageVolumePrivilege	3760	wmic.exe
Token: 33	3760	wmic.exe
Token: 34	3760	wmic.exe
Token: 35	3760	wmic.exe
Token: 36	3760	wmic.exe
Token: SeIncreaseQuotaPrivilege	3760	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3544 wrote to memory of 2464	3544	2024-09-08_843e4ded288cb6c2d49354d9720c9c20_poet-rat_snatch.exe	84
PID 3544 wrote to memory of 2464	3544	2024-09-08_843e4ded288cb6c2d49354d9720c9c20_poet-rat_snatch.exe	84
PID 3544 wrote to memory of 4548	3544	2024-09-08_843e4ded288cb6c2d49354d9720c9c20_poet-rat_snatch.exe	87
PID 3544 wrote to memory of 4548	3544	2024-09-08_843e4ded288cb6c2d49354d9720c9c20_poet-rat_snatch.exe	87
PID 3544 wrote to memory of 3760	3544	2024-09-08_843e4ded288cb6c2d49354d9720c9c20_poet-rat_snatch.exe	90
PID 3544 wrote to memory of 3760	3544	2024-09-08_843e4ded288cb6c2d49354d9720c9c20_poet-rat_snatch.exe	90
PID 3544 wrote to memory of 1556	3544	2024-09-08_843e4ded288cb6c2d49354d9720c9c20_poet-rat_snatch.exe	92
PID 3544 wrote to memory of 1556	3544	2024-09-08_843e4ded288cb6c2d49354d9720c9c20_poet-rat_snatch.exe	92
PID 3544 wrote to memory of 4964	3544	2024-09-08_843e4ded288cb6c2d49354d9720c9c20_poet-rat_snatch.exe	96
PID 3544 wrote to memory of 4964	3544	2024-09-08_843e4ded288cb6c2d49354d9720c9c20_poet-rat_snatch.exe	96
PID 3544 wrote to memory of 3804	3544	2024-09-08_843e4ded288cb6c2d49354d9720c9c20_poet-rat_snatch.exe	102
PID 3544 wrote to memory of 3804	3544	2024-09-08_843e4ded288cb6c2d49354d9720c9c20_poet-rat_snatch.exe	102
PID 3804 wrote to memory of 628	3804	wscript.exe	103
PID 3804 wrote to memory of 628	3804	wscript.exe	103
PID 628 wrote to memory of 2224	628	cmd.exe	105
PID 628 wrote to memory of 2224	628	cmd.exe	105
PID 628 wrote to memory of 2256	628	cmd.exe	106
PID 628 wrote to memory of 2256	628	cmd.exe	106

C:\Users\Admin\AppData\Local\Temp\2024-09-08_843e4ded288cb6c2d49354d9720c9c20_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-08_843e4ded288cb6c2d49354d9720c9c20_poet-rat_snatch.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3544
- C:\Windows\System32\Wbem\wmic.exe
  wmic diskdrive get model
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2464
- C:\Windows\system32\reg.exe
  reg query HKLM\SYSTEM\ControlSet001\Services\USBSTOR
  2⤵
  - Modifies registry key
  PID:4548
- C:\Windows\System32\Wbem\wmic.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Suspicious use of AdjustPrivilegeToken
  PID:3760
- C:\Windows\System32\Wbem\wmic.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:1556
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  PID:4964
- C:\Windows\system32\wscript.exe
  wscript C:\Users\Admin\AppData\Local\Temp\e1rqDhJxAB.vbs C:\Users\Admin\AppData\Local\Temp\e1rqDhJxAB.bat
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\e1rqDhJxAB.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:628
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic diskdrive get Model
      4⤵
      PID:2224
  - - C:\Windows\system32\findstr.exe
      findstr /i "DADY HARDDISK QEMU HARDDISK WDC WDS100T2B0A"
      4⤵
      PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e1rqDhJxAB.bat

Filesize
5.0MB

MD5
7273dc3ca52d2a2a412e46c76affb3e7

SHA1
5565d83f9f80a3f7ed89e0b8b684216206e1c954

SHA256
1b49f290e6191ad8bdb185b3f87925503385b43202c1728c08fadf0b23f69010

SHA512
501be38127ca73d51cca2c926b45e9b32a648afcbaae316d96d2536420f109c0982e55a2b332d0fe1e8ce38504df58afb433d92ca5981b29521daec5eb336b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\e1rqDhJxAB.vbs

Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit