Overview

overview

8

Static

static

3

2024-09-13...ch.exe

windows7-x64

8

2024-09-13...ch.exe

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2024-09-13_c097e06be926f7496a7c58896b9692a4_hijackloader_poet-rat_snatch

  • Size

    8.1MB

  • Sample

    240913-qqta4asdmk

  • MD5

    c097e06be926f7496a7c58896b9692a4

  • SHA1

    8efebbfced6fd53f9d0f3850408bbdbf88c23d2b

  • SHA256

    b5d0b945169391a9d4df8fa698472e0a7a6a51a25ac4f583db4e5b96e52c78cc

  • SHA512

    c4ce0633aab7c017ab61d85e6e2837530bf8834ddcad5f9fdd4ecaaf20c8b2553fe08be416c460d5c746810e50b829f9bafbd46e26ab4179530458d224c40baf

  • SSDEEP

    98304:PsMhTgTfuJENBHvu4PxMCURCAgTs7UHloh6K7jMy3MPm:kMxMuobUUI7Uw6KXMyY

Score
8/10
defense_evasiondiscoveryexecutionpersistenceprivilege_escalation

Malware Config

Targets

    • Target

      2024-09-13_c097e06be926f7496a7c58896b9692a4_hijackloader_poet-rat_snatch

    • Size

      8.1MB

    • MD5

      c097e06be926f7496a7c58896b9692a4

    • SHA1

      8efebbfced6fd53f9d0f3850408bbdbf88c23d2b

    • SHA256

      b5d0b945169391a9d4df8fa698472e0a7a6a51a25ac4f583db4e5b96e52c78cc

    • SHA512

      c4ce0633aab7c017ab61d85e6e2837530bf8834ddcad5f9fdd4ecaaf20c8b2553fe08be416c460d5c746810e50b829f9bafbd46e26ab4179530458d224c40baf

    • SSDEEP

      98304:PsMhTgTfuJENBHvu4PxMCURCAgTs7UHloh6K7jMy3MPm:kMxMuobUUI7Uw6KXMyY

    Score
    8/10
    defense_evasiondiscoverypersistenceprivilege_escalationexecution

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Drops file in Drivers directory

    • Manipulates Digital Signatures

      Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Network Service Discovery

      Attempt to gather information on host's network.

      discovery

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Access Token Manipulation

1
T1134

Create Process with Token

1
T1134.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Access Token Manipulation

1
T1134

Create Process with Token

1
T1134.002

Modify Registry

1
T1112

Subvert Trust Controls

1
T1553

SIP and Trust Provider Hijacking

1
T1553.003

Credential Access

Discovery

Network Service Discovery

1
T1046

Peripheral Device Discovery

1
T1120

Query Registry

2
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks