glupteba | 74439b64c299dca464dbc4557a4821225567dd301e32c7c367f31c0858e4a7be

General

Target

2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Size

8.3MB
MD5

bbc984e453abf2fe658869b284a52dbf
SHA1

67efe0a521434db39b9cc93c714f126d3691a8a3
SHA256

74439b64c299dca464dbc4557a4821225567dd301e32c7c367f31c0858e4a7be
SHA512

0d39e250e3fe12a8c69b98ffa55935a2b215d08997aa2205408ded8c572a2293829b497658e5b3af9ec70aad88edd04e209359abee6afd71d15f018ce555a170
SSDEEP

98304:0kIhs4Oy515t3t/lsWbb0HEY8b/1qhZytTD5iq:0kws4RlzPwOshwN

Score

10^/10

glupteba discovery dropper evasion loader persistence privilege_escalation rootkit

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 1 IoCs

Processes:

resource	yara_rule
C:\Windows\rss\csrss.exe	family_glupteba

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

3084 netsh.exe
Executes dropped EXE 2 IoCs

Processes:

csrss.exeinjector.exe

pid process

4360 csrss.exe
4764 injector.exe

pid	process
3084	netsh.exe

pid	process
4360	csrss.exe
4764	injector.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.execsrss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

62 raw.githubusercontent.com
63 raw.githubusercontent.com
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe

flow	ioc
62	raw.githubusercontent.com
63	raw.githubusercontent.com

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe

Drops file in Windows directory 2 IoCs

Processes:

2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe

description	ioc	process
File opened for modification	C:\Windows\rss	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
File created	C:\Windows\rss\csrss.exe	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.execsrss.exe2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

csrss.exe2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

3912 schtasks.exe
5060 schtasks.exe

pid	process
3912	schtasks.exe
5060	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exeinjector.execsrss.exe

pid	process
2024	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
2024	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
3016	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
3016	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
3016	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
3016	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
3016	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
3016	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
3016	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
3016	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
3016	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
3016	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
4764	injector.exe
4764	injector.exe
4764	injector.exe
4764	injector.exe
4764	injector.exe
4764	injector.exe
4764	injector.exe
4764	injector.exe
4360	csrss.exe
4360	csrss.exe
4764	injector.exe
4764	injector.exe
4764	injector.exe
4764	injector.exe
4360	csrss.exe
4360	csrss.exe
4764	injector.exe
4764	injector.exe
4764	injector.exe
4764	injector.exe
4764	injector.exe
4764	injector.exe
4764	injector.exe
4764	injector.exe
4764	injector.exe
4764	injector.exe
4764	injector.exe
4764	injector.exe
4764	injector.exe
4764	injector.exe
4764	injector.exe
4764	injector.exe
4764	injector.exe
4764	injector.exe
4764	injector.exe
4764	injector.exe
4764	injector.exe
4764	injector.exe
4764	injector.exe
4764	injector.exe
4764	injector.exe
4764	injector.exe
4764	injector.exe
4764	injector.exe
4764	injector.exe
4764	injector.exe
4764	injector.exe
4764	injector.exe
4764	injector.exe
4764	injector.exe
4764	injector.exe
4764	injector.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.execsrss.exe

description	pid	process
Token: SeDebugPrivilege	2024	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Token: SeImpersonatePrivilege	2024	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
Token: SeSystemEnvironmentPrivilege	4360	csrss.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.execmd.execsrss.exe

description	pid	process	target process
PID 3016 wrote to memory of 2092	3016	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe	cmd.exe
PID 3016 wrote to memory of 2092	3016	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe	cmd.exe
PID 2092 wrote to memory of 3084	2092	cmd.exe	netsh.exe
PID 2092 wrote to memory of 3084	2092	cmd.exe	netsh.exe
PID 3016 wrote to memory of 4360	3016	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe	csrss.exe
PID 3016 wrote to memory of 4360	3016	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe	csrss.exe
PID 3016 wrote to memory of 4360	3016	2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe	csrss.exe
PID 4360 wrote to memory of 4764	4360	csrss.exe	injector.exe
PID 4360 wrote to memory of 4764	4360	csrss.exe	injector.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2024
- C:\Users\Admin\AppData\Local\Temp\2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-09-26_bbc984e453abf2fe658869b284a52dbf_poet-rat_snatch.exe"
  2⤵
  - Adds Run key to start application
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2092
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:3084
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe ""
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Manipulates WinMonFS driver.
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4360
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5060
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:236
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4764
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\rss\csrss.exe

Filesize
8.3MB

MD5
bbc984e453abf2fe658869b284a52dbf

SHA1
67efe0a521434db39b9cc93c714f126d3691a8a3

SHA256
74439b64c299dca464dbc4557a4821225567dd301e32c7c367f31c0858e4a7be

SHA512
0d39e250e3fe12a8c69b98ffa55935a2b215d08997aa2205408ded8c572a2293829b497658e5b3af9ec70aad88edd04e209359abee6afd71d15f018ce555a170

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads