Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
03-10-2024 00:44
Static task
static1
Behavioral task
behavioral1
Sample
2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe
Resource
win7-20240903-en
General
-
Target
2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe
-
Size
10.5MB
-
MD5
737fb056093df619a87969db45379c80
-
SHA1
82702168b2cffe8c88405b4cb9f6ddf67e0997da
-
SHA256
e1a2f6f904d28fe6d650536a835e2f505ed865d24e9cbcf7008dd7ad3269221f
-
SHA512
1d1a398301e52f1660ce770fa9ddcf25b114e003ef5d9e5b83719af5a6f0158a1ac57536c403a9d89f0a8908f16ef471115b39e67e38f525fd9a0031dfd439ae
-
SSDEEP
98304:UW3DPzlu4JkukPMoej+ZDLbE5wDMrd+s71Kq:LD7lu4JgMoejoLI5wQMU
Malware Config
Signatures
-
Detects MeshAgent payload 1 IoCs
Processes:
resource yara_rule C:\Users\AppData\Local\svchost\svchost.exe family_meshagent -
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exepowershell.exepid process 4244 powershell.exe 5056 powershell.exe -
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
svchost.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Microsoft\ImagePath = "\"C:\\Users\\AppData\\Local\\svchost\\svchost.exe\" --meshServiceName=\"Microsoft\"" svchost.exe -
Executes dropped EXE 3 IoCs
Processes:
svchost.exesvchost.exesvchost.exepid process 2404 svchost.exe 4544 svchost.exe 4316 svchost.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 64 IoCs
Processes:
svchost.exesvchost.exepowershell.exedescription ioc process File opened for modification C:\Windows\System32\ntasn1.pdb svchost.exe File opened for modification C:\Windows\System32\bcryptprimitives.pdb svchost.exe File opened for modification C:\Windows\System32\symbols\dll\sechost.pdb svchost.exe File opened for modification C:\Windows\System32\ntdll.pdb svchost.exe File opened for modification C:\Windows\System32\symbols\DLL\kernel32.pdb svchost.exe File opened for modification C:\Windows\System32\dll\win32u.pdb svchost.exe File opened for modification C:\Windows\System32\dll\msvcrt.pdb svchost.exe File opened for modification C:\Windows\System32\symbols\dll\msvcrt.pdb svchost.exe File opened for modification C:\Windows\System32\dll\ntasn1.pdb svchost.exe File opened for modification C:\Windows\System32\symbols\dll\win32u.pdb svchost.exe File opened for modification C:\Windows\System32\symbols\dll\msvcp_win.pdb svchost.exe File opened for modification C:\Windows\System32\dbghelp.pdb svchost.exe File opened for modification C:\Windows\System32\dll\ucrtbase.pdb svchost.exe File opened for modification C:\Windows\System32\DLL\iphlpapi.pdb svchost.exe File opened for modification C:\Windows\System32\DLL\dbgcore.pdb svchost.exe File opened for modification C:\Windows\System32\symbols\DLL\bcrypt.pdb svchost.exe File opened for modification C:\Windows\System32\symbols\dll\ntasn1.pdb svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\4D13E5EDA61C350945D5E8F5200F1B47F25D4BF3 svchost.exe File opened for modification C:\Windows\System32\symbols\dll\msvcp_win.pdb svchost.exe File opened for modification C:\Windows\System32\msvcrt.pdb svchost.exe File opened for modification C:\Windows\System32\shcore.pdb svchost.exe File opened for modification C:\Windows\System32\dll\ntasn1.pdb svchost.exe File opened for modification C:\Windows\System32\ntdll.pdb svchost.exe File opened for modification C:\Windows\System32\symbols\dll\Kernel.Appcore.pdb svchost.exe File opened for modification C:\Windows\System32\symbols\DLL\iphlpapi.pdb svchost.exe File opened for modification C:\Windows\System32\gdiplus.pdb svchost.exe File opened for modification C:\Windows\System32\dll\Kernel.Appcore.pdb svchost.exe File opened for modification C:\Windows\System32\dll\sechost.pdb svchost.exe File opened for modification C:\Windows\System32\gdiplus.pdb svchost.exe File opened for modification C:\Windows\System32\symbols\DLL\iphlpapi.pdb svchost.exe File opened for modification C:\Windows\System32\kernelbase.pdb svchost.exe File opened for modification C:\Windows\System32\dll\shell32.pdb svchost.exe File opened for modification C:\Windows\System32\ole32.pdb svchost.exe File opened for modification C:\Windows\System32\dll\ole32.pdb svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\System32\kernel32.pdb svchost.exe File opened for modification C:\Windows\System32\symbols\dll\gdi32full.pdb svchost.exe File opened for modification C:\Windows\System32\symbols\dll\Kernel.Appcore.pdb svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys svchost.exe File opened for modification C:\Windows\System32\dll\crypt32.pdb svchost.exe File opened for modification C:\Windows\System32\dll\ole32.pdb svchost.exe File opened for modification C:\Windows\System32\symbols\dll\rpcrt4.pdb svchost.exe File opened for modification C:\Windows\System32\dll\msvcp_win.pdb svchost.exe File opened for modification C:\Windows\System32\ws2_32.pdb svchost.exe File opened for modification C:\Windows\System32\combase.pdb svchost.exe File opened for modification C:\Windows\System32\comctl32.pdb svchost.exe File opened for modification C:\Windows\System32\symbols\dll\gdiplus.pdb svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\4D13E5EDA61C350945D5E8F5200F1B47F25D4BF3 svchost.exe File opened for modification C:\Windows\System32\MeshService64.pdb svchost.exe File opened for modification C:\Windows\System32\dll\ws2_32.pdb svchost.exe File opened for modification C:\Windows\System32\symbols\dll\shell32.pdb svchost.exe File opened for modification C:\Windows\System32\bcrypt.pdb svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\80F4EBC7FBE918362C89B5522B5C18642FAB3C35 svchost.exe File opened for modification C:\Windows\System32\symbols\dll\ntdll.pdb svchost.exe File opened for modification C:\Windows\System32\symbols\DLL\kernel32.pdb svchost.exe File opened for modification C:\Windows\System32\advapi32.pdb svchost.exe File opened for modification C:\Windows\System32\DLL\dbgcore.pdb svchost.exe File opened for modification C:\Windows\System32\dll\msvcrt.pdb svchost.exe File opened for modification C:\Windows\System32\dll\crypt32.pdb svchost.exe File opened for modification C:\Windows\System32\dll\kernelbase.pdb svchost.exe File opened for modification C:\Windows\System32\user32.pdb svchost.exe File opened for modification C:\Windows\System32\gdi32.pdb svchost.exe File opened for modification C:\Windows\System32\gdi32full.pdb svchost.exe File opened for modification C:\Windows\System32\win32u.pdb svchost.exe -
Modifies data under HKEY_USERS 53 IoCs
Processes:
powershell.exesvchost.exesvchost.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133723898994403957" svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe -
Processes:
2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exepowershell.exe2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exepid process 4612 powershell.exe 4612 powershell.exe 4244 powershell.exe 4244 powershell.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exepowershell.exepowershell.exewmic.exewmic.exewmic.exedescription pid process Token: SeDebugPrivilege 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe Token: SeDebugPrivilege 4612 powershell.exe Token: SeDebugPrivilege 4244 powershell.exe Token: SeAssignPrimaryTokenPrivilege 5100 wmic.exe Token: SeIncreaseQuotaPrivilege 5100 wmic.exe Token: SeSecurityPrivilege 5100 wmic.exe Token: SeTakeOwnershipPrivilege 5100 wmic.exe Token: SeLoadDriverPrivilege 5100 wmic.exe Token: SeSystemtimePrivilege 5100 wmic.exe Token: SeBackupPrivilege 5100 wmic.exe Token: SeRestorePrivilege 5100 wmic.exe Token: SeShutdownPrivilege 5100 wmic.exe Token: SeSystemEnvironmentPrivilege 5100 wmic.exe Token: SeUndockPrivilege 5100 wmic.exe Token: SeManageVolumePrivilege 5100 wmic.exe Token: SeAssignPrimaryTokenPrivilege 5100 wmic.exe Token: SeIncreaseQuotaPrivilege 5100 wmic.exe Token: SeSecurityPrivilege 5100 wmic.exe Token: SeTakeOwnershipPrivilege 5100 wmic.exe Token: SeLoadDriverPrivilege 5100 wmic.exe Token: SeSystemtimePrivilege 5100 wmic.exe Token: SeBackupPrivilege 5100 wmic.exe Token: SeRestorePrivilege 5100 wmic.exe Token: SeShutdownPrivilege 5100 wmic.exe Token: SeSystemEnvironmentPrivilege 5100 wmic.exe Token: SeUndockPrivilege 5100 wmic.exe Token: SeManageVolumePrivilege 5100 wmic.exe Token: SeAssignPrimaryTokenPrivilege 3880 wmic.exe Token: SeIncreaseQuotaPrivilege 3880 wmic.exe Token: SeSecurityPrivilege 3880 wmic.exe Token: SeTakeOwnershipPrivilege 3880 wmic.exe Token: SeLoadDriverPrivilege 3880 wmic.exe Token: SeSystemtimePrivilege 3880 wmic.exe Token: SeBackupPrivilege 3880 wmic.exe Token: SeRestorePrivilege 3880 wmic.exe Token: SeShutdownPrivilege 3880 wmic.exe Token: SeSystemEnvironmentPrivilege 3880 wmic.exe Token: SeUndockPrivilege 3880 wmic.exe Token: SeManageVolumePrivilege 3880 wmic.exe Token: SeAssignPrimaryTokenPrivilege 3880 wmic.exe Token: SeIncreaseQuotaPrivilege 3880 wmic.exe Token: SeSecurityPrivilege 3880 wmic.exe Token: SeTakeOwnershipPrivilege 3880 wmic.exe Token: SeLoadDriverPrivilege 3880 wmic.exe Token: SeSystemtimePrivilege 3880 wmic.exe Token: SeBackupPrivilege 3880 wmic.exe Token: SeRestorePrivilege 3880 wmic.exe Token: SeShutdownPrivilege 3880 wmic.exe Token: SeSystemEnvironmentPrivilege 3880 wmic.exe Token: SeUndockPrivilege 3880 wmic.exe Token: SeManageVolumePrivilege 3880 wmic.exe Token: SeAssignPrimaryTokenPrivilege 3772 wmic.exe Token: SeIncreaseQuotaPrivilege 3772 wmic.exe Token: SeSecurityPrivilege 3772 wmic.exe Token: SeTakeOwnershipPrivilege 3772 wmic.exe Token: SeLoadDriverPrivilege 3772 wmic.exe Token: SeSystemtimePrivilege 3772 wmic.exe Token: SeBackupPrivilege 3772 wmic.exe Token: SeRestorePrivilege 3772 wmic.exe Token: SeShutdownPrivilege 3772 wmic.exe Token: SeSystemEnvironmentPrivilege 3772 wmic.exe Token: SeUndockPrivilege 3772 wmic.exe Token: SeManageVolumePrivilege 3772 wmic.exe Token: SeAssignPrimaryTokenPrivilege 3772 wmic.exe -
Suspicious use of WriteProcessMemory 30 IoCs
Processes:
2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exesvchost.exesvchost.exedescription pid process target process PID 3264 wrote to memory of 4612 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe powershell.exe PID 3264 wrote to memory of 4612 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe powershell.exe PID 3264 wrote to memory of 4244 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe powershell.exe PID 3264 wrote to memory of 4244 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe powershell.exe PID 3264 wrote to memory of 2404 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe svchost.exe PID 3264 wrote to memory of 2404 3264 2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe svchost.exe PID 4544 wrote to memory of 5100 4544 svchost.exe wmic.exe PID 4544 wrote to memory of 5100 4544 svchost.exe wmic.exe PID 4544 wrote to memory of 3880 4544 svchost.exe wmic.exe PID 4544 wrote to memory of 3880 4544 svchost.exe wmic.exe PID 4544 wrote to memory of 3772 4544 svchost.exe wmic.exe PID 4544 wrote to memory of 3772 4544 svchost.exe wmic.exe PID 4544 wrote to memory of 1180 4544 svchost.exe wmic.exe PID 4544 wrote to memory of 1180 4544 svchost.exe wmic.exe PID 4544 wrote to memory of 2176 4544 svchost.exe wmic.exe PID 4544 wrote to memory of 2176 4544 svchost.exe wmic.exe PID 4544 wrote to memory of 1856 4544 svchost.exe wmic.exe PID 4544 wrote to memory of 1856 4544 svchost.exe wmic.exe PID 4316 wrote to memory of 808 4316 svchost.exe wmic.exe PID 4316 wrote to memory of 808 4316 svchost.exe wmic.exe PID 4316 wrote to memory of 4436 4316 svchost.exe wmic.exe PID 4316 wrote to memory of 4436 4316 svchost.exe wmic.exe PID 4316 wrote to memory of 1884 4316 svchost.exe wmic.exe PID 4316 wrote to memory of 1884 4316 svchost.exe wmic.exe PID 4316 wrote to memory of 5048 4316 svchost.exe wmic.exe PID 4316 wrote to memory of 5048 4316 svchost.exe wmic.exe PID 4316 wrote to memory of 3268 4316 svchost.exe wmic.exe PID 4316 wrote to memory of 3268 4316 svchost.exe wmic.exe PID 4316 wrote to memory of 5056 4316 svchost.exe powershell.exe PID 4316 wrote to memory of 5056 4316 svchost.exe powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe"C:\Users\Admin\AppData\Local\Temp\2024-10-03_737fb056093df619a87969db45379c80_poet-rat_snatch.exe"1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3264 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "((Get-WMIObject -ClassName Win32_ComputerSystem).Username).Split('\')[1]"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4612 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "Add-MpPreference -ExclusionExtension '.exe' -Force"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4244 -
C:\Users\AppData\Local\svchost\svchost.exeC:\Users\\AppData\Local\svchost\svchost.exe -install2⤵
- Sets service image path in registry
- Executes dropped EXE
PID:2404
-
C:\Users\AppData\Local\svchost\svchost.exe"C:\Users\AppData\Local\svchost\svchost.exe" --meshServiceName="Microsoft"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4544 -
C:\Windows\System32\wbem\wmic.exewmic SystemEnclosure get ChassisTypes2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5100 -
C:\Windows\system32\wbem\wmic.exewmic os get oslanguage /FORMAT:LIST2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3880 -
C:\Windows\System32\wbem\wmic.exewmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3772 -
C:\Windows\system32\wbem\wmic.exewmic os get oslanguage /FORMAT:LIST2⤵PID:1180
-
C:\Windows\System32\wbem\wmic.exewmic SystemEnclosure get ChassisTypes2⤵PID:2176
-
C:\Windows\System32\wbem\wmic.exewmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"2⤵PID:1856
-
C:\Users\AppData\Local\svchost\svchost.exe"C:\Users\AppData\Local\svchost\svchost.exe" --meshServiceName="Microsoft"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4316 -
C:\Windows\System32\wbem\wmic.exewmic SystemEnclosure get ChassisTypes2⤵PID:808
-
C:\Windows\system32\wbem\wmic.exewmic os get oslanguage /FORMAT:LIST2⤵PID:4436
-
C:\Windows\System32\wbem\wmic.exewmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"2⤵PID:1884
-
C:\Windows\System32\wbem\wmic.exewmic SystemEnclosure get ChassisTypes2⤵PID:5048
-
C:\Windows\System32\wbem\wmic.exewmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"2⤵PID:3268
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -noprofile -nologo -command -2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5056
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
Filesize
1KB
MD59fd2ab8d8464245af4bd0c32050b550e
SHA1000417ac42c7f17434946571a95f74baec153ca7
SHA256e5e21171532631873c188b53516e679f08a49655ce2a2e376dcd3a7384ef3c04
SHA512c1530182a8a0ffb59b01a79a8ce6627bee3c67296d2003baa5377a309f219f718caee9f90baff52c36d54093ced82111f210a2c6209e4f06b5cc5f9b3cfc1345
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
131KB
MD55fd5f585aecb169188c49fd0c26a290c
SHA11a9436d446e751d399d5b13612d3f30c438f051a
SHA256665a95dd9759ce03ae94a53b527694e07bc58fa08a181b3802ea7c1f8a4df2be
SHA512aeaca91b8446f8662cdd54ccb0d8bfadd4689a4f3012b24b8f0f271dfc140a137d2113ee4c77ecbf94749057ded4819e632d4e1c99fc4d158015267ee2f3386f
-
Filesize
5.3MB
MD55b6be6790ee80859332624deae0567b2
SHA18597c1a83eb2490cf20026acd20bfbd539fc4b7f
SHA2569ae2520522990491e6325e94ee1e6cedf931cfc0af2e6a9d1e0f760ab9b47bad
SHA512a8214f8f4148b55de1fef4e72a06211e5840ced5a134b319be7d4d25e77d0edded5f26b8cbfa86c8b5df9067b6f7c9ddac1d709231f1fe70d4867570e907cbb6
-
Filesize
22KB
MD590f91efb0b6cc632ea6b2bb3a6d5fb40
SHA1e46a39e7252e086f34d64c3d720442cd325de506
SHA2567db6fa16d92fa026ba88337e51623caea566a78eb275af77905286a533792fc9
SHA512f511124b19a4f05e09f253f5f63e991694565247f9c09430368f53d5466ecb8822811107c7c0a9e91e8d1b0ff85bfa37a243b0635eb893c8fae39ea8152c3928
-
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\4D13E5EDA61C350945D5E8F5200F1B47F25D4BF3
Filesize1KB
MD51d4694d8cfb642234e094e2cc3189d3f
SHA13033dba5ddea5215ad9849983794c06ebc3518c2
SHA256b65c38dff69c258e4bd1ee02d2a2c52ee824526d2c6d1f363acabaebda2ce1f4
SHA512d0fe62e0a6043409e9c354504563b0c2f6ff713bfab0cd8a0e50422fb73a42fb5b88cae9de396df388ca8d6d66852266bd8ed063b38076e87dca9b002464cb09
-
C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\7DF32C3D6039845D99F9F43AAC4CB10C18B56A0C
Filesize1KB
MD5a171bca270f574c55fc1b09e770db2c6
SHA1cee0a3febd2043afe7e4c29014ce9f04fb726bf9
SHA256de8e035bd213cc876beb3d9625bce354524af49a922d2e2598cd4bcdf64924b0
SHA51213eb7695b78c0c8f4b502ebaa9edc868e727988a42fe23adeef32e3e6071b6e26c38535af026be1cca5b598c2e0e61ab7e4b8bd3f7cafd14fc99343a5dec2769