Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03-10-2024 10:02

General

  • Target

    2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe

  • Size

    9.1MB

  • MD5

    7d31b20c88ee1938102f889b63f4105b

  • SHA1

    1bbad6d8ee432927a6ae5e300a9d5a70bbe03fad

  • SHA256

    f007f850a708b041bf4b8d6d97c59a004b57232d3642d9292cb349abb183dc5f

  • SHA512

    d854b299772ab46cd677e6814a84711e8c2e447963e61a31cfe188995c7fd84f756ab0fec0b298e314a7f139e790c56bd5418a98737c84978cbc530e4c457789

  • SSDEEP

    98304:GHxMZDJ1TRpxYVX9u2IazANfQhZytTD5iqE:sxEvYjVzANIhwN

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba payload 1 IoCs
  • Windows security bypass 2 TTPs 7 IoCs
  • Modifies boot configuration data using bcdedit 14 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Possible attempt to disable PatchGuard 2 TTPs

    Rootkits can use kernel patching to embed themselves in an operating system.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 13 IoCs
  • Windows security modification 2 TTPs 7 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Manipulates WinMon driver. 1 IoCs

    Roottkits write to WinMon to hide PIDs from being detected.

  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 3 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 7 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2696
    • C:\Users\Admin\AppData\Local\Temp\2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe
      "C:\Users\Admin\AppData\Local\Temp\2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch.exe"
      2⤵
      • Windows security bypass
      • Loads dropped DLL
      • Windows security modification
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2564
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3024
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • Modifies data under HKEY_USERS
          PID:1840
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Manipulates WinMon driver.
        • Manipulates WinMonFS driver.
        • System Location Discovery: System Language Discovery
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:300
        • C:\Windows\system32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:2224
        • C:\Windows\system32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:536
          • C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
            "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Modifies system certificate store
            • Suspicious use of WriteProcessMemory
            PID:2068
            • C:\Windows\system32\bcdedit.exe
              C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
              5⤵
              • Modifies boot configuration data using bcdedit
              PID:2492
            • C:\Windows\system32\bcdedit.exe
              C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
              5⤵
              • Modifies boot configuration data using bcdedit
              PID:1828
            • C:\Windows\system32\bcdedit.exe
              C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
              5⤵
              • Modifies boot configuration data using bcdedit
              PID:932
            • C:\Windows\system32\bcdedit.exe
              C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
              5⤵
              • Modifies boot configuration data using bcdedit
              PID:688
            • C:\Windows\system32\bcdedit.exe
              C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
              5⤵
              • Modifies boot configuration data using bcdedit
              PID:2972
            • C:\Windows\system32\bcdedit.exe
              C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
              5⤵
              • Modifies boot configuration data using bcdedit
              PID:1716
            • C:\Windows\system32\bcdedit.exe
              C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
              5⤵
              • Modifies boot configuration data using bcdedit
              PID:1688
            • C:\Windows\system32\bcdedit.exe
              C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
              5⤵
              • Modifies boot configuration data using bcdedit
              PID:1872
            • C:\Windows\system32\bcdedit.exe
              C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
              5⤵
              • Modifies boot configuration data using bcdedit
              PID:1956
            • C:\Windows\system32\bcdedit.exe
              C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
              5⤵
              • Modifies boot configuration data using bcdedit
              PID:2364
            • C:\Windows\system32\bcdedit.exe
              C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
              5⤵
              • Modifies boot configuration data using bcdedit
              PID:2524
            • C:\Windows\system32\bcdedit.exe
              C:\Windows\system32\bcdedit.exe -timeout 0
              5⤵
              • Modifies boot configuration data using bcdedit
              PID:1132
            • C:\Windows\system32\bcdedit.exe
              C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
              5⤵
              • Modifies boot configuration data using bcdedit
              PID:1352
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:2116
          • C:\Windows\system32\bcdedit.exe
            C:\Windows\Sysnative\bcdedit.exe /v
            4⤵
            • Modifies boot configuration data using bcdedit
            PID:1616
          • C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
            4⤵
            • Executes dropped EXE
            PID:2156
          • C:\Windows\system32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:2332
    • C:\Windows\system32\makecab.exe
      "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20241003100216.log C:\Windows\Logs\CBS\CbsPersist_20241003100216.cab
      1⤵
      • Drops file in Windows directory
      PID:2684

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

      Filesize

      8.3MB

      MD5

      fd2727132edd0b59fa33733daa11d9ef

      SHA1

      63e36198d90c4c2b9b09dd6786b82aba5f03d29a

      SHA256

      3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e

      SHA512

      3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

    • C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

      Filesize

      492KB

      MD5

      fafbf2197151d5ce947872a4b0bcbe16

      SHA1

      a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020

      SHA256

      feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71

      SHA512

      acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6

    • C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

      Filesize

      94KB

      MD5

      d98e78fd57db58a11f880b45bb659767

      SHA1

      ab70c0d3bd9103c07632eeecee9f51d198ed0e76

      SHA256

      414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0

      SHA512

      aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

    • C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

      Filesize

      1.7MB

      MD5

      13aaafe14eb60d6a718230e82c671d57

      SHA1

      e039dd924d12f264521b8e689426fb7ca95a0a7b

      SHA256

      f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

      SHA512

      ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

    • C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

      Filesize

      5.3MB

      MD5

      1afff8d5352aecef2ecd47ffa02d7f7d

      SHA1

      8b115b84efdb3a1b87f750d35822b2609e665bef

      SHA256

      c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

      SHA512

      e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

    • \Users\Admin\AppData\Local\Temp\dbghelp.dll

      Filesize

      1.5MB

      MD5

      f0616fa8bc54ece07e3107057f74e4db

      SHA1

      b33995c4f9a004b7d806c4bb36040ee844781fca

      SHA256

      6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026

      SHA512

      15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

    • \Users\Admin\AppData\Local\Temp\osloader.exe

      Filesize

      591KB

      MD5

      e2f68dc7fbd6e0bf031ca3809a739346

      SHA1

      9c35494898e65c8a62887f28e04c0359ab6f63f5

      SHA256

      b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

      SHA512

      26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

    • \Users\Admin\AppData\Local\Temp\symsrv.dll

      Filesize

      163KB

      MD5

      5c399d34d8dc01741269ff1f1aca7554

      SHA1

      e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

      SHA256

      e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

      SHA512

      8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

    • \Windows\rss\csrss.exe

      Filesize

      9.1MB

      MD5

      7d31b20c88ee1938102f889b63f4105b

      SHA1

      1bbad6d8ee432927a6ae5e300a9d5a70bbe03fad

      SHA256

      f007f850a708b041bf4b8d6d97c59a004b57232d3642d9292cb349abb183dc5f

      SHA512

      d854b299772ab46cd677e6814a84711e8c2e447963e61a31cfe188995c7fd84f756ab0fec0b298e314a7f139e790c56bd5418a98737c84978cbc530e4c457789

    • memory/2068-14-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

    • memory/2068-28-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB