14baff3432b17a4aeb9e97e12a779b4b28107900810e7dbb4a709399532af6cf

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-10-2024 00:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-05_542f8a07beb7f434bbb6fb8fe891e7bd_ngrbot_poet-rat_snatch.exe
Size

9.9MB
MD5

542f8a07beb7f434bbb6fb8fe891e7bd
SHA1

2364d3fe48f856fb38da604d8adb2b4682761428
SHA256

14baff3432b17a4aeb9e97e12a779b4b28107900810e7dbb4a709399532af6cf
SHA512

0eda0f6acac38b79bb32a7df740caff44d44045e1f699dfe68601d6e97ceecb3c3193232509980b2c2b0216c20092647b1166305508b9399a9f3ff483a46d5d7
SSDEEP

98304:Mc5+vJLzwnZ7sF1xIwIF0hjeDUKPE7EUnBv/Zm2qpbV:McoBz4Z7+8rGjeDUiEomibV

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-10-05_542f8a07beb7f434bbb6fb8fe891e7bd_ngrbot_poet-rat_snatch.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	2024-10-05_542f8a07beb7f434bbb6fb8fe891e7bd_ngrbot_poet-rat_snatch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

2024-10-05_542f8a07beb7f434bbb6fb8fe891e7bd_ngrbot_poet-rat_snatch.exe

description pid process

Token: SeDebugPrivilege 2732 2024-10-05_542f8a07beb7f434bbb6fb8fe891e7bd_ngrbot_poet-rat_snatch.exe

description	pid	process
Token: SeDebugPrivilege	2732	2024-10-05_542f8a07beb7f434bbb6fb8fe891e7bd_ngrbot_poet-rat_snatch.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

2024-10-05_542f8a07beb7f434bbb6fb8fe891e7bd_ngrbot_poet-rat_snatch.exe

description	pid	process	target process
PID 2732 wrote to memory of 2380	2732	2024-10-05_542f8a07beb7f434bbb6fb8fe891e7bd_ngrbot_poet-rat_snatch.exe	attrib.exe
PID 2732 wrote to memory of 2380	2732	2024-10-05_542f8a07beb7f434bbb6fb8fe891e7bd_ngrbot_poet-rat_snatch.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

2380 attrib.exe

pid	process
2380	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-05_542f8a07beb7f434bbb6fb8fe891e7bd_ngrbot_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-05_542f8a07beb7f434bbb6fb8fe891e7bd_ngrbot_poet-rat_snatch.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Local\Temp\2024-10-05_542f8a07beb7f434bbb6fb8fe891e7bd_ngrbot_poet-rat_snatch.exe
  2⤵
  - Views/modifies file attributes
  PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads