Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-10-2024 01:43

General

  • Target

    2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe

  • Size

    8.3MB

  • MD5

    cc3900283ad1f0510359ead309e8debf

  • SHA1

    3f01dbc84e7e8e72349076989f1494424a9d1eb5

  • SHA256

    d7b9db3f4ed6992d352248122cbc286a32a3555648b33115f6fe8672aa7bc8fe

  • SHA512

    3503ac7a0988f52b20639e59f687bd002fac53c301704407b6f4d655b3212f9e041a040f6ebe41d0b53f9dc69381a93b69be4b9349106a8adde42a2e0b46e434

  • SSDEEP

    49152:MjFPJxCznE3RyDkyDHCHx0B2ZIvTa3DhwNcg+2gRhzY5Eaa9nllkCTmrg9JWZw10:MxWz8H1ZIvIPgEaa9nTF9kl3

Malware Config

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Drops file in Drivers directory 64 IoCs
  • Manipulates Digital Signatures 4 IoCs

    Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

  • Boot or Logon Autostart Execution: Print Processors 1 TTPs 1 IoCs

    Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

  • Drops startup file 1 IoCs
  • Indicator Removal: Clear Windows Event Logs 1 TTPs 64 IoCs

    Clear Windows Event Logs to hide the activity of an intrusion.

  • Loads dropped DLL 8 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

  • Drops desktop.ini file(s) 64 IoCs
  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 64 IoCs
  • Modifies termsrv.dll 1 TTPs 1 IoCs

    Commonly used to allow simultaneous RDP sessions.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe"
    1⤵
    • Drops file in Drivers directory
    • Manipulates Digital Signatures
    • Boot or Logon Autostart Execution: Print Processors
    • Drops startup file
    • Indicator Removal: Clear Windows Event Logs
    • Drops desktop.ini file(s)
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Modifies termsrv.dll
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:4092
    • C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /for=norealvolume /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:2284
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:548

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Java\jdk-1.8\README.txt

    Filesize

    363B

    MD5

    8d0d9af608e122e3e2cd0712d6d33d7e

    SHA1

    2563fc07c8e4f074e5bcca7be50e3045f34ff3f0

    SHA256

    0252d98b5e81efbb710488135fc298b2e4f521aa0384e9ce5fb0a604f3e357f5

    SHA512

    90a431f7cdabc8fa12c59783fc7524f316d61ab4ff806dc88093680f4a44ef4fe62337b270a99e03dc5b1f5439a36e2a8472ffb7b7499186d227dc24763d50fc

  • C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL

    Filesize

    279KB

    MD5

    7efcf0111eb7a22aec8410d6a427b328

    SHA1

    d6828e7c4fb2789da55899e69c6197eaf4017b88

    SHA256

    7a83319f41c626818556e406b5b664aa4c102cb851269e9becbe3041bde4368a

    SHA512

    c1526e7bfe3c9f5d9ea9ab0f18d555e01f107ec56123ab83b8677ac24da57e206fb02a0148d2ae08ceba6ec4c10f42a46b0093e2324c0d723f09ec1fd4f43d97

  • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

    Filesize

    1.7MB

    MD5

    c606bd7c9c733dd27f74157c34e51742

    SHA1

    aab92689723449fbc3e123fb614dd536a74b74d4

    SHA256

    606390649012b31b5d83630f1186562e4b1ce4023d8870d8c29eb62e7e0769e0

    SHA512

    5f8fabe3d9753413d1aedcc76b9568c50dd25a5a6aeacd1ce88aecc28c0ba96dac80177679d380708213a0997946e49383bdaca7114c8c9526a24ed999194e38

  • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msvcp140.dll

    Filesize

    613KB

    MD5

    c1b066f9e3e2f3a6785161a8c7e0346a

    SHA1

    8b3b943e79c40bc81fdac1e038a276d034bbe812

    SHA256

    99e3e25cda404283fbd96b25b7683a8d213e7954674adefa2279123a8d0701fd

    SHA512

    36f9e6c86afbd80375295238b67e4f472eb86fcb84a590d8dba928d4e7a502d4f903971827fdc331353e5b3d06616664450759432fdc8d304a56e7dacb84b728

  • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\vcruntime140.dll

    Filesize

    83KB

    MD5

    1453290db80241683288f33e6dd5e80e

    SHA1

    29fb9af50458df43ef40bfc8f0f516d0c0a106fd

    SHA256

    2b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c

    SHA512

    4ea48a11e29ea7ac3957dcab1a7912f83fd1c922c43d7b7d78523178fe236b4418729455b78ac672bb5632ecd5400746179802c6a9690adb025270b0ade84e91