General
Target: 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch
Size: 8.3MB
Sample: 241018-bz5m6a1gnl
MD5: cc3900283ad1f0510359ead309e8debf
SHA1: 3f01dbc84e7e8e72349076989f1494424a9d1eb5
SHA256: d7b9db3f4ed6992d352248122cbc286a32a3555648b33115f6fe8672aa7bc8fe
SHA512: 3503ac7a0988f52b20639e59f687bd002fac53c301704407b6f4d655b3212f9e041a040f6ebe41d0b53f9dc69381a93b69be4b9349106a8adde42a2e0b46e434
SSDEEP: 49152:MjFPJxCznE3RyDkyDHCHx0B2ZIvTa3DhwNcg+2gRhzY5Eaa9nllkCTmrg9JWZw10:MxWz8H1ZIvIPgEaa9nTF9kl3
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch.exe
  Resource: win10v2004-20241007-en
Malware Config
Targets
Target: 2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch (same sample as listed under General)
- Deletes shadow copies: Ransomware often targets backup files to inhibit system recovery.
- Drops file in Drivers directory
- Manipulates Digital Signatures: Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
- Boot or Logon Autostart Execution: Print Processors: Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.
- Drops startup file
- Indicator Removal: Clear Windows Event Logs: Clears Windows Event Logs to hide the activity of an intrusion.
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops autorun.inf file: Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
- Modifies termsrv.dll: Commonly used to allow simultaneous RDP sessions.
- Sets desktop wallpaper using registry
MITRE ATT&CK Enterprise v15 (number of matching signatures in parentheses)
Defense Evasion
  Direct Volume Access (1)
  Indicator Removal (3)
    Clear Windows Event Logs (1)
    File Deletion (2)
  Modify Registry (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)