General
Target: 2024-10-27_9418a4d67b5c1570f0079aba775484a2_poet-rat_snatch
Size: 14.7MB
Sample: 241027-2a3els1pdj
MD5: 9418a4d67b5c1570f0079aba775484a2
SHA1: 1ded85ff12c294e691c981f54ab5ac5f42520b9d
SHA256: a0d0c4de97d4555c4276488fff2c2a44520a084782b77993410c4ec458187cde
SHA512: 88a9c5ff1f12d1df5d96d3e41d9cc5207cc86ff0045963b143937f9fa2b5a643303d113f88630678e6a7fc20b987a4b2e959476374fb999b2de71ffbbf8a2c34
SSDEEP: 98304:bGerAJorRnGqDhPIPkCEe9HWhL9fuu48E9ZyV9rjeq+DgVOHD:bDRGqD7bC9ZIN+EVGD
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-10-27_9418a4d67b5c1570f0079aba775484a2_poet-rat_snatch.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 2024-10-27_9418a4d67b5c1570f0079aba775484a2_poet-rat_snatch.exe
  Resource: win10v2004-20241007-en
Malware Config
Targets
- Downloads MZ/PE file
- Event Triggered Execution: Image File Execution Options Injection
- Checks computer location settings: looks up the country code configured in the registry, likely as a geofence check.
- Event Triggered Execution: Component Object Model Hijacking: adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate the software installed on the system.
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP address.
- Checks system information in the registry: system information is often read in order to detect sandbox environments.
MITRE ATT&CK Enterprise v15
Persistence
  Event Triggered Execution (2)
    Component Object Model Hijacking (1)
    Image File Execution Options Injection (1)
Privilege Escalation
  Event Triggered Execution (2)
    Component Object Model Hijacking (1)
    Image File Execution Options Injection (1)
Defense Evasion
  Modify Registry (2)
  Subvert Trust Controls (1)
    Install Root Certificate (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (2)
    Credentials In Files (2)