4e2cc5a128e810bff607d9387cde16624c6188c0b8206668f99aa95659783122

Analysis

max time kernel
108s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
18-02-2025 08:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
Size

13.5MB
MD5

065a35ee72de722e6c34bf2895982311
SHA1

a35cb06ce4a6c914a6c1c60a9e1ca7dabe464241
SHA256

4e2cc5a128e810bff607d9387cde16624c6188c0b8206668f99aa95659783122
SHA512

38f8982c85f43c07afeadb1c572c21e74f7017197955d26528e5425f8f8070090ed3ea3624fc30d2e2de0d00d93aa9c09fa33704d1dc099ed85c6ffa0caada6b
SSDEEP

196608:I+D5q1SGs2yRwtkpqShRBhR3hREhRQhRShRPhR+hRbhR9hRuhRz:DAkLRLRxRYRMR2RZRaRtRPRKRz

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tOeIG = "c:\\Windows\\System32\\tOeIG.exe"	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NJI = "c:\\Windows\\System32\\NJI.exe"	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "c:\\Windows\\System32\\.exe"	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	C:\Program Files\desktop.ini	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\tOeIG.exe	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	\??\c:\Windows\System32\NJI.exe	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	\??\c:\Windows\System32\.exe	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\jre\lib\resources.jar.exe	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageMedTile.scale-400_contrast-white.png.exe	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-white\MedTile.scale-200.png.exe	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationProvider.resources.dll.exe	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Office15\pidgenx.dll.exe	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Microsoft.Office.PolicyTips.dll	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageWideTile.scale-100.png.exe	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-20_altform-unplated_contrast-black.png	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_scale-100.png	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-60_altform-unplated.png	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-36_contrast-white.png	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-time-l1-1-0.dll	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\Timer10Sec.targetsize-24.png.exe	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\LargeLogo.scale-200_contrast-white.png.exe	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hi-in.dll.exe	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-conio-l1-1-0.dll	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\WinMetadata\Microsoft.UI.Xaml.winmd.exe	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxAccountsSplashLogo.scale-140.png	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\WindowsFormsIntegration.resources.dll.exe	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-pl.xrm-ms.exe	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-phn.xrm-ms	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\1033\EEINTL.DLL.exe	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Reflection.Extensions.dll.exe	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionSmallTile.scale-400.png.exe	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\ringless_calls\Ringlesscalling_25more_360x120_2x.png	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-96.png	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\WindowsBase.resources.dll.exe	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lo\LC_MESSAGES\vlc.mo	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\WideTile.scale-100_contrast-black.png	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-32.png.exe	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\AppxSignature.p7x.exe	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreLogo.scale-100_contrast-black.png	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	C:\Program Files\Java\jre-1.8\COPYRIGHT.exe	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-32_altform-lightunplated.png.exe	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledb32r.dll	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\net.properties	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_security_terms_dict.txt.exe	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-48_altform-unplated_contrast-black.png.exe	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\vlc.mo	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-125_contrast-white.png	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_star_Loud.m4a.exe	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.scale-400.png.exe	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrespsh.dat	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color120.png.exe	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\ShareProvider_CopyLink24x24.scale-125.png.exe	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBackgroundHost.exe	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-72_altform-unplated_contrast-black.png	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\PresentationFramework.resources.dll	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\LargeTile.scale-125.png	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\wiggle350.png.exe	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-pl.xrm-ms.exe	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\LargeTile.scale-100.png.exe	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-30_altform-unplated_contrast-white.png	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxSignature.p7x.exe	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosAppList.contrast-white_scale-125.png	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Pay.Background.winmd.exe	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\MixerBranding\mixer_logo.png.exe	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\StoreLogo.scale-100.png	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Xaml.resources.dll	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\FileAssociation\FileAssociation.targetsize-48.png	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Generic-Light.scale-150.png.exe	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-24.png.exe	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Example2.Diagnostics.psd1	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ppd.xrm-ms.exe	2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe

C:\Users\Admin\AppData\Local\Temp\2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-18_065a35ee72de722e6c34bf2895982311_poet-rat_snatch.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
PID:4512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip.dll.exe

Filesize
14.2MB

MD5
fcdad566457da29dd857dbf45599c0f6

SHA1
b0e9512ce5d3879a9203e4b077ccdd2d879ba764

SHA256
860615d717389fd100b1317bc589c7482c87cb70f63365287bcddb922551ec23

SHA512
2265e6c3d0f3e0e6422290f0e944bd1b884bd7d70e0c77128d055f132b3aca7cecae91646ad285a275cd5f23008c181ffd23385156bff50578faa42f90f662c3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads