6710fd52a418adfb6338960abe79ea7793b15aba5c241776a10ea5d17c397cf3

Analysis

max time kernel
107s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
18-02-2025 08:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
Size

12.9MB
MD5

cc3b458540136770be5d5775f0d44f66
SHA1

6253d690cf1aeef7cf0d14395e82ddb347dd5bc6
SHA256

6710fd52a418adfb6338960abe79ea7793b15aba5c241776a10ea5d17c397cf3
SHA512

200493457cf0dd0487514b0d9d344771889a38a88812c606ba5246d1676cdc15d70791e81ef9ba9cb00713f49c7ac0433c7f712d1093ddb7e27001ed08122c67
SSDEEP

196608:I+D5q1SGs2yRwtkpqShRBhR3hREhRFhRVhRihRrhRihREhR3:DAkLRLRxRYRHRXRGR9RGRYR3

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gjen = "c:\\Windows\\System32\\gjen.exe"	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ReeqUn = "c:\\Windows\\System32\\ReeqUn.exe"	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sip = "c:\\Windows\\System32\\Sip.exe"	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File created	C:\Program Files\desktop.ini	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\gjen.exe	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File created	\??\c:\Windows\System32\ReeqUn.exe	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File created	\??\c:\Windows\System32\Sip.exe	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookLargeTile.scale-200.png.exe	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-synch-l1-1-0.dll	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\js\controllers.js.exe	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_2019.305.632.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x.exe	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-72.png.exe	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ppd.xrm-ms.exe	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\AppPackageWideTile.scale-100_contrast-black.png.exe	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupMedTile.scale-150.png.exe	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNewNoteSmallTile.scale-200.png	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.SapBwProvider.dll	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\az-Latn-AZ\View3d\3DViewerProductDescription-universal.xml.exe	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderSplashScreen.contrast-white_scale-200.png.exe	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml.exe	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libtcp_plugin.dll.exe	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxSignature.p7x.exe	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEXBE.DLL.exe	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\AppxManifest.xml.exe	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Transactions.dll	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\images\NoConnection.scale-100.png	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-30_altform-unplated.png	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\MedTile.scale-100.png	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\nl.pak.exe	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_es.properties.exe	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-ppd.xrm-ms	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreWideTile.scale-200.png.exe	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-20_altform-unplated_contrast-black.png.exe	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\MedTile.scale-100.png.exe	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\UIAutomationProvider.resources.dll	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msproof7.dll	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\W1.png.exe	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\ContactPhoto.scale-100.png.exe	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Reflection.Primitives.dll.exe	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-80.png.exe	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\it\Microsoft.PowerShell.PackageManagement.resources.dll.exe	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File created	C:\Program Files\dotnet\host\fxr\7.0.16\hostfxr.dll.exe	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\LINEAR_RGB.pf	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Grace-ppd.xrm-ms.exe	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\models\en-GB.Calendar.model	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsLargeTile.scale-100.png	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\cldr.md	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-ppd.xrm-ms	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ul-phn.xrm-ms.exe	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\MOFL.DLL.exe	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_output\libwingdi_plugin.dll.exe	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat.exe	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-36_altform-lightunplated.png	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Algorithms.dll.exe	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-oob.xrm-ms.exe	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_F_COL.HXK.exe	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Unlock.png.exe	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-20.png.exe	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-60.png	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-60_altform-unplated_contrast-white.png	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\subscription_intro\multiple-plans.png	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-20_altform-unplated.png	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-64_altform-unplated.png	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeServiceBypassR_PrepidBypass-ul-oob.xrm-ms	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\msjet.xsl.exe	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.PasswordManager.dll.exe	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.scale-125.png.exe	2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe

C:\Users\Admin\AppData\Local\Temp\2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-18_cc3b458540136770be5d5775f0d44f66_poet-rat_snatch.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip.dll.exe

Filesize
13.6MB

MD5
f06b0c1da982f360fc89da07107d5206

SHA1
1c733063ccfffd88a8b12863138583613b62092f

SHA256
39076505851aaa3dfd50c58f65487f8585d3ceb394b7c33aa214c3bf1fd9c100

SHA512
6984f5ec7a459d6dd5aa23b531213176a05a632c99b2ecc118359b027671412533bf2f5d5a92812d418878137b995dfbb9a180a1a34ad0146a720764ac3ea96d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads