f836e7c3c9aa35de70ffac335dd4f9f97d13c8cb339823bb000f042f5cf9339c

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
18-02-2025 08:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
Size

12.1MB
MD5

e5bd5434d2769abba057547204bfb3ab
SHA1

077a23a1bf27660ee455b8ed968676b3686081eb
SHA256

f836e7c3c9aa35de70ffac335dd4f9f97d13c8cb339823bb000f042f5cf9339c
SHA512

03ab956f4cdab003b2246b4d1065e17184aad83ea912f3585f0f5820826c63b0ab148d111eedb70ae69a356644579e79df71fdd0f943ada55a634ea8994a29d2
SSDEEP

196608:I+D5q1SGs2yRwtkpqShRBhR3hREhRwhR/hRLhRehRlhRB:DAkLRLRxRYRsRJRdR6RnRB

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JUlNE = "c:\\Windows\\System32\\JUlNE.exe"	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OIvqzxC = "c:\\Windows\\System32\\OIvqzxC.exe"	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JWE = "c:\\Windows\\System32\\JWE.exe"	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File created	C:\Program Files\desktop.ini	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\JUlNE.exe	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File created	\??\c:\Windows\System32\OIvqzxC.exe	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File created	\??\c:\Windows\System32\JWE.exe	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\jre\bin\WindowsAccessBridge-64.dll.exe	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-pl.xrm-ms.exe	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\30.png	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedSmallTile.scale-200.png	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Fonts\SkypeAssets-Light.ttf.exe	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\AppxSignature.p7x	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderSmallTile.contrast-black_scale-100.png.exe	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-80_contrast-white.png.exe	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-ul-oob.xrm-ms	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\Weather_TileSmallSquare.scale-100.png.exe	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Runtime.WindowsRuntime.UI.Xaml.dll	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\StoreLogo.scale-400_contrast-black.png.exe	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-black\WideTile.scale-100.png	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\PesterThrow.ps1.exe	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\PresentationCore.resources.dll	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\PresentationBuildTasks.resources.dll	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosWideTile.scale-100.png.exe	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\Assets\EmptyVideoProjectCreations_LightTheme.png	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-black\SmallTile.scale-100_contrast-black.png.exe	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Exchange.scale-200.png.exe	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libvpx_plugin.dll	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupWideTile.scale-150.png.exe	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ul-oob.xrm-ms	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-pl.xrm-ms.exe	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\osfsharedimm.dll	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\EmptyCalendarSearch.scale-400.png	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\models\en-US.mail.config	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ul-phn.xrm-ms.exe	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SPRING\PREVIEW.GIF.exe	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_dummy_plugin.dll	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-96_contrast-black.png.exe	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubStoreLogo.scale-200_contrast-white.png	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\SmallTile.scale-200.png.exe	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\VertexShader.cso	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Dial\Filter.png	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-gb\locimages\offsymxl.ttf	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml.exe	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\Classic\FreeCell.Medium.png.exe	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\msouc.exe.exe	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\proof.en-us.msi.16.en-us.vreg.dat	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libdcp_plugin.dll	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libadaptive_plugin.dll	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-30_altform-unplated.png	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ul-phn.xrm-ms.exe	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-72.png.exe	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeAppList.targetsize-32_altform-unplated_contrast-white.png	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Advanced-Light.scale-200.png.exe	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUEPRNT\BLUEPRNT.ELM	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\CalculatorSmallTile.contrast-white_scale-100.png	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\de-DE\MSFT_PackageManagement.strings.psd1	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\InkObj.dll.exe	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-stdio-l1-1-0.dll	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-36.png.exe	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-heap-l1-1-0.dll	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ppd.xrm-ms.exe	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\AppPackageLargeTile.scale-100_contrast-white.png.exe	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubWideTile.scale-125_contrast-high.png	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-heap-l1-1-0.dll	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources.pri	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Advanced-Dark.scale-125.png.exe	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationFramework.resources.dll	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\PresentationUI.resources.dll.exe	2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe

C:\Users\Admin\AppData\Local\Temp\2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-18_e5bd5434d2769abba057547204bfb3ab_poet-rat_snatch.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
PID:1804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip.dll.exe

Filesize
12.8MB

MD5
475157c0e8dda9fcb544e51ecb2f7b57

SHA1
5bac120c51135aae7e9bcb4cccc62f56c30756e6

SHA256
239260f956106fff1cbb9b732e54fbc101dd21bf7cbb3296def0d048235b4220

SHA512
95007bc350e0e09a47482c7dd0721e32d1eeb00d880eb9219758fde5e83727ce6453c126b104c8c394a83e7df241ca837dc7c9cfb47b1f3bc2e23e11e8f1a2f2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads