751f8e4dd658c351afd7ec0a2136d0e12df32adefac4f0dad39c083a5d7afae6

Analysis

max time kernel
135s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
22-02-2025 04:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
Size

13.6MB
MD5

8f2b739d7b5d8fa4ad80044f44c21e12
SHA1

4c7b9c6abb726cdf9974411879b78f1cb6a6436a
SHA256

751f8e4dd658c351afd7ec0a2136d0e12df32adefac4f0dad39c083a5d7afae6
SHA512

9887d4464bdcb033750a5995529f2784322af09c65f6c00bb1cc61ffa262180783da201ee49bdcc7189b03c6132afaaec6cde6775e94f94cdae1a00f31911c48
SSDEEP

196608:I+D5q1SGs2yRwtkpqShRBhR3hREhRQhRShRPhR+hRbhRbhRFhRP:DAkLRLRxRYRMR2RZRaRtRtRHRP

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KZ = "c:\\Windows\\System32\\KZ.exe"	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dEJYiTP = "c:\\Windows\\System32\\dEJYiTP.exe"	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EgmCh = "c:\\Windows\\System32\\EgmCh.exe"	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File created	C:\Program Files\desktop.ini	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\KZ.exe	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File created	\??\c:\Windows\System32\dEJYiTP.exe	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File created	\??\c:\Windows\System32\EgmCh.exe	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\limited\US_export_policy.jar.exe	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml.exe	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\View3D.ResourceResolver.exe.config.exe	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-125_contrast-white.png	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-32.png.exe	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Controls.Ribbon.resources.dll.exe	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-black_targetsize-20.png	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarSmallTile.scale-200.png	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT-Rockwell.xml.exe	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.wordmui.msi.16.en-us.xml	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\dcf.x-none.msi.16.x-none.tree.dat	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml.exe	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-400_contrast-black.png.exe	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-40_altform-unplated.png	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-30_contrast-white.png.exe	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Advanced-Light.scale-125.png.exe	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubWideTile.scale-125_contrast-white.png.exe	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageMedTile.scale-150_contrast-black.png	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\x86\msvpxenc.dll	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WideTile.scale-200.png	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encoding.dll.exe	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL112.XML	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsBadgeLogo.scale-100.png	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-black\LargeTile.scale-100.png	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ul-phn.xrm-ms	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Office.dll.exe	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\Interceptor.dll.exe	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libdeinterlace_plugin.dll.exe	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\EmptyShare.scale-150.png.exe	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PAPYRUS\PAPYRUS.ELM	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.ServiceModel.Resources.dll	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-200.png.exe	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-256_altform-unplated_contrast-white.png	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationTypes.resources.dll.exe	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File created	C:\Program Files\Microsoft Office\root\vreg\proof.fr-fr.msi.16.fr-fr.vreg.dat.exe	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-36_altform-unplated_contrast-black.png	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-60_altform-unplated.png	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\InkObj.dll.mui	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\libvod_rtsp_plugin.dll	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\msoimm.dll	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\Spotlight_NFL.png	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationClient.resources.dll.exe	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sv-se.dll	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelGlyph.16.GrayF.png	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Weather_LogoSmall.targetsize-48_altform-unplated.png	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-96_contrast-white.png.exe	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-GoogleCloudCacheMini.scale-200.png	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.dll.exe	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File created	C:\Program Files\7-Zip\Lang\mn.txt.exe	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-ppd.xrm-ms.exe	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DcfMsoWrapper.dll.exe	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libjpeg_plugin.dll	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libaiff_plugin.dll.exe	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-96_altform-unplated.png	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubSmallTile.scale-200_contrast-white.png	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\en-GB\en-GB_female_TTS\platform_format.lua	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File created	C:\Program Files\Internet Explorer\it-IT\iexplore.exe.mui.exe	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-math-l1-1-0.dll	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MINSBPROXY.DLL	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_rgb_plugin.dll	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File created	C:\Program Files\Windows Media Player\uk-UA\wmpnetwk.exe.mui.exe	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-96_altform-unplated.png.exe	2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe

C:\Users\Admin\AppData\Local\Temp\2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-22_8f2b739d7b5d8fa4ad80044f44c21e12_poet-rat_snatch.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
PID:448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip.dll.exe

Filesize
14.4MB

MD5
025915f8aebb39e6c27a1f8a9aba9fd2

SHA1
0100e3229a9e56b766809864fac39d170d8755aa

SHA256
ee07f12d0d5c1c66a89f0118d99a6a1e891c12b9d9a7dc6cf5f294dd69c3af49

SHA512
4e8698de05e04c8174f1ed7ee55cffccd73c7f39688b59488315837f310387c81c18db8bd27ce3a8065a6fcc818726634e351a829de12c0bff374e2f25762cbb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads