a6b21c396a5e0875875732d93d048176cf9ad78e34e8a08615590bcd90714c96

Analysis

max time kernel
147s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10/03/2025, 19:34

Target

2025-03-10_5f4ef6304cb9a61dda50aedf6b8c610f_frostygoop_poet-rat_sliver_snatch.exe
Size

4.6MB
MD5

5f4ef6304cb9a61dda50aedf6b8c610f
SHA1

22f8650d837639d5111458bef3c1f2452f4e7ca1
SHA256

a6b21c396a5e0875875732d93d048176cf9ad78e34e8a08615590bcd90714c96
SHA512

a9b9afd3da4520af570df62cecdc8e9e6b31730a71b13fd1ce7f681667be4f5774358cebd7126c3efe39ea8b101f24e39795b91507f936c392e5c44d2548446d
SSDEEP

49152:X/7Fss80KlU0zp+Z9vAaE5FKY/t76oUzrUA/AOiyjrbsn3zvSn9rMPN/u9Mj9ln6:v5sVPV+ZpoUzp/Tknj5BaXOY

Score

7^/10

discovery

Executes dropped EXE 1 IoCs

pid	Process
2848	KhqSZFQxEb.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

System Language Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-10_5f4ef6304cb9a61dda50aedf6b8c610f_frostygoop_poet-rat_sliver_snatch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KhqSZFQxEb.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task

pid	Process
2280	schtasks.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 2160	2492	2025-03-10_5f4ef6304cb9a61dda50aedf6b8c610f_frostygoop_poet-rat_sliver_snatch.exe	31
PID 2492 wrote to memory of 2160	2492	2025-03-10_5f4ef6304cb9a61dda50aedf6b8c610f_frostygoop_poet-rat_sliver_snatch.exe	31
PID 2492 wrote to memory of 2160	2492	2025-03-10_5f4ef6304cb9a61dda50aedf6b8c610f_frostygoop_poet-rat_sliver_snatch.exe	31
PID 2492 wrote to memory of 2160	2492	2025-03-10_5f4ef6304cb9a61dda50aedf6b8c610f_frostygoop_poet-rat_sliver_snatch.exe	31
PID 2160 wrote to memory of 2280	2160	cmd.exe	33
PID 2160 wrote to memory of 2280	2160	cmd.exe	33
PID 2160 wrote to memory of 2280	2160	cmd.exe	33
PID 2160 wrote to memory of 2280	2160	cmd.exe	33
PID 2712 wrote to memory of 2848	2712	taskeng.exe	35
PID 2712 wrote to memory of 2848	2712	taskeng.exe	35
PID 2712 wrote to memory of 2848	2712	taskeng.exe	35
PID 2712 wrote to memory of 2848	2712	taskeng.exe	35

C:\Windows\system32\taskeng.exe
taskeng.exe {90B814F6-89F9-4676-A663-62FF2C082328} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Users\Admin\AppData\Roaming\xbZstzVdno\KhqSZFQxEb.exe
  C:\Users\Admin\AppData\Roaming\xbZstzVdno\KhqSZFQxEb.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2848