3ee70db5d16cc166ed1b7837aa0f9a8d658127f8d6a7c47f9be83905bcb0ef21

Analysis

max time kernel
148s
max time network
172s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10/03/2025, 19:48

Target

2025-03-10_328a0b79e659a926f56bcaffe13ff347_frostygoop_poet-rat_sliver_snatch.exe
Size

681.0MB
MD5

328a0b79e659a926f56bcaffe13ff347
SHA1

f3aded348268faf23a69e04f1db3c9ff9d66ab22
SHA256

3ee70db5d16cc166ed1b7837aa0f9a8d658127f8d6a7c47f9be83905bcb0ef21
SHA512

9e5ab5bf3c038783681f92373d1acb184bcc7bd4e38275632ce6f92fffa5164dbf2d0f0f8bd035119a1f04db9efd87beec833f8a3949e6314657b242e27eca12
SSDEEP

12582912:KXRs1wQfQaEYPxk39eCSiQzVkVZ1F/4I4U7U2NSKT+aGPHkHHgfshdB:2ZZYPY9ehc1F/74QJgGxdB

Score

7^/10

discovery

Executes dropped EXE 1 IoCs

pid	Process
2584	KhqSZFQxEb.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

System Language Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KhqSZFQxEb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-10_328a0b79e659a926f56bcaffe13ff347_frostygoop_poet-rat_sliver_snatch.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task

pid	Process
2680	schtasks.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2812	2692	2025-03-10_328a0b79e659a926f56bcaffe13ff347_frostygoop_poet-rat_sliver_snatch.exe	30
PID 2692 wrote to memory of 2812	2692	2025-03-10_328a0b79e659a926f56bcaffe13ff347_frostygoop_poet-rat_sliver_snatch.exe	30
PID 2692 wrote to memory of 2812	2692	2025-03-10_328a0b79e659a926f56bcaffe13ff347_frostygoop_poet-rat_sliver_snatch.exe	30
PID 2692 wrote to memory of 2812	2692	2025-03-10_328a0b79e659a926f56bcaffe13ff347_frostygoop_poet-rat_sliver_snatch.exe	30
PID 2812 wrote to memory of 2680	2812	cmd.exe	32
PID 2812 wrote to memory of 2680	2812	cmd.exe	32
PID 2812 wrote to memory of 2680	2812	cmd.exe	32
PID 2812 wrote to memory of 2680	2812	cmd.exe	32
PID 2556 wrote to memory of 2584	2556	taskeng.exe	34
PID 2556 wrote to memory of 2584	2556	taskeng.exe	34
PID 2556 wrote to memory of 2584	2556	taskeng.exe	34
PID 2556 wrote to memory of 2584	2556	taskeng.exe	34

C:\Windows\system32\taskeng.exe
taskeng.exe {BFF1F425-1888-49E7-B785-2AA1EEA75A4D} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Users\Admin\AppData\Roaming\xbZstzVdno\KhqSZFQxEb.exe
  C:\Users\Admin\AppData\Roaming\xbZstzVdno\KhqSZFQxEb.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2584