82f55f828618106ecd9f1c44acde2f0eefd566d50edcddb1f5782d1af84846c0

Analysis

max time kernel
135s
max time network
190s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
14/03/2025, 01:06

Target

2025-03-14_f154e49cf53a5f16e94fa24b96307efd_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Size

647.4MB
MD5

f154e49cf53a5f16e94fa24b96307efd
SHA1

e889ddd87a48590db240f532ec083325df42dd27
SHA256

82f55f828618106ecd9f1c44acde2f0eefd566d50edcddb1f5782d1af84846c0
SHA512

d0e1e2ff2051fc00d8a89b35e9ba494e1ae582774cc1d3907b827b0b0832c288b87767dde371a280a6fd2d7b2049ea4c01cce4cc79e058f8c87d10cabcf67bc1
SSDEEP

12582912:Yd3gqIRuCRP7l2YW2gc+wvB0KysQOIcOnv7sWcJYR8i9iu4laWMquR0:UIwCpEB2gCvBgsUcVWcg8hnbm0

Score

7^/10

discovery

Executes dropped EXE 1 IoCs

pid	Process
2684	scjFAgqMDG.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

System Language Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-14_f154e49cf53a5f16e94fa24b96307efd_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scjFAgqMDG.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task

pid	Process
2884	schtasks.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2844	2056	2025-03-14_f154e49cf53a5f16e94fa24b96307efd_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	31
PID 2056 wrote to memory of 2844	2056	2025-03-14_f154e49cf53a5f16e94fa24b96307efd_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	31
PID 2056 wrote to memory of 2844	2056	2025-03-14_f154e49cf53a5f16e94fa24b96307efd_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	31
PID 2056 wrote to memory of 2844	2056	2025-03-14_f154e49cf53a5f16e94fa24b96307efd_frostygoop_gcleaner_poet-rat_sliver_snatch.exe	31
PID 2844 wrote to memory of 2884	2844	cmd.exe	33
PID 2844 wrote to memory of 2884	2844	cmd.exe	33
PID 2844 wrote to memory of 2884	2844	cmd.exe	33
PID 2844 wrote to memory of 2884	2844	cmd.exe	33
PID 2632 wrote to memory of 2684	2632	taskeng.exe	35
PID 2632 wrote to memory of 2684	2632	taskeng.exe	35
PID 2632 wrote to memory of 2684	2632	taskeng.exe	35
PID 2632 wrote to memory of 2684	2632	taskeng.exe	35

C:\Windows\system32\taskeng.exe
taskeng.exe {3C7D8240-5848-4C94-953D-811B59110B46} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Users\Admin\AppData\Roaming\dvrtfBxXgG\scjFAgqMDG.exe
  C:\Users\Admin\AppData\Roaming\dvrtfBxXgG\scjFAgqMDG.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2684