13bdd36f12b047e791ad26cd7bb33ba17fd7404f043fa8db9f6179171fb408bb

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
25/03/2025, 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
Size

14.3MB
MD5

7736bdd0e9bdd1e16172898147a3aed4
SHA1

cf7ccbf3e5632c451ca7d88b77a082adc6373e69
SHA256

13bdd36f12b047e791ad26cd7bb33ba17fd7404f043fa8db9f6179171fb408bb
SHA512

ba07db7fa9086e1124a6f7f6812ce1c0286c3d1f61c243ea558fbe726cd9bf64ececfb64cf94d355a4d0ae99605e9476e8856c237c7170a0beca47469b57666d
SSDEEP

196608:I+D5q1SGs2yRwtkpqShRBhR3hREhRqhRYhRkhRBhRWhRohRBhRKhRG:DAkLRLRxRYR+RkR4RLRCR0RLReRG

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QWYdwHM = "c:\\Windows\\System32\\QWYdwHM.exe"	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sorNKSn = "c:\\Windows\\System32\\sorNKSn.exe"	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gaz = "c:\\Windows\\System32\\gaz.exe"	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe

Drops desktop.ini file(s) 9 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Games\Hearts\desktop.ini	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\desktop.ini	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Microsoft Games\Chess\desktop.ini	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\gaz.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	\??\c:\Windows\System32\QWYdwHM.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	\??\c:\Windows\System32\sorNKSn.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-openide-compat.xml_hidden.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Java\jre7\lib\zi\Antarctica\Troll.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\sd\icecast.luac	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\IPSEventLogMsg.dll.mui	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host.xml.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Lagos	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\jamendo.luac.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\gadget.xml	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push_item.png	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_SelectionSubpicture.png	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-io-ui.xml	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\CST6	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\Microsoft.Build.Engine.resources.dll	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\jquery-ui-1.8.13.custom.css	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Windows NT\TableTextService\it-IT\TableTextService.dll.mui	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\currency.html	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\GreenBubbles.jpg	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Jayapura.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_disabled.png.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\flyout.html	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rssLogo.gif.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\notes-static.png.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\COPYRIGHT	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Bougainville.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.httpclient4.ssl_1.0.0.v20140827-1444.jar	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-api-search.jar.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-visual.xml.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-oql.jar	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipRes.dll.mui.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.ui_5.5.0.165303.jar.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Mozilla Firefox\IA2Marshal.dll	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_bridge_plugin.dll.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Windows Mail\it-IT\msoeres.dll.mui.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\settings.js	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_SelectionSubpicture.png	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\MST	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\10.png.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Monterrey.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-util.xml	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\updater_ja.jar	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-actions.xml	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Mozilla Firefox\updater.exe.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libvpx_plugin.dll.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\v8_context_snapshot.bin	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.preferences_3.5.200.v20140224-1527.jar	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libdemuxdump_plugin.dll.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_divider_left.png	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\7-Zip\Lang\ga.txt.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tpcps.dll	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\splashscreen.dll.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Jamaica.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-gibbous.png.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\InkWatson.exe.mui	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans_1.2.200.v20140214-0004.jar	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libasf_plugin.dll.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libsmf_plugin.dll	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_s.png	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Samara.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\chkrzm.exe.mui	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\custom.lua	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\css\currency.css	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe

C:\Users\Admin\AppData\Local\Temp\2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip32.dll

Filesize
15.0MB

MD5
998ffad7d2cc37722f7e68d1c83b9c30

SHA1
553f795fd003770dc02211c3cf7b1ef0d69d7b3f

SHA256
0d65aad3bf324bdce1f292ce24e3e51b333e9d890afb2f03598d774caa4e2349

SHA512
91510405165ead2c80bb5d54f970f609fe0fc5618a5851126bd4b61eaa4b9d0d2567b4b34a8d8580f58fa1161366bdde965e71d9142faec0b9ab024862b0547d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads