13bdd36f12b047e791ad26cd7bb33ba17fd7404f043fa8db9f6179171fb408bb

Analysis

max time kernel
109s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
25/03/2025, 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
Size

14.3MB
MD5

7736bdd0e9bdd1e16172898147a3aed4
SHA1

cf7ccbf3e5632c451ca7d88b77a082adc6373e69
SHA256

13bdd36f12b047e791ad26cd7bb33ba17fd7404f043fa8db9f6179171fb408bb
SHA512

ba07db7fa9086e1124a6f7f6812ce1c0286c3d1f61c243ea558fbe726cd9bf64ececfb64cf94d355a4d0ae99605e9476e8856c237c7170a0beca47469b57666d
SSDEEP

196608:I+D5q1SGs2yRwtkpqShRBhR3hREhRqhRYhRkhRBhRWhRohRBhRKhRG:DAkLRLRxRYR+RkR4RLRCR0RLReRG

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waXH = "c:\\Windows\\System32\\waXH.exe"	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "c:\\Windows\\System32\\.exe"	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gSun = "c:\\Windows\\System32\\gSun.exe"	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\desktop.ini	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\waXH.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	\??\c:\Windows\System32\.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	\??\c:\Windows\System32\gSun.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\EmptyCalendarSearch.scale-125.png.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\DirectWriteForwarder.dll.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-256_altform-unplated.png.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\Office.UI.Xaml.Uci.dll.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019DemoR_BypassTrial180-ul-oob.xrm-ms.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-pl.xrm-ms.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\kb-unlocked.png	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.RunTime.Serialization.Resources.dll	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-80_altform-unplated.png	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\images\PaySquare44x44Logo.targetsize-24_altform-unplated.png	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\SmallTile.scale-200.png.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\informix.xsl	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_LogoSmall.targetsize-256.png.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.winmd	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-pl.xrm-ms	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_autodel_plugin.dll.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-20.png.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-24_altform-unplated_contrast-white.png	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\Office.png	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageWideTile.scale-200_contrast-black.png.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageMedTile.scale-125.png.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-64_contrast-high.png	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_ts_plugin.dll.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\GenericMailBadge.scale-200.png.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-libraryloader-l1-1-0.dll.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-40_contrast-white.png.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.dll.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.ConnectionUI.dll	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\osm.x-none.msi.16.x-none.tree.dat	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Excel.Amo.dll.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\vlc.mo.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookWideTile.scale-150.png	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.Annotations.dll.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CASCADE\CASCADE.INF.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebProxy.dll.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\JumpListNewNote.png	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-80_contrast-black.png	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-256_altform-unplated.png	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyCalendarSearch-Dark.scale-400.png	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pt-BR\tipresx.dll.mui	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_F_COL.HXK.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymsl.ttf.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_expiration_terms_dict.txt	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-100.png	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\charsets.jar	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART15.BDR	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\eu-ES\View3d\3DViewerProductDescription-universal.xml	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SpreadsheetIQ.ExcelServices.dll	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSplashScreen.contrast-white_scale-125.png	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupMedTile.scale-400.png.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\WideTile.scale-100.png	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-16_altform-unplated.png.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Java\jre-1.8\bin\jfxwebkit.dll.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Java\jre-1.8\lib\flavormap.properties.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ppd.xrm-ms.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-200.png.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\EmptyShare.scale-200.png	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Call_Connecting_Loud.m4a	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.scale-100.png	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\WindowsFormsIntegration.resources.dll.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe

C:\Users\Admin\AppData\Local\Temp\2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-25_7736bdd0e9bdd1e16172898147a3aed4_poet-rat_sliver_snatch.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
PID:860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip.dll.exe

Filesize
15.0MB

MD5
d755f082b6a8d44d94e7086d3edb8ded

SHA1
a3d3c3690fa9beb4d55d4b37cd50e5f998d28847

SHA256
1f52443378398a15eebafd3b0a7e4e5eacf400b61206eb82946fea1ca10ce968

SHA512
2bc187f9132bedb1f00a9d40221aa0e355ea07f37245cdb5559e2cd5b521513a22ab6e9f5f225303e0192c4d8079d36d4c7b039e93f6fc6c078457380ec09dc1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads