snatch | 5513b157beb22e67e20412c040964d626ca1f1938cb92a8440b3e8e016409941

General

Target

8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
Size

4.8MB
MD5

3b0cbbf271ff15faa0c5424de4a974f9
SHA1

8f50fbedc43a58fef6fe276a60eaf8a9539a8573
SHA256

efc9c817a126690f3d29d2167debeb17b24d2aa677b9fc069e5aed95f5b7400b
SHA512

5ed6b75d2b4f62a20830c03ee9208c683d6ec158677133d77671bad6cc9cbe12b0cc9cc8903b99fb3a7ba293e5f2986dfb6334e6d88d6c9b1af77da56cb75ae0

Score

10^/10

snatch ransomware spyware stealer upx

Malware Config

Signatures

Detecting the common Go functions and variables names used by Snatch ransomware 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/532-59-0x0000000000D10000-0x00000000011D5000-memory.dmp	family_snatch
behavioral1/memory/532-60-0x0000000000D10000-0x00000000011D5000-memory.dmp	family_snatch

Snatch Ransomware
Ransomware family generally distributed through RDP bruteforce attacks.
ransomware snatch

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/532-59-0x0000000000D10000-0x00000000011D5000-memory.dmp	upx
behavioral1/memory/532-60-0x0000000000D10000-0x00000000011D5000-memory.dmp	upx

Drops startup file 1 IoCs

Processes:

8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO RESTORE YOUR FILES.TXT	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Generic Ransomware Note 64 IoCs

Ransomware often writes a note containing information on how to pay the ransom.

Processes:

yara_rule
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note
generic_ransomware_note

Drops file in Program Files directory 64 IoCs

Processes:

8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe

description	ioc	process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\HOW TO RESTORE YOUR FILES.TXT	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\rarrow.gif.sdhvqq	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-selector-api.jar.sdhvqq	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Jayapura	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_Country.gif	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt.sdhvqq	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net_1.2.200.v20140124-2013.jar.sdhvqq	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00261_.WMF	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199279.WMF.sdhvqq	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Foundry.xml	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui_5.5.0.165303.jar.sdhvqq	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02262_.WMF.sdhvqq	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00289_.WMF	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0292020.WMF	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10256_.GIF	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File created	C:\Program Files\Java\jre7\HOW TO RESTORE YOUR FILES.TXT	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-output2_zh_CN.jar	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Cayenne.sdhvqq	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\2d.x3d	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\INDST_01.MID.sdhvqq	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02758U.BMP	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18234_.WMF.sdhvqq	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif.sdhvqq	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0315447.JPG.sdhvqq	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21321_.GIF	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT_K_COL.HXK.sdhvqq	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR30B.GIF	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSEvents.man.sdhvqq	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\HOW TO RESTORE YOUR FILES.TXT	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Toronto	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Mauritius.sdhvqq	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-startup.xml	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-9.sdhvqq	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB00673L.GIF.sdhvqq	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14882_.GIF.sdhvqq	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\HOW TO RESTORE YOUR FILES.TXT	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.text.nl_ja_4.4.0.v20140623020002.jar	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-cli_zh_CN.jar	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21340_.GIF.sdhvqq	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD_COL.HXT	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.diagnostic_5.5.0.165303.jar.sdhvqq	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\HOW TO RESTORE YOUR FILES.TXT	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\sunec.jar.sdhvqq	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Tirane.sdhvqq	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01631_.WMF.sdhvqq	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382965.JPG.sdhvqq	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10300_.GIF.sdhvqq	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15060_.GIF.sdhvqq	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+10	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Oslo	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\dragHandle.png.sdhvqq	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\vlc.mo	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01236_.WMF	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\HOW TO RESTORE YOUR FILES.TXT	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\HOW TO RESTORE YOUR FILES.TXT	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\feature.properties.sdhvqq	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-common.xml.sdhvqq	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10255_.GIF	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14655_.GIF	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR5B.GIF	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\keystore\HOW TO RESTORE YOUR FILES.TXT	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\HOW TO RESTORE YOUR FILES.TXT	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt.sdhvqq	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

1484 sc.exe

pid	process
1484	sc.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

8f50fbedc43a58fef6fe276a60eaf8a9539a8573.execmd.exe

description	pid	process	target process
PID 532 wrote to memory of 940	532	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe	cmd.exe
PID 532 wrote to memory of 940	532	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe	cmd.exe
PID 532 wrote to memory of 940	532	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe	cmd.exe
PID 940 wrote to memory of 1484	940	cmd.exe	sc.exe
PID 940 wrote to memory of 1484	940	cmd.exe	sc.exe
PID 940 wrote to memory of 1484	940	cmd.exe	sc.exe
PID 940 wrote to memory of 1356	940	cmd.exe	findstr.exe
PID 940 wrote to memory of 1356	940	cmd.exe	findstr.exe
PID 940 wrote to memory of 1356	940	cmd.exe	findstr.exe
PID 532 wrote to memory of 1112	532	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe	cmd.exe
PID 532 wrote to memory of 1112	532	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe	cmd.exe
PID 532 wrote to memory of 1112	532	8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
"C:\Users\Admin\AppData\Local\Temp\8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe"
1⤵
- Drops startup file
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:532
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\lujyikb.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Windows\system32\sc.exe
    SC QUERY
    3⤵
    - Launches sc.exe
    PID:1484
- - C:\Windows\system32\findstr.exe
    FINDSTR SERVICE_NAME
    3⤵
    PID:1356
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\tfjfjak.bat
  2⤵
  PID:1112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lujyikb.bat

Filesize
43B

MD5
55310bb774fff38cca265dbc70ad6705

SHA1
cb8d76e9fd38a0b253056e5f204dab5441fe932b

SHA256
1fbdb97893d09d59575c3ef95df3c929fe6b6ddf1b273283e4efadf94cdc802d

SHA512
40e5a5e8454ca3eaac36d732550e2c5d869a235e3bbc4d31c4afa038fe4e06f782fa0885e876ad8119be766477fdcc12c1d5d04d53cf6b324e366b5351fc7cd4

Download Submit
memory/532-59-0x0000000000D10000-0x00000000011D5000-memory.dmp

Filesize
4.8MB

Download
memory/532-60-0x0000000000D10000-0x00000000011D5000-memory.dmp

Filesize
4.8MB

Download
memory/940-54-0x0000000000000000-mapping.dmp

Download
memory/1112-58-0x0000000000000000-mapping.dmp

Download
memory/1356-57-0x0000000000000000-mapping.dmp

Download
memory/1484-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads