Analysis

  • max time kernel
    29s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    08/07/2022, 07:16

General

  • Target
    8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
  • Size
    4.8MB
  • MD5
    3b0cbbf271ff15faa0c5424de4a974f9
  • SHA1
    8f50fbedc43a58fef6fe276a60eaf8a9539a8573
  • SHA256
    efc9c817a126690f3d29d2167debeb17b24d2aa677b9fc069e5aed95f5b7400b
  • SHA512
    5ed6b75d2b4f62a20830c03ee9208c683d6ec158677133d77671bad6cc9cbe12b0cc9cc8903b99fb3a7ba293e5f2986dfb6334e6d88d6c9b1af77da56cb75ae0

Malware Config

Signatures

  • Detecting the common Go function and variable names used by Snatch ransomware (2 IoCs)
  • Snatch Ransomware

    Ransomware family generally distributed through RDP brute-force attacks.

  • UPX packed file (2 IoCs)

    Detects executables packed with UPX or a modified build of the UPX open-source packer.

  • Drops startup file (1 IoC)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Generic Ransomware Note (64 IoCs)

    Ransomware often writes a note containing information on how to pay the ransom.

  • Drops file in Program Files directory (64 IoCs)
  • Launches sc.exe (1 IoC)

    sc.exe is a Windows utility to control services on the system.

  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe
    "C:\Users\Admin\AppData\Local\Temp\8f50fbedc43a58fef6fe276a60eaf8a9539a8573.exe"
    1⤵
    • Drops startup file
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:532
    • C:\Windows\system32\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\lujyikb.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:940
      • C:\Windows\system32\sc.exe
        SC QUERY
        3⤵
        • Launches sc.exe
        PID:1484
      • C:\Windows\system32\findstr.exe
        FINDSTR SERVICE_NAME
        3⤵
        PID:1356
    • C:\Windows\system32\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\tfjfjak.bat
      2⤵
      PID:1112

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\Local\Temp\lujyikb.bat
    Filesize
    43B
    MD5
    55310bb774fff38cca265dbc70ad6705
    SHA1
    cb8d76e9fd38a0b253056e5f204dab5441fe932b
    SHA256
    1fbdb97893d09d59575c3ef95df3c929fe6b6ddf1b273283e4efadf94cdc802d
    SHA512
    40e5a5e8454ca3eaac36d732550e2c5d869a235e3bbc4d31c4afa038fe4e06f782fa0885e876ad8119be766477fdcc12c1d5d04d53cf6b324e366b5351fc7cd4
  • memory/532-59-0x0000000000D10000-0x00000000011D5000-memory.dmp
    Filesize
    4.8MB
  • memory/532-60-0x0000000000D10000-0x00000000011D5000-memory.dmp
    Filesize
    4.8MB