snatch | 81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a

Analysis

max time kernel
191s
max time network
249s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
Size

5.0MB
MD5

6b114c9e97ef3ff022b51a6e0f6b32af
SHA1

92979adf9ca1180cf7c39cb7a02641f7b4e1eff0
SHA256

81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a
SHA512

065cb4bd68bafae39c1c420eaed314def3a7ecff9dddcc5c5ebb0c34c8ad8fb2a3c6ee50c18e6b025da4666210a77384ca6f175dff26061dfbc2a71a981a4466
SSDEEP

98304:7ExhIKfP5bW1gDaogfd9xkGmBjEQX1DXi5VJUsUyuW/Du3TZyZ1GPY:4xhI0P5bW1g+nfHxkGmBjEQX1DXiJUsx

Score

10^/10

snatch ransomware upx

Malware Config

Signatures

Detecting the common Go functions and variables names used by Snatch ransomware 2 IoCs

resource	yara_rule
behavioral2/memory/3216-133-0x0000000000400000-0x0000000000A1D000-memory.dmp	family_snatch
behavioral2/memory/3216-139-0x0000000000400000-0x0000000000A1D000-memory.dmp	family_snatch

Snatch Ransomware
Ransomware family generally distributed through RDP bruteforce attacks.
ransomware snatch

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3216-133-0x0000000000400000-0x0000000000A1D000-memory.dmp	upx
behavioral2/memory/3216-139-0x0000000000400000-0x0000000000A1D000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PAPYRUS\HOW TO RESTORE YOUR FILES.TXT	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\feedback.gif	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\mix.gif.rotexwl	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-application.jar	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\ffjcext.zip.rotexwl	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\MANIFEST.MF.rotexwl	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.nl_ja_4.4.0.v20140623020002.jar	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\org-openide-util-lookup_zh_CN.jar	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core-ui.xml.rotexwl	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sr\HOW TO RESTORE YOUR FILES.TXT	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\locale\core_ja.jar.rotexwl	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_winxp_blu.css	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-snaptracer_ja.jar.rotexwl	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.properties	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\ms.pak.rotexwl	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\resources.jar.rotexwl	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui_2.3.0.v20140404-1657.jar.rotexwl	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-loaders_zh_CN.jar.rotexwl	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-heapdump.xml	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\fr.pak	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\HOW TO RESTORE YOUR FILES.TXT	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\HOW TO RESTORE YOUR FILES.TXT	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\HOW TO RESTORE YOUR FILES.TXT	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-text_ja.jar.rotexwl	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfr\profile.jfc.rotexwl	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft.NET\HOW TO RESTORE YOUR FILES.TXT	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui_5.5.0.165303.jar.rotexwl	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher.nl_ja_4.4.0.v20140623020002.jar	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File created	C:\Program Files\VideoLAN\VLC\locale\km\HOW TO RESTORE YOUR FILES.TXT	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\uk\HOW TO RESTORE YOUR FILES.TXT	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-api-search_ja.jar.rotexwl	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-execution_zh_CN.jar	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins.nl_zh_4.4.0.v20140623020002.jar.rotexwl	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\HOW TO RESTORE YOUR FILES.TXT	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt.rotexwl	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\orb.idl	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\org-netbeans-core_visualvm.jar	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLENDS\HOW TO RESTORE YOUR FILES.TXT	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\jawt.lib.rotexwl	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-oql.xml.rotexwl	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\HOW TO RESTORE YOUR FILES.TXT	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.xml	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.components.ui_5.5.0.165303.jar	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\HOW TO RESTORE YOUR FILES.TXT	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-BA\HOW TO RESTORE YOUR FILES.TXT	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\HOW TO RESTORE YOUR FILES.TXT	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\hijrah-config-umalqura.properties.rotexwl	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.emf.common_2.10.1.v20140901-1043.jar.rotexwl	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation_1.2.100.v20131119-0908.jar	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-loaders_ja.jar	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-lib-uihandler.jar	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File created	C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\HOW TO RESTORE YOUR FILES.TXT	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt.rotexwl	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository.nl_zh_4.4.0.v20140623020002.jar	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fy\HOW TO RESTORE YOUR FILES.TXT	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\HOW TO RESTORE YOUR FILES.TXT	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ecf.filetransfer_5.0.0.v20140827-1444.jar	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-favorites_ja.jar.rotexwl	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\COPYRIGHT.rotexwl	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-spi-quicksearch.jar.rotexwl	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
732	sc.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3216 wrote to memory of 4332	3216	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe	83
PID 3216 wrote to memory of 4332	3216	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe	83
PID 3216 wrote to memory of 4332	3216	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe	83
PID 4332 wrote to memory of 732	4332	cmd.exe	85
PID 4332 wrote to memory of 732	4332	cmd.exe	85
PID 4332 wrote to memory of 732	4332	cmd.exe	85
PID 4332 wrote to memory of 2680	4332	cmd.exe	86
PID 4332 wrote to memory of 2680	4332	cmd.exe	86
PID 4332 wrote to memory of 2680	4332	cmd.exe	86
PID 3216 wrote to memory of 3948	3216	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe	87
PID 3216 wrote to memory of 3948	3216	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe	87
PID 3216 wrote to memory of 3948	3216	81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe	87

C:\Users\Admin\AppData\Local\Temp\81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
"C:\Users\Admin\AppData\Local\Temp\81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qcivylyhsl.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4332
- - C:\Windows\SysWOW64\sc.exe
    SC QUERY
    3⤵
    - Launches sc.exe
    PID:732
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR SERVICE_NAME
    3⤵
    PID:2680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phckwbrjqt.bat
  2⤵
  PID:3948

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\qcivylyhsl.bat

Filesize
43B

MD5
55310bb774fff38cca265dbc70ad6705

SHA1
cb8d76e9fd38a0b253056e5f204dab5441fe932b

SHA256
1fbdb97893d09d59575c3ef95df3c929fe6b6ddf1b273283e4efadf94cdc802d

SHA512
40e5a5e8454ca3eaac36d732550e2c5d869a235e3bbc4d31c4afa038fe4e06f782fa0885e876ad8119be766477fdcc12c1d5d04d53cf6b324e366b5351fc7cd4

Download Submit
memory/3216-132-0x0000000000400000-0x0000000000A1D000-memory.dmp

Filesize
6.1MB

Download
memory/3216-133-0x0000000000400000-0x0000000000A1D000-memory.dmp

Filesize
6.1MB

Download
memory/3216-139-0x0000000000400000-0x0000000000A1D000-memory.dmp

Filesize
6.1MB

Download