Analysis

  • max time kernel
    191s
  • max time network
    249s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-11-2022 18:35

General

  • Target

    81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe

  • Size

    5.0MB

  • MD5

    6b114c9e97ef3ff022b51a6e0f6b32af

  • SHA1

    92979adf9ca1180cf7c39cb7a02641f7b4e1eff0

  • SHA256

    81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a

  • SHA512

    065cb4bd68bafae39c1c420eaed314def3a7ecff9dddcc5c5ebb0c34c8ad8fb2a3c6ee50c18e6b025da4666210a77384ca6f175dff26061dfbc2a71a981a4466

  • SSDEEP

    98304:7ExhIKfP5bW1gDaogfd9xkGmBjEQX1DXi5VJUsUyuW/Du3TZyZ1GPY:4xhI0P5bW1g+nfHxkGmBjEQX1DXiJUsx

Score
10/10

Malware Config

Signatures

  • Detecting the common Go functions and variables names used by Snatch ransomware 2 IoCs
  • Snatch Ransomware

    Ransomware family generally distributed through RDP bruteforce attacks.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 64 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe
    "C:\Users\Admin\AppData\Local\Temp\81b79660be9fc60338eb69eaab2e0b9cfdc750fc5a7e05dabb50a3d45a993b7a.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:3216
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qcivylyhsl.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4332
      • C:\Windows\SysWOW64\sc.exe
        SC QUERY
        3⤵
        • Launches sc.exe
        PID:732
      • C:\Windows\SysWOW64\findstr.exe
        FINDSTR SERVICE_NAME
        3⤵
          PID:2680
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phckwbrjqt.bat
        2⤵
          PID:3948

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\qcivylyhsl.bat

        Filesize

        43B

        MD5

        55310bb774fff38cca265dbc70ad6705

        SHA1

        cb8d76e9fd38a0b253056e5f204dab5441fe932b

        SHA256

        1fbdb97893d09d59575c3ef95df3c929fe6b6ddf1b273283e4efadf94cdc802d

        SHA512

        40e5a5e8454ca3eaac36d732550e2c5d869a235e3bbc4d31c4afa038fe4e06f782fa0885e876ad8119be766477fdcc12c1d5d04d53cf6b324e366b5351fc7cd4

      • memory/3216-132-0x0000000000400000-0x0000000000A1D000-memory.dmp

        Filesize

        6.1MB

      • memory/3216-133-0x0000000000400000-0x0000000000A1D000-memory.dmp

        Filesize

        6.1MB

      • memory/3216-139-0x0000000000400000-0x0000000000A1D000-memory.dmp

        Filesize

        6.1MB