Analysis
-
max time kernel
104s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
07-06-2023 01:35
Behavioral task
behavioral1
Sample
sample.exe
Resource
win7-20230220-en
windows7-x64
14 signatures
150 seconds
Behavioral task
behavioral2
Sample
sample.exe
Resource
win10v2004-20230220-en
windows10-2004-x64
14 signatures
150 seconds
General
-
Target
sample.exe
-
Size
2.5MB
-
MD5
2bbff2111232d73a93cd435300d0a07e
-
SHA1
b93d633d379052f0a15b0f9c7094829461a86dbb
-
SHA256
3160b4308dd9434ebb99e5747ec90d63722a640d329384b1ed536b59352dace6
-
SHA512
566ebe109cc4550363a4336fb905b8009bd66a1389cc9cfcd79ffbbd59fe957b1f2cbcfb431b9d707e03f78133b802c8367b022421dff6eb71962c5b6d4ea402
-
SSDEEP
49152:B+CUkw0e9xep5A4354qUoJo5DtjDgk9bcnfoEKSMBB90hMhlqTO4rpun4I:4CVG9y5ASUoJo5D5DgmbKfotB902QTOw
Score
10/10
Malware Config
Extracted
Path
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\HOW TO RESTORE YOUR FILES.TXT
Ransom Note
Hello! All your files are encrypted and only we can decrypt them.
Contact us:
[email protected] or [email protected]
Write us if you want to return your files - we can do it very quickly!
The header of letter must contain extension of encrypted files.
We always reply within 24 hours. If not - check spam folder, resend your letter or try send letter from another email service (like protonmail.com).
Attention!
Do not rename or edit encrypted files: you may have permanent data loss.
To prove that we can recover your files, we am ready to decrypt any three files (less than 1Mb) for free (except databases, Excel and backups).
HURRY UP!
If you do not email us in the next 48 hours then your data may be lost permanently.
Signatures
-
Detecting the common Go functions and variables names used by Snatch ransomware 8 IoCs
resource yara_rule behavioral2/memory/1916-162-0x0000000000400000-0x00000000008C6000-memory.dmp family_snatch behavioral2/memory/1916-3681-0x0000000000400000-0x00000000008C6000-memory.dmp family_snatch behavioral2/memory/1916-4419-0x0000000000400000-0x00000000008C6000-memory.dmp family_snatch behavioral2/memory/1916-9556-0x0000000000400000-0x00000000008C6000-memory.dmp family_snatch behavioral2/memory/1916-12391-0x0000000000400000-0x00000000008C6000-memory.dmp family_snatch behavioral2/memory/1916-16930-0x0000000000400000-0x00000000008C6000-memory.dmp family_snatch behavioral2/memory/1916-22102-0x0000000000400000-0x00000000008C6000-memory.dmp family_snatch behavioral2/memory/1916-22107-0x0000000000400000-0x00000000008C6000-memory.dmp family_snatch -
Snatch Ransomware
Ransomware family generally distributed through RDP bruteforce attacks.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (8974) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Modifies extensions of user files 17 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File opened for modification C:\Users\Admin\Pictures\SelectSave.raw.gdjlosvtnib sample.exe File renamed C:\Users\Admin\Pictures\DismountSplit.raw => C:\Users\Admin\Pictures\DismountSplit.raw.gdjlosvtnib sample.exe File opened for modification C:\Users\Admin\Pictures\DismountSplit.raw.gdjlosvtnib sample.exe File renamed C:\Users\Admin\Pictures\FormatRemove.tif => C:\Users\Admin\Pictures\FormatRemove.tif.gdjlosvtnib sample.exe File opened for modification C:\Users\Admin\Pictures\MeasureRedo.tif.gdjlosvtnib sample.exe File renamed C:\Users\Admin\Pictures\ResolveOptimize.tiff => C:\Users\Admin\Pictures\ResolveOptimize.tiff.gdjlosvtnib sample.exe File renamed C:\Users\Admin\Pictures\MeasureRedo.tif => C:\Users\Admin\Pictures\MeasureRedo.tif.gdjlosvtnib sample.exe File opened for modification C:\Users\Admin\Pictures\FormatRemove.tif.gdjlosvtnib sample.exe File opened for modification C:\Users\Admin\Pictures\ResolveOptimize.tiff.gdjlosvtnib sample.exe File renamed C:\Users\Admin\Pictures\SuspendProtect.raw => C:\Users\Admin\Pictures\SuspendProtect.raw.gdjlosvtnib sample.exe File opened for modification C:\Users\Admin\Pictures\SuspendProtect.raw.gdjlosvtnib sample.exe File opened for modification C:\Users\Admin\Pictures\ResolveOptimize.tiff sample.exe File renamed C:\Users\Admin\Pictures\SkipUnprotect.png => C:\Users\Admin\Pictures\SkipUnprotect.png.gdjlosvtnib sample.exe File opened for modification C:\Users\Admin\Pictures\SkipUnprotect.png.gdjlosvtnib sample.exe File renamed C:\Users\Admin\Pictures\SelectSave.raw => C:\Users\Admin\Pictures\SelectSave.raw.gdjlosvtnib sample.exe File renamed C:\Users\Admin\Pictures\RestoreResize.png => C:\Users\Admin\Pictures\RestoreResize.png.gdjlosvtnib sample.exe File opened for modification C:\Users\Admin\Pictures\RestoreResize.png.gdjlosvtnib sample.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\HOW TO RESTORE YOUR FILES.TXT sample.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO RESTORE YOUR FILES.TXT sample.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral2/memory/1916-162-0x0000000000400000-0x00000000008C6000-memory.dmp upx behavioral2/memory/1916-3681-0x0000000000400000-0x00000000008C6000-memory.dmp upx behavioral2/memory/1916-4419-0x0000000000400000-0x00000000008C6000-memory.dmp upx behavioral2/memory/1916-9556-0x0000000000400000-0x00000000008C6000-memory.dmp upx behavioral2/memory/1916-12391-0x0000000000400000-0x00000000008C6000-memory.dmp upx behavioral2/memory/1916-16930-0x0000000000400000-0x00000000008C6000-memory.dmp upx behavioral2/memory/1916-22102-0x0000000000400000-0x00000000008C6000-memory.dmp upx behavioral2/memory/1916-22107-0x0000000000400000-0x00000000008C6000-memory.dmp upx -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\1033\HOW TO RESTORE YOUR FILES.TXT sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-ppd.xrm-ms sample.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosMedTile.scale-125.png sample.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\_Resources\3.rsrc sample.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\ShouldThrow.snippets.ps1xml sample.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\it-it\HOW TO RESTORE YOUR FILES.TXT sample.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\zh-tw\ui-strings.js sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_K_COL.HXK.gdjlosvtnib sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-80.png.gdjlosvtnib sample.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\6445_48x48x32.png sample.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeSmallTile.scale-100.png sample.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\ShouldNotBe.snippets.ps1xml sample.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\RHP_icons_2x.png.gdjlosvtnib sample.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-text.xml sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-ul-oob.xrm-ms.gdjlosvtnib sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Professional2019DemoR_BypassTrial180-ul-oob.xrm-ms.gdjlosvtnib sample.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-256_altform-unplated_contrast-high.png sample.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\S_IlluEmptyStateDCFiles_280x192.svg.gdjlosvtnib sample.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\css\main.css.gdjlosvtnib sample.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-ae\HOW TO RESTORE YOUR FILES.TXT sample.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro.zh_CN_5.5.0.165303.jar.gdjlosvtnib sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-pl.xrm-ms.gdjlosvtnib sample.exe File created C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\TagAlbumDefinitions\HOW TO RESTORE YOUR FILES.TXT sample.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\AssetLibrary.ico sample.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_delete_18.svg.gdjlosvtnib sample.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\s_checkbox_unselected_18.svg sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\ms\msipc.dll.mui.gdjlosvtnib sample.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-80.png sample.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ko-kr\ui-strings.js sample.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\hr-hr\ui-strings.js.gdjlosvtnib sample.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\css\main-selector.css.gdjlosvtnib sample.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Describe.ps1 sample.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-24_contrast-black.png sample.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon_2x.png sample.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppPackageMedTile.scale-100.png sample.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-32.png sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-pl.xrm-ms sample.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-24_contrast-white.png sample.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\distribute_form.gif.gdjlosvtnib sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange.xml.gdjlosvtnib sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-ppd.xrm-ms sample.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\SkypeLargeTile.scale-100_contrast-black.png sample.exe File opened for modification C:\Program Files\7-Zip\Lang\ja.txt.gdjlosvtnib sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\mscss7cm_en.dub.gdjlosvtnib sample.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-400_contrast-black.png sample.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fr-ma\ui-strings.js sample.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler_zh_CN.jar.gdjlosvtnib sample.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\PREVIEW.GIF sample.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\zy______.pfm.gdjlosvtnib sample.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\gd.pak.DATA sample.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins_1.1.200.v20131119-0908.jar.gdjlosvtnib sample.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\BadgeLogo.scale-125.png sample.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\MedTile.scale-100.png sample.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-256_altform-lightunplated_devicefamily-colorfulunplated.png sample.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\hu-hu\ui-strings.js.gdjlosvtnib sample.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\hu-hu\ui-strings.js sample.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\zh-tw\HOW TO RESTORE YOUR FILES.TXT sample.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\cstm_brand_preview.png sample.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\INDUST\HOW TO RESTORE YOUR FILES.TXT sample.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_zh_CN.properties.gdjlosvtnib sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\TrebuchetMs.xml sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial-pl.xrm-ms.gdjlosvtnib sample.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarLogoExtensions.scale-32.png sample.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected] sample.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 400 sc.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1516 vssadmin.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeBackupPrivilege 4608 vssvc.exe Token: SeRestorePrivilege 4608 vssvc.exe Token: SeAuditPrivilege 4608 vssvc.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 1916 wrote to memory of 1544 1916 sample.exe 83 PID 1916 wrote to memory of 1544 1916 sample.exe 83 PID 1544 wrote to memory of 400 1544 cmd.exe 85 PID 1544 wrote to memory of 400 1544 cmd.exe 85 PID 1544 wrote to memory of 2320 1544 cmd.exe 86 PID 1544 wrote to memory of 2320 1544 cmd.exe 86 PID 1916 wrote to memory of 4408 1916 sample.exe 88 PID 1916 wrote to memory of 4408 1916 sample.exe 88 PID 1916 wrote to memory of 5060 1916 sample.exe 96 PID 1916 wrote to memory of 5060 1916 sample.exe 96 PID 5060 wrote to memory of 1516 5060 cmd.exe 98 PID 5060 wrote to memory of 1516 5060 cmd.exe 98 PID 1916 wrote to memory of 4852 1916 sample.exe 101 PID 1916 wrote to memory of 4852 1916 sample.exe 101 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\sample.exe"C:\Users\Admin\AppData\Local\Temp\sample.exe"1⤵
- Modifies extensions of user files
- Drops startup file
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\exbbsadtlvksobdmp.bat2⤵
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Windows\system32\sc.exeSC QUERY3⤵
- Launches sc.exe
PID:400
-
-
C:\Windows\system32\findstr.exeFINDSTR SERVICE_NAME3⤵PID:2320
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dmadll.bat2⤵PID:4408
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xqqygpbrvdxrjbgeyvjr.bat2⤵
- Suspicious use of WriteProcessMemory
PID:5060 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:1516
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdidrnuwttosilxnron.bat2⤵PID:4852
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4608
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
758B
MD5362c51682bf01718f78792252759ea48
SHA1d2a7021fad7dc0551a9b19274d114fdebd0d24db
SHA2568104414020397799ae6c4f779a8486a8a5c2975f4a5cee250151ccfa9911f8ab
SHA512b6ed4e553e0d414cd83025d9c1a4170c8940744364f8662f5e86fbbe4d60c60471c5bd6d58fe28b9aec04b7d09ad9a688093c1632f22baa66cb0c1969a644154
-
Filesize
43B
MD555310bb774fff38cca265dbc70ad6705
SHA1cb8d76e9fd38a0b253056e5f204dab5441fe932b
SHA2561fbdb97893d09d59575c3ef95df3c929fe6b6ddf1b273283e4efadf94cdc802d
SHA51240e5a5e8454ca3eaac36d732550e2c5d869a235e3bbc4d31c4afa038fe4e06f782fa0885e876ad8119be766477fdcc12c1d5d04d53cf6b324e366b5351fc7cd4
-
Filesize
47B
MD52202e846ba05d7f0bb20adbc5249c359
SHA14115d2d15614503456aea14db61d71a756cc7b8c
SHA2560965cb8ee38adedd9ba06bdad9220a35890c2df0e4c78d0559cd6da653bf740f
SHA512cd6ce6d89a8e5f75724405bc2694b706819c3c554b042075d5eb47fdb75653235160ac8a85e7425a49d98f25b3886faaaec5599bcf66d20bf6115dc3af4ba9c7