snatch | cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3

Analysis

max time kernel
166s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2024 12:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
Size

2.2MB
MD5

664351f9e645e79cdf17d8bb859ef8e5
SHA1

6f45ee1f3246318d94368de97648245718de795d
SHA256

cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3
SHA512

ccd49da2df1fdc3e789000709ce871abe6c90c98842040d818c343d04a165eade662433483e1ea1891c43d099616a29dced57d483cdd35d7642ed30ae66995a1
SSDEEP

49152:kZxdq3f7AohAROoPkMrZVOGeBPEwSX+gyJ7I1Pud1w7pVJ9EluMH3opjhKa70I3Q:kOPhAooPkMnoI+gyJuJ7DJSluMHOjhji

Score

10^/10

snatch ransomware upx

Malware Config

Extracted

Path

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\HOW TO RESTORE YOUR FILES.TXT

Ransom Note

Hello! All your files are encrypted, write to me if you want to return your files - I can do it very quickly! Contact me by email: [email protected] or [email protected] The subject line must contain an encryption extension or the name of your company! Do not rename encrypted files, you may lose them forever. You may be a victim of fraud. Free decryption as a guarantee. Send us up to 3 files for free decryption. The total file size should be no more than 1 MB! (not in the archive), and the files should not contain valuable information. (databases, backups, large Excel spreadsheets, etc.) !!! Do not turn off or restart the NAS equipment. This will lead to data loss !!! To contact us, we recommend that you create an email address at protonmail.com or tutanota.com Because gmail and other public email programs can block our messages!

Emails

[email protected]

Signatures

Detecting the common Go functions and variables names used by Snatch ransomware 16 IoCs

resource	yara_rule
behavioral2/memory/2544-8-0x0000000000400000-0x0000000000807000-memory.dmp	family_snatch
behavioral2/memory/2544-778-0x0000000000400000-0x0000000000807000-memory.dmp	family_snatch
behavioral2/memory/2544-859-0x0000000000400000-0x0000000000807000-memory.dmp	family_snatch
behavioral2/memory/2544-901-0x0000000000400000-0x0000000000807000-memory.dmp	family_snatch
behavioral2/memory/2544-1135-0x0000000000400000-0x0000000000807000-memory.dmp	family_snatch
behavioral2/memory/2544-1297-0x0000000000400000-0x0000000000807000-memory.dmp	family_snatch
behavioral2/memory/2544-1359-0x0000000000400000-0x0000000000807000-memory.dmp	family_snatch
behavioral2/memory/2544-2563-0x0000000000400000-0x0000000000807000-memory.dmp	family_snatch
behavioral2/memory/2544-2972-0x0000000000400000-0x0000000000807000-memory.dmp	family_snatch
behavioral2/memory/2544-4733-0x0000000000400000-0x0000000000807000-memory.dmp	family_snatch
behavioral2/memory/2544-5005-0x0000000000400000-0x0000000000807000-memory.dmp	family_snatch
behavioral2/memory/2544-5905-0x0000000000400000-0x0000000000807000-memory.dmp	family_snatch
behavioral2/memory/2544-6315-0x0000000000400000-0x0000000000807000-memory.dmp	family_snatch
behavioral2/memory/2544-7214-0x0000000000400000-0x0000000000807000-memory.dmp	family_snatch
behavioral2/memory/2544-7319-0x0000000000400000-0x0000000000807000-memory.dmp	family_snatch
behavioral2/memory/2544-7320-0x0000000000400000-0x0000000000807000-memory.dmp	family_snatch

Snatch Ransomware
Ransomware family generally distributed through RDP bruteforce attacks.
ransomware snatch
Renames multiple (3317) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2544-0-0x0000000000400000-0x0000000000807000-memory.dmp	upx
behavioral2/memory/2544-8-0x0000000000400000-0x0000000000807000-memory.dmp	upx
behavioral2/memory/2544-778-0x0000000000400000-0x0000000000807000-memory.dmp	upx
behavioral2/memory/2544-859-0x0000000000400000-0x0000000000807000-memory.dmp	upx
behavioral2/memory/2544-901-0x0000000000400000-0x0000000000807000-memory.dmp	upx
behavioral2/memory/2544-1135-0x0000000000400000-0x0000000000807000-memory.dmp	upx
behavioral2/memory/2544-1297-0x0000000000400000-0x0000000000807000-memory.dmp	upx
behavioral2/memory/2544-1359-0x0000000000400000-0x0000000000807000-memory.dmp	upx
behavioral2/memory/2544-2563-0x0000000000400000-0x0000000000807000-memory.dmp	upx
behavioral2/memory/2544-2972-0x0000000000400000-0x0000000000807000-memory.dmp	upx
behavioral2/memory/2544-4733-0x0000000000400000-0x0000000000807000-memory.dmp	upx
behavioral2/memory/2544-5005-0x0000000000400000-0x0000000000807000-memory.dmp	upx
behavioral2/memory/2544-5905-0x0000000000400000-0x0000000000807000-memory.dmp	upx
behavioral2/memory/2544-6315-0x0000000000400000-0x0000000000807000-memory.dmp	upx
behavioral2/memory/2544-7214-0x0000000000400000-0x0000000000807000-memory.dmp	upx
behavioral2/memory/2544-7319-0x0000000000400000-0x0000000000807000-memory.dmp	upx
behavioral2/memory/2544-7320-0x0000000000400000-0x0000000000807000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_COL.HXC.zybvqxefmh	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\BLUECALM.INF.zybvqxefmh	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATER\WATER.INF.zybvqxefmh	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_gloss-wave_35_f6a828_500x100.png	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ppd.xrm-ms	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelGlyph.16.GrayF.png	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ICE\ICE.INF.zybvqxefmh	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\StopwatchLargeTile.contrast-white_scale-125.png	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Office Theme.thmx	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ppd.xrm-ms.zybvqxefmh	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ppd.xrm-ms.zybvqxefmh	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ExcelCombinedFloatieModel.bin	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\HOW TO RESTORE YOUR FILES.TXT	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\StudentReport.dotx.zybvqxefmh	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ul-oob.xrm-ms	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial1-ppd.xrm-ms	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Grace-ppd.xrm-ms	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-ppd.xrm-ms	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ul-oob.xrm-ms	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHLTS.DAT.zybvqxefmh	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\HOW TO RESTORE YOUR FILES.TXT	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeMedTile.scale-125.png	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\master_preferences.zybvqxefmh	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-ul-phn.xrm-ms.zybvqxefmh	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ul-oob.xrm-ms.zybvqxefmh	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\SEGOEUISL.TTF	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\DEEPBLUE\DEEPBLUE.INF.zybvqxefmh	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\nb.pak.zybvqxefmh	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT-Rockwell.xml.zybvqxefmh	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ppd.xrm-ms	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ul-phn.xrm-ms	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN103.XML.zybvqxefmh	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\vlc.mo.zybvqxefmh	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ppd.xrm-ms.zybvqxefmh	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\proof.es-es.msi.16.es-es.vreg.dat.zybvqxefmh	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-oob.xrm-ms.zybvqxefmh	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PAPYRUS\HOW TO RESTORE YOUR FILES.TXT	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL020.XML.zybvqxefmh	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\THMBNAIL.PNG	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\vlc.mo.zybvqxefmh	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosWideTile.scale-125.png	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ppd.xrm-ms.zybvqxefmh	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\index.win32.bundle.map.zybvqxefmh	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-pl.xrm-ms.zybvqxefmh	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OMML2MML.XSL	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ppd.xrm-ms	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\offsymxb.ttf.zybvqxefmh	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\WINWORD.VisualElementsManifest.xml	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL.HXS	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ul-oob.xrm-ms.zybvqxefmh	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\kk\msipc.dll.mui	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\hi\HOW TO RESTORE YOUR FILES.TXT	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL119.XML	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RICEPAPR\THMBNAIL.PNG.zybvqxefmh	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-white_scale-200.png	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\HOW TO RESTORE YOUR FILES.TXT	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\HOW TO RESTORE YOUR FILES.TXT	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jopt-simple.md	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial2-ppd.xrm-ms.zybvqxefmh	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_scale-125.png	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Ion.thmx.zybvqxefmh	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.powerpointmui.msi.16.en-us.xml.zybvqxefmh	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2900	sc.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 5012	2544	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe	91
PID 2544 wrote to memory of 5012	2544	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe	91
PID 2544 wrote to memory of 5012	2544	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe	91
PID 5012 wrote to memory of 2900	5012	cmd.exe	93
PID 5012 wrote to memory of 2900	5012	cmd.exe	93
PID 5012 wrote to memory of 2900	5012	cmd.exe	93
PID 5012 wrote to memory of 2532	5012	cmd.exe	94
PID 5012 wrote to memory of 2532	5012	cmd.exe	94
PID 5012 wrote to memory of 2532	5012	cmd.exe	94
PID 2544 wrote to memory of 1712	2544	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe	95
PID 2544 wrote to memory of 1712	2544	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe	95
PID 2544 wrote to memory of 1712	2544	cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe	95

C:\Users\Admin\AppData\Local\Temp\cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe
"C:\Users\Admin\AppData\Local\Temp\cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtiuhuicn.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Windows\SysWOW64\sc.exe
    SC QUERY
    3⤵
    - Launches sc.exe
    PID:2900
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR SERVICE_NAME
    3⤵
    PID:2532
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\stscngtkisimcxtv.bat
  2⤵
  PID:1712

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\HOW TO RESTORE YOUR FILES.TXT

Filesize
874B

MD5
99c1fda521ae8feecc8d4c5db4177ec1

SHA1
eb2136572c97d8b790bf9e0ecdc91f5658974a19

SHA256
a5859059831097f058ef6eb2a4b6bee3a73cb3f00cd93e7913d34b0279ed81a8

SHA512
b9482013c38927e3dc980af128722ce6200a50a996882f5b67562584bfe13f91f1053e80e88b25a60ea57257d6557bbdea72c0dea65612ca2170ba8a981dbbde

Download Submit
C:\Users\Admin\AppData\Local\Temp\xtiuhuicn.bat

Filesize
43B

MD5
55310bb774fff38cca265dbc70ad6705

SHA1
cb8d76e9fd38a0b253056e5f204dab5441fe932b

SHA256
1fbdb97893d09d59575c3ef95df3c929fe6b6ddf1b273283e4efadf94cdc802d

SHA512
40e5a5e8454ca3eaac36d732550e2c5d869a235e3bbc4d31c4afa038fe4e06f782fa0885e876ad8119be766477fdcc12c1d5d04d53cf6b324e366b5351fc7cd4

Download Submit
memory/2544-1297-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/2544-2972-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/2544-778-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/2544-859-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/2544-901-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/2544-1135-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/2544-0-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/2544-1359-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/2544-2563-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/2544-8-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/2544-4733-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/2544-5005-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/2544-5905-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/2544-6315-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/2544-7214-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/2544-7319-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/2544-7320-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download