snatch | 6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042

Analysis

max time kernel
1s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2024 12:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
Size

2.4MB
MD5

dfb0ba993dbcc53e7c453d59d85372b0
SHA1

a8dfd1c15bebc6252a7d1cecd5783b3d1f5bc2c6
SHA256

6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042
SHA512

75c30c69226af23e81ae3a86e14ad668a93e3c12e8d2bec4978fa1532b1aea1f765091c915240ab517b0c9049d48fc6b631715417a71763268137a5aaf49fa17
SSDEEP

49152:cBreAFa1feMDXhquTYagOLkAdHGo8ZMtQTrlRNulgqjso3OiGoteWrQxBhyYt:SFSlGTOwAdHGoAMtQTBR/qAQOWAWrQ9N

Score

10^/10

snatch ransomware upx

Malware Config

Signatures

Detecting the common Go functions and variables names used by Snatch ransomware 2 IoCs

resource	yara_rule
behavioral2/memory/2272-13629-0x0000000000450000-0x0000000000906000-memory.dmp	family_snatch
behavioral2/memory/2272-20168-0x0000000000450000-0x0000000000906000-memory.dmp	family_snatch

Snatch Ransomware
Ransomware family generally distributed through RDP bruteforce attacks.
ransomware snatch
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2272-0-0x0000000000450000-0x0000000000906000-memory.dmp	upx
behavioral2/memory/2272-13629-0x0000000000450000-0x0000000000906000-memory.dmp	upx
behavioral2/memory/2272-20168-0x0000000000450000-0x0000000000906000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\System\ole db\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Resources\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ast\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AXIS\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\PCHEALTH\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\DEEPBLUE\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\assembly\GAC_MSIL\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\ModifiableWindowsApps\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\th\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\1033\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\VideoLAN\VLC\locale\da\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.AdomdClient\13.0.0.0__89845DCD8080CC91\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ml\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\9879DE67-52BF-41A3-9E92-CA479C5F25D3\root\vfs\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1036\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\1033\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sk\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bs\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cy\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\el\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\VideoLAN\VLC\locale\be\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Cultures\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\VideoLAN\VLC\locale\te\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f4\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\COMPASS\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\VideoLAN\VLC\locale\am\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\fr\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Resources\1033\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\JOURNAL\HOW TO RESTORE YOUR FILES.TXT	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1348	sc.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2336	vssadmin.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 1904	2272	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe	16
PID 2272 wrote to memory of 1904	2272	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe	16
PID 1904 wrote to memory of 1348	1904	cmd.exe	23
PID 1904 wrote to memory of 1348	1904	cmd.exe	23
PID 1904 wrote to memory of 1568	1904	cmd.exe	21
PID 1904 wrote to memory of 1568	1904	cmd.exe	21
PID 2272 wrote to memory of 1840	2272	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe	18
PID 2272 wrote to memory of 1840	2272	6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe	18

C:\Users\Admin\AppData\Local\Temp\6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe
"C:\Users\Admin\AppData\Local\Temp\6516e04cd2987d6f53e1270d2c313b1aafa6fd7d13d73cf41fde8c19c05b3042.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wiigvo.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Windows\system32\findstr.exe
    FINDSTR SERVICE_NAME
    3⤵
    PID:1568
- - C:\Windows\system32\sc.exe
    SC QUERY
    3⤵
    - Launches sc.exe
    PID:1348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ykbggqlymbimgoda.bat
  2⤵
  PID:1840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iptsvh.bat
  2⤵
  PID:812
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soxandbyxcoeg.bat
  2⤵
  PID:1832

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact