f288d9f9083016c33cb7d86b24dbf39028c30da1aa5761cf1f280853fde220b5

General

Target

Snickerstream_x64.exe
Size

1.7MB
MD5

e9ffa9faf1a6c090f422146fb1b9e042
SHA1

e63fa4374cf807797b8a22d68fd87a42248a3639
SHA256

f288d9f9083016c33cb7d86b24dbf39028c30da1aa5761cf1f280853fde220b5
SHA512

56c356549e9416edde1f8ce54dafebb390b59ff03932fc74f62bf3eb275bd54bc3603af1fa9f4b576880fc2f1e61e21c50f97674f36ecdeb526b66632c79da69
SSDEEP

49152:ZkK8khWTfDJu4aklg2R6gIjPOtWcypoR+qAkk:ZMfDVmnWgZoR+qA

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 3 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exe

pid	Process
3924	netsh.exe
820	netsh.exe
1720	netsh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Snickerstream_x64.exe

pid	Process
2732	Snickerstream_x64.exe

Suspicious use of FindShellTrayWindow 49 IoCs

Processes:

Snickerstream_x64.exe

pid	Process
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe

Suspicious use of SendNotifyMessage 49 IoCs

Processes:

Snickerstream_x64.exe

pid	Process
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe
2732	Snickerstream_x64.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Snickerstream_x64.exe

pid	Process
2732	Snickerstream_x64.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

Snickerstream_x64.exe

description	pid	Process	procid_target
PID 2732 wrote to memory of 820	2732	Snickerstream_x64.exe	79
PID 2732 wrote to memory of 820	2732	Snickerstream_x64.exe	79
PID 2732 wrote to memory of 1720	2732	Snickerstream_x64.exe	80
PID 2732 wrote to memory of 1720	2732	Snickerstream_x64.exe	80
PID 2732 wrote to memory of 3924	2732	Snickerstream_x64.exe	81
PID 2732 wrote to memory of 3924	2732	Snickerstream_x64.exe	81

C:\Users\Admin\AppData\Local\Temp\Snickerstream_x64.exe
"C:\Users\Admin\AppData\Local\Temp\Snickerstream_x64.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="Snickerstream"
  2⤵
  - Modifies Windows Firewall
  PID:820
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Snickerstream" dir=in action=allow program="C:\Users\Admin\AppData\Local\Temp\Snickerstream_x64.exe" enable=yes
  2⤵
  - Modifies Windows Firewall
  PID:1720
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Snickerstream" dir=out action=allow program="C:\Users\Admin\AppData\Local\Temp\Snickerstream_x64.exe" enable=yes
  2⤵
  - Modifies Windows Firewall
  PID:3924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\settings.ini

Filesize
262B

MD5
185cafe1b4544ad5772fcd5db545f2f7

SHA1
712754b77195d834b0a1935333ef9a1ca09c6b83

SHA256
857af9554c4e365135df511f58d2574acbc687cda7a16dadc440fccf7c5bc989

SHA512
bb0d057b6326470334e3241ba1777a83b1268a3f90d658d2d035fdda40b8abf24bb8e704254a94bbee50c8ae7e384fde2aa7f35e10bdaa881879183d1c132603

Download Submit
C:\Users\Admin\AppData\Local\Temp\settings.ini

Filesize
262B

MD5
0d30d9d7ea0f6004d7b12c0ac1b74c99

SHA1
e5231e9af40ad4969ef20150236b0cf574386c23

SHA256
f9640052f001f20cc25d2412e1b49611a5b20d1bf9bed9b8ec2eb850b27b4d0c

SHA512
5ce31356ba74e4026294e70ca43b0d6bf8ddac7966c4645e6f17f63dca9c25f812a11b43ec24d2a1a27d4c8543f95acdf1daed774f1196fc4fd8b07746f912e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\settings.ini

Filesize
261B

MD5
6beeaea0235c45bceac7e2ed96eecfed

SHA1
d507e976ca852eff9ef632362bfd5e1f5e8aebdb

SHA256
6e8c97d6d45536dfaf005a5c120de7fc2d4325873627c21c3868b45bd5f33f43

SHA512
791ef4c53768ecb632c51ad09e81643f45bb32c9d5cfb0da169bd265d3b7a40baf9aacb7600ac9e246c559ac690da363d3107ea46ad3cc53f3279ea49ffe685a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads