Analysis
-
max time kernel
42s -
max time network
53s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system -
submitted
23-03-2024 19:50
Static task
static1
Behavioral task
behavioral1
Sample
Snickerstream_x64.exe
Resource
win11-20240221-en
General
-
Target
Snickerstream_x64.exe
-
Size
1.7MB
-
MD5
e9ffa9faf1a6c090f422146fb1b9e042
-
SHA1
e63fa4374cf807797b8a22d68fd87a42248a3639
-
SHA256
f288d9f9083016c33cb7d86b24dbf39028c30da1aa5761cf1f280853fde220b5
-
SHA512
56c356549e9416edde1f8ce54dafebb390b59ff03932fc74f62bf3eb275bd54bc3603af1fa9f4b576880fc2f1e61e21c50f97674f36ecdeb526b66632c79da69
-
SSDEEP
49152:ZkK8khWTfDJu4aklg2R6gIjPOtWcypoR+qAkk:ZMfDVmnWgZoR+qA
Malware Config
Signatures
-
Modifies Windows Firewall 2 TTPs 3 IoCs
Processes:
pid process
3924 netsh.exe
820 netsh.exe
1720 netsh.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid process
2732 Snickerstream_x64.exe
-
Suspicious use of FindShellTrayWindow 49 IoCs
Processes:
pid process
2732 Snickerstream_x64.exe (49 identical entries)
-
Suspicious use of SendNotifyMessage 49 IoCs
Processes:
pid process
2732 Snickerstream_x64.exe (49 identical entries)
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid process
2732 Snickerstream_x64.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description | pid | process | target process
PID 2732 wrote to memory of 820 | 2732 | Snickerstream_x64.exe | netsh.exe
PID 2732 wrote to memory of 820 | 2732 | Snickerstream_x64.exe | netsh.exe
PID 2732 wrote to memory of 1720 | 2732 | Snickerstream_x64.exe | netsh.exe
PID 2732 wrote to memory of 1720 | 2732 | Snickerstream_x64.exe | netsh.exe
PID 2732 wrote to memory of 3924 | 2732 | Snickerstream_x64.exe | netsh.exe
PID 2732 wrote to memory of 3924 | 2732 | Snickerstream_x64.exe | netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Snickerstream_x64.exe
"C:\Users\Admin\AppData\Local\Temp\Snickerstream_x64.exe" (depth 1)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="Snickerstream" (depth 2)
- Modifies Windows Firewall
PID:820 -
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Snickerstream" dir=in action=allow program="C:\Users\Admin\AppData\Local\Temp\Snickerstream_x64.exe" enable=yes (depth 2)
- Modifies Windows Firewall
PID:1720 -
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Snickerstream" dir=out action=allow program="C:\Users\Admin\AppData\Local\Temp\Snickerstream_x64.exe" enable=yes (depth 2)
- Modifies Windows Firewall
PID:3924
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
262B
-
Filesize
262B
-
Filesize
261B