Analysis

  • max time kernel: 42s
  • max time network: 53s
  • platform: windows11-21h2_x64
  • resource: win11-20240221-en
  • resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted: 23-03-2024 19:50

General

  • Target: Snickerstream_x64.exe
  • Size: 1.7MB
  • MD5: e9ffa9faf1a6c090f422146fb1b9e042
  • SHA1: e63fa4374cf807797b8a22d68fd87a42248a3639
  • SHA256: f288d9f9083016c33cb7d86b24dbf39028c30da1aa5761cf1f280853fde220b5
  • SHA512: 56c356549e9416edde1f8ce54dafebb390b59ff03932fc74f62bf3eb275bd54bc3603af1fa9f4b576880fc2f1e61e21c50f97674f36ecdeb526b66632c79da69
  • SSDEEP: 49152:ZkK8khWTfDJu4aklg2R6gIjPOtWcypoR+qAkk:ZMfDVmnWgZoR+qA

Score
8/10

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 49 IoCs
  • Suspicious use of SendNotifyMessage 49 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Snickerstream_x64.exe
    "C:\Users\Admin\AppData\Local\Temp\Snickerstream_x64.exe"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2732
    • C:\Windows\system32\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="Snickerstream"
      2⤵
      • Modifies Windows Firewall
      PID:820
    • C:\Windows\system32\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Snickerstream" dir=in action=allow program="C:\Users\Admin\AppData\Local\Temp\Snickerstream_x64.exe" enable=yes
      2⤵
      • Modifies Windows Firewall
      PID:1720
    • C:\Windows\system32\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Snickerstream" dir=out action=allow program="C:\Users\Admin\AppData\Local\Temp\Snickerstream_x64.exe" enable=yes
      2⤵
      • Modifies Windows Firewall
      PID:3924

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\settings.ini
    Filesize: 262B
    MD5: 185cafe1b4544ad5772fcd5db545f2f7
    SHA1: 712754b77195d834b0a1935333ef9a1ca09c6b83
    SHA256: 857af9554c4e365135df511f58d2574acbc687cda7a16dadc440fccf7c5bc989
    SHA512: bb0d057b6326470334e3241ba1777a83b1268a3f90d658d2d035fdda40b8abf24bb8e704254a94bbee50c8ae7e384fde2aa7f35e10bdaa881879183d1c132603

  • C:\Users\Admin\AppData\Local\Temp\settings.ini
    Filesize: 262B
    MD5: 0d30d9d7ea0f6004d7b12c0ac1b74c99
    SHA1: e5231e9af40ad4969ef20150236b0cf574386c23
    SHA256: f9640052f001f20cc25d2412e1b49611a5b20d1bf9bed9b8ec2eb850b27b4d0c
    SHA512: 5ce31356ba74e4026294e70ca43b0d6bf8ddac7966c4645e6f17f63dca9c25f812a11b43ec24d2a1a27d4c8543f95acdf1daed774f1196fc4fd8b07746f912e2

  • C:\Users\Admin\AppData\Local\Temp\settings.ini
    Filesize: 261B
    MD5: 6beeaea0235c45bceac7e2ed96eecfed
    SHA1: d507e976ca852eff9ef632362bfd5e1f5e8aebdb
    SHA256: 6e8c97d6d45536dfaf005a5c120de7fc2d4325873627c21c3868b45bd5f33f43
    SHA512: 791ef4c53768ecb632c51ad09e81643f45bb32c9d5cfb0da169bd265d3b7a40baf9aacb7600ac9e246c559ac690da363d3107ea46ad3cc53f3279ea49ffe685a