d035b8af9ef110e3c7fab1bf7844345e13b14c3187b084ac4f78c52d79fe5664

General

Target

2024-05-03_6924d2cdc36e0992b763bc4679052793_snatch.exe
Size

8.1MB
MD5

6924d2cdc36e0992b763bc4679052793
SHA1

e3689890f2f9ba156a03a5ee4352cf77c7d59fe6
SHA256

d035b8af9ef110e3c7fab1bf7844345e13b14c3187b084ac4f78c52d79fe5664
SHA512

b0aeefd9d4c3297d45d682d88119770d007c4d013fd8ddc35381bb2056c00916e66f93f631b508d2cfa0976fc3364c7654d8622876e87013cc537faec4b7484b
SSDEEP

98304:JfCx+J+myJPe88J0wFD1UNI4F10gCfpSECKDIQdH+Pfk+tvTNXKFgPFpr1+0Q/:R2I4FGgCfprCeIQdHW5DXe2pr1+

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2092	powershell.exe
4532	powershell.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2092	powershell.exe
2092	powershell.exe
4532	powershell.exe
4532	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	4532	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 208 wrote to memory of 2092	208	2024-05-03_6924d2cdc36e0992b763bc4679052793_snatch.exe	85
PID 208 wrote to memory of 2092	208	2024-05-03_6924d2cdc36e0992b763bc4679052793_snatch.exe	85
PID 208 wrote to memory of 2092	208	2024-05-03_6924d2cdc36e0992b763bc4679052793_snatch.exe	85
PID 208 wrote to memory of 4532	208	2024-05-03_6924d2cdc36e0992b763bc4679052793_snatch.exe	91
PID 208 wrote to memory of 4532	208	2024-05-03_6924d2cdc36e0992b763bc4679052793_snatch.exe	91
PID 208 wrote to memory of 4532	208	2024-05-03_6924d2cdc36e0992b763bc4679052793_snatch.exe	91

C:\Users\Admin\AppData\Local\Temp\2024-05-03_6924d2cdc36e0992b763bc4679052793_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-03_6924d2cdc36e0992b763bc4679052793_snatch.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:208
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive "(Get-AppxPackage | Where-Object -Property Name -Eq \"SpotifyAB.SpotifyMusic\").InstallLocation"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2092
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive "(Get-AppxPackage | Where-Object -Property Name -Eq \"SpotifyAB.SpotifyMusic\").InstallLocation"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
95201d9e44c732d9b261b4b334505d6b

SHA1
d5f3f499ef27920d8a614152191a7e0c2f9c0264

SHA256
baa9a89717f4013b2799bd06490c738246759ecdf7a3200406fad5a443e83669

SHA512
15ddf637b642144dca99e2794cb4ca4d1dfa9d682e7eb42075d9b269dd5a479b5ea86017db142b599a3f022ebb695baf3691305ab17009060b4f64ddd7254282

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
8d412dc57dbff39af282733a035d1e39

SHA1
be933a96f238c99a04fa9bebfeee0c63f2296da5

SHA256
b8408ff2b9f1ef903552a2052c47130b82d745a41be13d2c9607b9bb62aa5999

SHA512
e2c1aa68633069dbb2a01bdb5f4de995570b453ead69e34bf94df390cdaeb34361ad7d9a9239af6bee4de0fabe43f4e34b1ed74fb1f2c63b6caaa179169ac63f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q5nnacpg.r52.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2092-36-0x0000000007580000-0x000000000759A000-memory.dmp

Filesize
104KB

Download
memory/2092-35-0x0000000007BC0000-0x000000000823A000-memory.dmp

Filesize
6.5MB

Download
memory/2092-7-0x0000000074C70000-0x0000000075420000-memory.dmp

Filesize
7.7MB

Download
memory/2092-6-0x0000000005580000-0x00000000055E6000-memory.dmp

Filesize
408KB

Download
memory/2092-5-0x0000000005410000-0x0000000005476000-memory.dmp

Filesize
408KB

Download
memory/2092-0-0x0000000074C7E000-0x0000000074C7F000-memory.dmp

Filesize
4KB

Download
memory/2092-17-0x0000000005CC0000-0x0000000006014000-memory.dmp

Filesize
3.3MB

Download
memory/2092-18-0x0000000006220000-0x000000000623E000-memory.dmp

Filesize
120KB

Download
memory/2092-37-0x0000000007750000-0x0000000007766000-memory.dmp

Filesize
88KB

Download
memory/2092-31-0x0000000074C70000-0x0000000075420000-memory.dmp

Filesize
7.7MB

Download
memory/2092-21-0x0000000070A90000-0x0000000070ADC000-memory.dmp

Filesize
304KB

Download
memory/2092-32-0x00000000073F0000-0x000000000740E000-memory.dmp

Filesize
120KB

Download
memory/2092-20-0x0000000006800000-0x0000000006832000-memory.dmp

Filesize
200KB

Download
memory/2092-34-0x0000000007420000-0x00000000074C3000-memory.dmp

Filesize
652KB

Download
memory/2092-4-0x0000000005170000-0x0000000005192000-memory.dmp

Filesize
136KB

Download
memory/2092-33-0x0000000074C70000-0x0000000075420000-memory.dmp

Filesize
7.7MB

Download
memory/2092-19-0x0000000006260000-0x00000000062AC000-memory.dmp

Filesize
304KB

Download
memory/2092-3-0x0000000074C70000-0x0000000075420000-memory.dmp

Filesize
7.7MB

Download
memory/2092-38-0x0000000007400000-0x000000000740A000-memory.dmp

Filesize
40KB

Download
memory/2092-39-0x00000000077E0000-0x0000000007806000-memory.dmp

Filesize
152KB

Download
memory/2092-42-0x0000000074C70000-0x0000000075420000-memory.dmp

Filesize
7.7MB

Download
memory/2092-2-0x0000000005690000-0x0000000005CB8000-memory.dmp

Filesize
6.2MB

Download
memory/2092-1-0x0000000002920000-0x0000000002956000-memory.dmp

Filesize
216KB

Download
memory/4532-45-0x0000000074C70000-0x0000000075420000-memory.dmp

Filesize
7.7MB

Download
memory/4532-46-0x0000000074C70000-0x0000000075420000-memory.dmp

Filesize
7.7MB

Download
memory/4532-56-0x00000000055E0000-0x0000000005934000-memory.dmp

Filesize
3.3MB

Download
memory/4532-44-0x0000000074C70000-0x0000000075420000-memory.dmp

Filesize
7.7MB

Download
memory/4532-58-0x0000000070A90000-0x0000000070ADC000-memory.dmp

Filesize
304KB

Download
memory/4532-69-0x0000000074C70000-0x0000000075420000-memory.dmp

Filesize
7.7MB

Download
memory/4532-68-0x0000000074C70000-0x0000000075420000-memory.dmp

Filesize
7.7MB

Download
memory/4532-70-0x0000000074C70000-0x0000000075420000-memory.dmp

Filesize
7.7MB

Download
memory/4532-72-0x0000000074C70000-0x0000000075420000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing