Analysis
- max time kernel: 133s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-05-2024 03:42
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-05-23_83958bd6ee281413f61b0d25a2bac065_snatch.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 2024-05-23_83958bd6ee281413f61b0d25a2bac065_snatch.exe
- Resource: win10v2004-20240508-en
General
- Target: 2024-05-23_83958bd6ee281413f61b0d25a2bac065_snatch.exe
- Size: 8.8MB
- MD5: 83958bd6ee281413f61b0d25a2bac065
- SHA1: 66b6a8b25b9e88d1e1217028e72149b41ba913ba
- SHA256: c55fe2e800701ca55a3ec1bac9a42931e30dc3a01bbb431508e7ba21e672e64e
- SHA512: 2b5f4144a82b8d156dc021149c671576e015561e0836073ff0ad6b48683dbdfbe3303fd9a600c2f19ee45d4a87307ee1b5f8c0f4e6bee07c36b31c0b104c2121
- SSDEEP: 49152:R65E0e4+nvFs1LIFVU5h6Y2XznaPbJnuNK+8QoEQ3Er2js5E0FTYvNMno+KfQPly:UuN4yyGXb62tPE0FTYWp+KlTvY9poq
Malware Config
Signatures
- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wp613177943.jpg"
    process: 2024-05-23_83958bd6ee281413f61b0d25a2bac065_snatch.exe
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
    pid: 2328
    process: vssadmin.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description: Token: SeBackupPrivilege
    pid: 2668
    process: vssvc.exe

    description: Token: SeRestorePrivilege
    pid: 2668
    process: vssvc.exe

    description: Token: SeAuditPrivilege
    pid: 2668
    process: vssvc.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes:
    description: PID 3776 wrote to memory of 2328
    pid: 3776
    process: 2024-05-23_83958bd6ee281413f61b0d25a2bac065_snatch.exe
    target process: vssadmin.exe

    description: PID 3776 wrote to memory of 2328
    pid: 3776
    process: 2024-05-23_83958bd6ee281413f61b0d25a2bac065_snatch.exe
    target process: vssadmin.exe
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-05-23_83958bd6ee281413f61b0d25a2bac065_snatch.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-23_83958bd6ee281413f61b0d25a2bac065_snatch.exe"
  - Sets desktop wallpaper using registry
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\system32\vssadmin.exe
    Command line: vssadmin delete shadows /for=norealvolume /all /quiet
    - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken