36f1589b72c2e30cf37b89d5108fc2d7b0c8a4577904cabeda30cd011d29595b

General

Target

2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe
Size

7.5MB
MD5

a9473b066152203957beae0748ea6fbc
SHA1

ef29c30577a689bfdc8070f5848d76c3ffb96ba4
SHA256

36f1589b72c2e30cf37b89d5108fc2d7b0c8a4577904cabeda30cd011d29595b
SHA512

235023a0565b0699626e9209f6a8bebc425bd3243f9e6829d917b39840fc4353daea4e1637eb2453b9b95634415ae46c1c7e8e20c57a7998d5c9b38dbf6d4c52
SSDEEP

98304:pYBPE1xp/Mlgj/ruEl2/uJqrWnBrrSgNVBuQGQysD:pXpAgjPljFp+gNDuzs

Score

6^/10

Malware Config

Signatures

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 ipinfo.io

flow	ioc
15	ipinfo.io

Enumerates processes with tasklist 1 TTPs 20 IoCs

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	process
2056	tasklist.exe
2256	tasklist.exe
4464	tasklist.exe
2824	tasklist.exe
1292	tasklist.exe
2084	tasklist.exe
1172	tasklist.exe
3896	tasklist.exe
4732	tasklist.exe
908	tasklist.exe
1168	tasklist.exe
856	tasklist.exe
3504	tasklist.exe
4868	tasklist.exe
3324	tasklist.exe
2204	tasklist.exe
4864	tasklist.exe
4368	tasklist.exe
1076	tasklist.exe
3368	tasklist.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2304	wmic.exe
Token: SeSecurityPrivilege	2304	wmic.exe
Token: SeTakeOwnershipPrivilege	2304	wmic.exe
Token: SeLoadDriverPrivilege	2304	wmic.exe
Token: SeSystemProfilePrivilege	2304	wmic.exe
Token: SeSystemtimePrivilege	2304	wmic.exe
Token: SeProfSingleProcessPrivilege	2304	wmic.exe
Token: SeIncBasePriorityPrivilege	2304	wmic.exe
Token: SeCreatePagefilePrivilege	2304	wmic.exe
Token: SeBackupPrivilege	2304	wmic.exe
Token: SeRestorePrivilege	2304	wmic.exe
Token: SeShutdownPrivilege	2304	wmic.exe
Token: SeDebugPrivilege	2304	wmic.exe
Token: SeSystemEnvironmentPrivilege	2304	wmic.exe
Token: SeRemoteShutdownPrivilege	2304	wmic.exe
Token: SeUndockPrivilege	2304	wmic.exe
Token: SeManageVolumePrivilege	2304	wmic.exe
Token: 33	2304	wmic.exe
Token: 34	2304	wmic.exe
Token: 35	2304	wmic.exe
Token: 36	2304	wmic.exe
Token: SeIncreaseQuotaPrivilege	2304	wmic.exe
Token: SeSecurityPrivilege	2304	wmic.exe
Token: SeTakeOwnershipPrivilege	2304	wmic.exe
Token: SeLoadDriverPrivilege	2304	wmic.exe
Token: SeSystemProfilePrivilege	2304	wmic.exe
Token: SeSystemtimePrivilege	2304	wmic.exe
Token: SeProfSingleProcessPrivilege	2304	wmic.exe
Token: SeIncBasePriorityPrivilege	2304	wmic.exe
Token: SeCreatePagefilePrivilege	2304	wmic.exe
Token: SeBackupPrivilege	2304	wmic.exe
Token: SeRestorePrivilege	2304	wmic.exe
Token: SeShutdownPrivilege	2304	wmic.exe
Token: SeDebugPrivilege	2304	wmic.exe
Token: SeSystemEnvironmentPrivilege	2304	wmic.exe
Token: SeRemoteShutdownPrivilege	2304	wmic.exe
Token: SeUndockPrivilege	2304	wmic.exe
Token: SeManageVolumePrivilege	2304	wmic.exe
Token: 33	2304	wmic.exe
Token: 34	2304	wmic.exe
Token: 35	2304	wmic.exe
Token: 36	2304	wmic.exe
Token: SeIncreaseQuotaPrivilege	3244	WMIC.exe
Token: SeSecurityPrivilege	3244	WMIC.exe
Token: SeTakeOwnershipPrivilege	3244	WMIC.exe
Token: SeLoadDriverPrivilege	3244	WMIC.exe
Token: SeSystemProfilePrivilege	3244	WMIC.exe
Token: SeSystemtimePrivilege	3244	WMIC.exe
Token: SeProfSingleProcessPrivilege	3244	WMIC.exe
Token: SeIncBasePriorityPrivilege	3244	WMIC.exe
Token: SeCreatePagefilePrivilege	3244	WMIC.exe
Token: SeBackupPrivilege	3244	WMIC.exe
Token: SeRestorePrivilege	3244	WMIC.exe
Token: SeShutdownPrivilege	3244	WMIC.exe
Token: SeDebugPrivilege	3244	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3244	WMIC.exe
Token: SeRemoteShutdownPrivilege	3244	WMIC.exe
Token: SeUndockPrivilege	3244	WMIC.exe
Token: SeManageVolumePrivilege	3244	WMIC.exe
Token: 33	3244	WMIC.exe
Token: 34	3244	WMIC.exe
Token: 35	3244	WMIC.exe
Token: 36	3244	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3244	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4568 wrote to memory of 2304	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	wmic.exe
PID 4568 wrote to memory of 2304	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	wmic.exe
PID 4568 wrote to memory of 2380	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	cmd.exe
PID 4568 wrote to memory of 2380	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	cmd.exe
PID 4568 wrote to memory of 4552	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	cmd.exe
PID 4568 wrote to memory of 4552	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	cmd.exe
PID 4568 wrote to memory of 840	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	cmd.exe
PID 4568 wrote to memory of 840	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	cmd.exe
PID 840 wrote to memory of 3244	840	cmd.exe	WMIC.exe
PID 840 wrote to memory of 3244	840	cmd.exe	WMIC.exe
PID 4568 wrote to memory of 3240	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	cmd.exe
PID 4568 wrote to memory of 3240	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	cmd.exe
PID 3240 wrote to memory of 396	3240	cmd.exe	WMIC.exe
PID 3240 wrote to memory of 396	3240	cmd.exe	WMIC.exe
PID 4568 wrote to memory of 640	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	cmd.exe
PID 4568 wrote to memory of 640	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	cmd.exe
PID 640 wrote to memory of 5088	640	cmd.exe	WMIC.exe
PID 640 wrote to memory of 5088	640	cmd.exe	WMIC.exe
PID 4568 wrote to memory of 3184	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	cmd.exe
PID 4568 wrote to memory of 3184	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	cmd.exe
PID 4568 wrote to memory of 4564	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	cmd.exe
PID 4568 wrote to memory of 4564	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	cmd.exe
PID 4564 wrote to memory of 3000	4564	cmd.exe	curl.exe
PID 4564 wrote to memory of 3000	4564	cmd.exe	curl.exe
PID 4568 wrote to memory of 2056	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	tasklist.exe
PID 4568 wrote to memory of 2056	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	tasklist.exe
PID 4568 wrote to memory of 3896	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	tasklist.exe
PID 4568 wrote to memory of 3896	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	tasklist.exe
PID 4568 wrote to memory of 2256	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	tasklist.exe
PID 4568 wrote to memory of 2256	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	tasklist.exe
PID 4568 wrote to memory of 856	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	tasklist.exe
PID 4568 wrote to memory of 856	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	tasklist.exe
PID 4568 wrote to memory of 4464	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	tasklist.exe
PID 4568 wrote to memory of 4464	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	tasklist.exe
PID 4568 wrote to memory of 3504	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	tasklist.exe
PID 4568 wrote to memory of 3504	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	tasklist.exe
PID 4568 wrote to memory of 4868	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	tasklist.exe
PID 4568 wrote to memory of 4868	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	tasklist.exe
PID 4568 wrote to memory of 4368	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	tasklist.exe
PID 4568 wrote to memory of 4368	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	tasklist.exe
PID 4568 wrote to memory of 3324	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	tasklist.exe
PID 4568 wrote to memory of 3324	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	tasklist.exe
PID 4568 wrote to memory of 2824	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	tasklist.exe
PID 4568 wrote to memory of 2824	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	tasklist.exe
PID 4568 wrote to memory of 1292	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	tasklist.exe
PID 4568 wrote to memory of 1292	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	tasklist.exe
PID 4568 wrote to memory of 4732	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	tasklist.exe
PID 4568 wrote to memory of 4732	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	tasklist.exe
PID 4568 wrote to memory of 908	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	tasklist.exe
PID 4568 wrote to memory of 908	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	tasklist.exe
PID 4568 wrote to memory of 2204	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	tasklist.exe
PID 4568 wrote to memory of 2204	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	tasklist.exe
PID 4568 wrote to memory of 2084	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	tasklist.exe
PID 4568 wrote to memory of 2084	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	tasklist.exe
PID 4568 wrote to memory of 4864	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	tasklist.exe
PID 4568 wrote to memory of 4864	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	tasklist.exe
PID 4568 wrote to memory of 1168	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	tasklist.exe
PID 4568 wrote to memory of 1168	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	tasklist.exe
PID 4568 wrote to memory of 1076	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	tasklist.exe
PID 4568 wrote to memory of 1076	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	tasklist.exe
PID 4568 wrote to memory of 1172	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	tasklist.exe
PID 4568 wrote to memory of 1172	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	tasklist.exe
PID 4568 wrote to memory of 3368	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	tasklist.exe
PID 4568 wrote to memory of 3368	4568	2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe	tasklist.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_a9473b066152203957beae0748ea6fbc_snatch.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4568

C:\Windows\System32\Wbem\wmic.exe
wmic baseboard get serialnumber
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2304

C:\Windows\system32\cmd.exe
cmd /C "echo %PROCESSOR_ARCHITECTURE%"
2⤵
PID:2380

C:\Windows\system32\cmd.exe
cmd /C ver
2⤵
PID:4552

C:\Windows\system32\cmd.exe
cmd /C "wmic computersystem get model /value"
2⤵
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get model /value
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3244

C:\Windows\system32\cmd.exe
cmd /C "wmic cpu get name /value"
2⤵
- Suspicious use of WriteProcessMemory
PID:3240

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get name /value
3⤵
PID:396

C:\Windows\system32\cmd.exe
cmd /C "wmic cpu get NumberOfCores /value"
2⤵
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get NumberOfCores /value
3⤵
PID:5088

C:\Windows\system32\cmd.exe
cmd /C "echo %USERNAME%"
2⤵
PID:3184

C:\Windows\system32\cmd.exe
cmd /C "curl ipinfo.io/ip"
2⤵
- Suspicious use of WriteProcessMemory
PID:4564

C:\Windows\system32\curl.exe
curl ipinfo.io/ip
3⤵
PID:3000

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq MsMpEng.exe"
2⤵
- Enumerates processes with tasklist
PID:2056

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq AdAwareService.exe"
2⤵
- Enumerates processes with tasklist
PID:3896

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq afwServ.exe"
2⤵
- Enumerates processes with tasklist
PID:2256

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq avguard.exe"
2⤵
- Enumerates processes with tasklist
PID:856

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq AVGSvc.exe"
2⤵
- Enumerates processes with tasklist
PID:4464

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq bdagent.exe"
2⤵
- Enumerates processes with tasklist
PID:3504

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq BullGuardCore.exe"
2⤵
- Enumerates processes with tasklist
PID:4868

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq ekrn.exe"
2⤵
- Enumerates processes with tasklist
PID:4368

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq fshoster32.exe"
2⤵
- Enumerates processes with tasklist
PID:3324

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq GDScan.exe"
2⤵
- Enumerates processes with tasklist
PID:2824

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq avp.exe"
2⤵
- Enumerates processes with tasklist
PID:1292

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq K7CrvSvc.exe"
2⤵
- Enumerates processes with tasklist
PID:4732

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq McAPExe.exe"
2⤵
- Enumerates processes with tasklist
PID:908

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq NortonSecurity.exe"
2⤵
- Enumerates processes with tasklist
PID:2204

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq PavFnSvr.exe"
2⤵
- Enumerates processes with tasklist
PID:2084

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq SavService.exe"
2⤵
- Enumerates processes with tasklist
PID:4864

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq EnterpriseService.exe"
2⤵
- Enumerates processes with tasklist
PID:1168

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq WRSA.exe"
2⤵
- Enumerates processes with tasklist
PID:1076

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq ZAPrivacyService.exe"
2⤵
- Enumerates processes with tasklist
PID:1172

C:\Windows\system32\tasklist.exe
tasklist
2⤵
- Enumerates processes with tasklist
PID:3368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

1

T1057

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads