Analysis

  • max time kernel
    140s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-06-2024 12:00

General

  • Target

    2024-06-03_d96573a782dd67253f1ad02f441a2c48_snatch.exe

  • Size

    5.8MB

  • MD5

    d96573a782dd67253f1ad02f441a2c48

  • SHA1

    a5266ce4643d797092a33b40cd67229f4116661d

  • SHA256

    09dd15bfea206ac721589d5a0cdbce830be59266eaed5f3a9e030d4e5ac01a28

  • SHA512

    a3158e59e9682862a659986ce604eb3eea7c16de43e1854093f14d0b94bd5fa533ee99a4bba11f9c1e7bdff7006ae4dfcb6f6ace06ff7591a9b550f8a58d35c5

  • SSDEEP

    49152:0A0zZoBkqD3dm/VHrb/TpvO90d7HjmAFd4A64nsfJkqKbnVc15nUBMqgCIItmvjp:uZQ3E/Dq9BEeGt8jgWsIVZYE8nL

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies system certificate store 2 TTPs 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-03_d96573a782dd67253f1ad02f441a2c48_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-03_d96573a782dd67253f1ad02f441a2c48_snatch.exe"
    1⤵
    • Drops file in Program Files directory
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:5068
    • C:\Windows\system32\schtasks.exe
      C:\Windows\system32\schtasks.exe /CREATE /XML C:\Users\Admin\AppData\Local\Temp\eGIMc /F /TN ChromeUpdateTaskMachinCore
      2⤵
      • Creates scheduled task(s)
      PID:1624
    • C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3868
      • C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe
        "C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe"
        3⤵
        • Executes dropped EXE
        • Modifies system certificate store
        PID:3444

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe

    Filesize

    5.8MB

    MD5

    3f0278658ad76c109d71df678e149742

    SHA1

    a69294794f92827981795ce9569db2abf41c32fd

    SHA256

    f40944a484f980090925e32778ede3561097ab01ae9fb5963d49d5a870021842

    SHA512

    4524f08ffb36ac19bfdd8eb1b9e44daf2b6f0355df7fdf9887b6d0b98a6e1ff2e4ab4af8ee7df823ce937f162f2016083233c0dd7799fd8ffb97f2f1bf285458

  • C:\Users\Admin\AppData\Local\Temp\eGIMc

    Filesize

    1KB

    MD5

    1bf5076d24d2bd9b2cea3d950f844a7a

    SHA1

    dbb1be5ccc66b7ef0792d35a95a93a1a17b1e636

    SHA256

    d79f2b872feb31a25f8c922621ef3f1342f800a54cd89acb62b9c72e2b2f1da1

    SHA512

    7a1ac5dc0eb4262c9a576cc72e311705c1f90771e4814faae033bf7001837cfd5e11387de548d6a1d6b63801153d5836c10a9d2e4eb0c9b382aa5d3aecc1209c