Overview

overview

10

Static

static

10

2024-06-11...ch.exe

windows7-x64

1

2024-06-11...ch.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    142s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/06/2024, 14:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-06-11_9e0f9c9682693e3a6ea34c01aae9a5a0_ngrbot_snatch.exe

  • Size

    9.5MB

  • MD5

    9e0f9c9682693e3a6ea34c01aae9a5a0

  • SHA1

    5671eb33a457dfad7d9062e0af7b54af6788b23c

  • SHA256

    aa3adfba9a1ceab5ebf0e6acd21db1438215b4a1829faed2dc54a8d85f178aa0

  • SHA512

    a47bcec95bf55ff911220879685f3b0a4dd2619e60df20a9739174cb627dc53a419bcc99fd967ca6bed2efa31f6f941c3203ebd810969ba4390d28709595eb09

  • SSDEEP

    98304:XlFawepI0uNJ8r54t9wTgqU6EgG8OSF8h2n83:jvepI0l4t9w8qMv84u83

Score
9/10
persistence

Malware Config

Signatures

  • Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs. 1 IoCs
  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs
  • Detects executables Discord URL observed in first stage droppers 1 IoCs
  • Detects executables containing SQL queries to confidential data stores. Observed in infostealers 1 IoCs
  • Detects executables containing URLs to raw contents of a Github gist 1 IoCs
  • Detects executables containing possible sandbox system UUIDs 1 IoCs
  • Detects executables referencing virtualization MAC addresses 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-11_9e0f9c9682693e3a6ea34c01aae9a5a0_ngrbot_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-11_9e0f9c9682693e3a6ea34c01aae9a5a0_ngrbot_snatch.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2748
    • C:\Windows\system32\attrib.exe
      attrib +h +s C:\Users\Admin\AppData\Local\Temp\2024-06-11_9e0f9c9682693e3a6ea34c01aae9a5a0_ngrbot_snatch.exe
      2⤵
      • Views/modifies file attributes
      PID:3308
    • C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3412
    • C:\Windows\system32\attrib.exe
      attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
      2⤵
      • Views/modifies file attributes
      PID:1380
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4332 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:2668

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
      Filesize

      9.5MB

      MD5

      9e0f9c9682693e3a6ea34c01aae9a5a0

      SHA1

      5671eb33a457dfad7d9062e0af7b54af6788b23c

      SHA256

      aa3adfba9a1ceab5ebf0e6acd21db1438215b4a1829faed2dc54a8d85f178aa0

      SHA512

      a47bcec95bf55ff911220879685f3b0a4dd2619e60df20a9739174cb627dc53a419bcc99fd967ca6bed2efa31f6f941c3203ebd810969ba4390d28709595eb09

      Download Submit