Analysis

  • max time kernel
    138s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/06/2024, 18:43

General

  • Target

    2024-06-12_1f21ecf8a837fed6845de8c080b61026_snatch.exe

  • Size

    5.8MB

  • MD5

    1f21ecf8a837fed6845de8c080b61026

  • SHA1

    3642dc6fa4811a80cf46589b00853bcbe449b305

  • SHA256

    5910b05502e79fd7c63f8d7dfa9f616b9af17a7e9e9e6aba3401f6f8210d78ac

  • SHA512

    f22d3a878bbfcd2d65b84892bbc32c3e31177e01003d09bdd549c9bacacef3603a5ae58b369e61d52b3c3d9adb7e8e575d418b6034cfea5e394ff5335e488959

  • SSDEEP

    49152:vzlnEcO3Cgrb/TbvO90d7HjmAFd4A64nsfJa/pJMBMvDF/4q4auspdkgKKhdvZfb:63CE/Xx4LKhdkuESpH

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-12_1f21ecf8a837fed6845de8c080b61026_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-12_1f21ecf8a837fed6845de8c080b61026_snatch.exe"
    1⤵
    • Drops file in Program Files directory
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2196
    • C:\Windows\system32\schtasks.exe
      C:\Windows\system32\schtasks.exe /CREATE /XML C:\Users\Admin\AppData\Local\Temp\dBDHMfzBkODjMnzX /F /TN ChromeUpdateTaskMachinCore
      2⤵
      • Creates scheduled task(s)
      PID:2084
    • C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2748
      • C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe
        "C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe"
        3⤵
        • Executes dropped EXE
        PID:2764
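The process tree above is a compact persistence chain: the sample in the user's Temp directory registers a scheduled task from an XML file it dropped in Temp, under a name that imitates the Google updater's task naming, then launches a copy of itself from a same-named directory under Program Files via cmd.exe /c. The following detector is an added example, not part of the sandbox report or the sample; it runs four rules over constructed Sysmon-style process-creation records modelled on the tree (pids, parents and command lines as shown above; the parent pid 1000 of the first process is assumed). The set of genuine updater task names (GoogleUpdateTaskMachineCore, GoogleUpdateTaskMachineUA) is an assumption you should adjust for the updaters present in your estate.

```python
"""Flag the schtasks /XML persistence chain from process-creation events.

Added example (not the report's or the sample's code). Input records are
constructed to mirror the process tree in the report.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "pid rule detail")

# Assumption: genuine Google Update task names the sample's task imitates.
LEGIT_UPDATE_TASKS = {"GoogleUpdateTaskMachineCore", "GoogleUpdateTaskMachineUA"}
LOOKALIKE = re.compile(r"^(google|chrome)updatetaskmachin", re.IGNORECASE)
USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
# <dir>\<dir>.exe directly under Program Files, e.g. X\X.exe (group 2 == dir name)
PROGRAM_FILES_SELF = re.compile(r"^C:\\Program Files( \(x86\))?\\([^\\]+)\\\2\.exe$")

# Constructed records modelled on the report's process tree (ppid 1000 assumed).
SAMPLE_EVENTS = [
    {"pid": 2196, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\2024-06-12_1f21ecf8a837fed6845de8c080b61026_snatch.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\2024-06-12_1f21ecf8a837fed6845de8c080b61026_snatch.exe"'},
    {"pid": 2084, "ppid": 2196,
     "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r"C:\Windows\system32\schtasks.exe /CREATE /XML C:\Users\Admin\AppData\Local\Temp\dBDHMfzBkODjMnzX /F /TN ChromeUpdateTaskMachinCore"},
    {"pid": 2748, "ppid": 2196,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'C:\Windows\System32\cmd.exe /c "C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe"'},
    {"pid": 2764, "ppid": 2748,
     "image": r"C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe",
     "cmdline": r'"C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe"'},
]


def tokens(cmdline):
    """Split a Windows command line, keeping quoted paths as single tokens."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def schtasks_args(toks):
    """Return the values following /XML and /TN on a schtasks command line."""
    args = {}
    for i, t in enumerate(toks):
        u = t.upper()
        if u in ("/XML", "/TN") and i + 1 < len(toks):
            args[u] = toks[i + 1]
    return args


def is_lookalike(task_name):
    """True for updater-style task names that are not the genuine ones."""
    return bool(LOOKALIKE.match(task_name)) and task_name not in LEGIT_UPDATE_TASKS


def analyze(events):
    """Apply the four rules; returns a list of Finding(pid, rule, detail)."""
    by_pid = {e["pid"]: e for e in events}
    findings, task_names = [], set()
    # Pass 1: scheduled-task creation from schtasks.exe.
    for e in events:
        toks = tokens(e["cmdline"])
        if e["image"].lower().endswith("\\schtasks.exe") and any(t.upper() == "/CREATE" for t in toks):
            a = schtasks_args(toks)
            xml, tn = a.get("/XML", ""), a.get("/TN", "")
            if tn:
                task_names.add(tn)
            if USER_TEMP.search(xml):  # task definition staged in user Temp
                findings.append(Finding(e["pid"], "task_xml_in_temp", xml))
            if is_lookalike(tn):
                findings.append(Finding(e["pid"], "lookalike_task_name", tn))
    # Pass 2: execution chain linked to the task name and to a Temp-resident parent.
    for e in events:
        m = PROGRAM_FILES_SELF.match(e["image"])
        if m and m.group(2) in task_names:  # Program Files\X\X.exe where X == task name
            findings.append(Finding(e["pid"], "task_named_dir_exec", e["image"]))
        parent = by_pid.get(e["ppid"])
        if parent and e["image"].lower().endswith("\\cmd.exe") and USER_TEMP.search(parent["image"]):
            findings.append(Finding(e["pid"], "temp_parent_spawns_cmd", e["cmdline"]))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"pid {f.pid}: {f.rule}: {f.detail}")
```

The task-name rule is deliberately an imitation check rather than a blocklist: the genuine updater names pass, and any "GoogleUpdateTaskMachine..." or "ChromeUpdateTaskMachin..." variant that is not on the allowlist is flagged, so the misspelled "Machin" in this sample is caught without hard-coding it. On a real host, pair these rules with the file hashes in the Downloads section below (the dropped EXE and the task XML) to confirm a hit.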

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\dBDHMfzBkODjMnzX

    Filesize

    1KB

    MD5

    e45356149ad95fb6fcb371cb39d27f6c

    SHA1

    ab591ff97745dfc702000a99ded7667d1f04bbc2

    SHA256

    7509806c091e5f4af39271d78e703a1408dc499fe4590e0023fb13277a3d4173

    SHA512

    df7780591c7ffb63d459faf78c35d2e1f9dc8268aa6f99ee5615850e28884bad2fdc3fc6baa2e137caf939dfe9235a7c55615f2460d3a72bae86dd93c519c237

  • \Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe

    Filesize

    5.8MB

    MD5

    e43a912f299f95c0253ecfe21910bc5c

    SHA1

    10e6fc392e5438148249d2f52d3853833eddbc41

    SHA256

    6fa325cd85860afeaf1f0e466901e923a80a211c7566420630491aa6d5796c94

    SHA512

    44b96daccaff39c416efa99e269d6eeca97e34bc40b1f559bb0720b85732c8109f37dcb6d3d960768e3dd0163b10e0194fe0e63b667f7958a41a59b53e5b7183