Analysis
- max time kernel: 138s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 12/06/2024, 18:43
Static task
- static1
Behavioral task
- behavioral1
  Sample: 2024-06-12_1f21ecf8a837fed6845de8c080b61026_snatch.exe
  Resource: win7-20240508-en
Behavioral task
- behavioral2
  Sample: 2024-06-12_1f21ecf8a837fed6845de8c080b61026_snatch.exe
  Resource: win10v2004-20240508-en
General
- Target: 2024-06-12_1f21ecf8a837fed6845de8c080b61026_snatch.exe
- Size: 5.8MB
- MD5: 1f21ecf8a837fed6845de8c080b61026
- SHA1: 3642dc6fa4811a80cf46589b00853bcbe449b305
- SHA256: 5910b05502e79fd7c63f8d7dfa9f616b9af17a7e9e9e6aba3401f6f8210d78ac
- SHA512: f22d3a878bbfcd2d65b84892bbc32c3e31177e01003d09bdd549c9bacacef3603a5ae58b369e61d52b3c3d9adb7e8e575d418b6034cfea5e394ff5335e488959
- SSDEEP: 49152:vzlnEcO3Cgrb/TbvO90d7HjmAFd4A64nsfJa/pJMBMvDF/4q4auspdkgKKhdvZfb:63CE/Xx4LKhdkuESpH
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  PID 2764: ChromeUpdateTaskMachinCore.exe
- Loads dropped DLL (2 IoCs)
  PID 2748: cmd.exe
  PID 2748: cmd.exe
- Drops file in Program Files directory (1 IoC)
  File created: C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe (process: 2024-06-12_1f21ecf8a837fed6845de8c080b61026_snatch.exe)
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: 2024-06-12_1f21ecf8a837fed6845de8c080b61026_snatch.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: 2024-06-12_1f21ecf8a837fed6845de8c080b61026_snatch.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (process: 2024-06-12_1f21ecf8a837fed6845de8c080b61026_snatch.exe)
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 2084: schtasks.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 2196: 2024-06-12_1f21ecf8a837fed6845de8c080b61026_snatch.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 2196 (2024-06-12_1f21ecf8a837fed6845de8c080b61026_snatch.exe) wrote to memory of PID 2084, procid_target 28
  PID 2196 (2024-06-12_1f21ecf8a837fed6845de8c080b61026_snatch.exe) wrote to memory of PID 2084, procid_target 28
  PID 2196 (2024-06-12_1f21ecf8a837fed6845de8c080b61026_snatch.exe) wrote to memory of PID 2084, procid_target 28
  PID 2196 (2024-06-12_1f21ecf8a837fed6845de8c080b61026_snatch.exe) wrote to memory of PID 2748, procid_target 30
  PID 2196 (2024-06-12_1f21ecf8a837fed6845de8c080b61026_snatch.exe) wrote to memory of PID 2748, procid_target 30
  PID 2196 (2024-06-12_1f21ecf8a837fed6845de8c080b61026_snatch.exe) wrote to memory of PID 2748, procid_target 30
  PID 2748 (cmd.exe) wrote to memory of PID 2764, procid_target 32
  PID 2748 (cmd.exe) wrote to memory of PID 2764, procid_target 32
  PID 2748 (cmd.exe) wrote to memory of PID 2764, procid_target 32
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\2024-06-12_1f21ecf8a837fed6845de8c080b61026_snatch.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-12_1f21ecf8a837fed6845de8c080b61026_snatch.exe"
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2196
  - [2] C:\Windows\system32\schtasks.exe
    Command line: C:\Windows\system32\schtasks.exe /CREATE /XML C:\Users\Admin\AppData\Local\Temp\dBDHMfzBkODjMnzX /F /TN ChromeUpdateTaskMachinCore
    - Creates scheduled task(s)
    PID: 2084
  - [2] C:\Windows\System32\cmd.exe
    Command line: C:\Windows\System32\cmd.exe /c "C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 2748
    - [3] C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe
      Command line: "C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe"
      - Executes dropped EXE
      PID: 2764
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  Filesize: 1KB
  MD5: e45356149ad95fb6fcb371cb39d27f6c
  SHA1: ab591ff97745dfc702000a99ded7667d1f04bbc2
  SHA256: 7509806c091e5f4af39271d78e703a1408dc499fe4590e0023fb13277a3d4173
  SHA512: df7780591c7ffb63d459faf78c35d2e1f9dc8268aa6f99ee5615850e28884bad2fdc3fc6baa2e137caf939dfe9235a7c55615f2460d3a72bae86dd93c519c237
- File 2
  Filesize: 5.8MB
  MD5: e43a912f299f95c0253ecfe21910bc5c
  SHA1: 10e6fc392e5438148249d2f52d3853833eddbc41
  SHA256: 6fa325cd85860afeaf1f0e466901e923a80a211c7566420630491aa6d5796c94
  SHA512: 44b96daccaff39c416efa99e269d6eeca97e34bc40b1f559bb0720b85732c8109f37dcb6d3d960768e3dd0163b10e0194fe0e63b667f7958a41a59b53e5b7183