Analysis

  • max time kernel
    144s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/06/2024, 18:43

General

  • Target

    2024-06-12_1f21ecf8a837fed6845de8c080b61026_snatch.exe

  • Size

    5.8MB

  • MD5

    1f21ecf8a837fed6845de8c080b61026

  • SHA1

    3642dc6fa4811a80cf46589b00853bcbe449b305

  • SHA256

    5910b05502e79fd7c63f8d7dfa9f616b9af17a7e9e9e6aba3401f6f8210d78ac

  • SHA512

    f22d3a878bbfcd2d65b84892bbc32c3e31177e01003d09bdd549c9bacacef3603a5ae58b369e61d52b3c3d9adb7e8e575d418b6034cfea5e394ff5335e488959

  • SSDEEP

    49152:vzlnEcO3Cgrb/TbvO90d7HjmAFd4A64nsfJa/pJMBMvDF/4q4auspdkgKKhdvZfb:63CE/Xx4LKhdkuESpH

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-12_1f21ecf8a837fed6845de8c080b61026_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-12_1f21ecf8a837fed6845de8c080b61026_snatch.exe"
    1⤵
    • Drops file in Program Files directory
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3640
    • C:\Windows\system32\schtasks.exe
      C:\Windows\system32\schtasks.exe /CREATE /XML C:\Users\Admin\AppData\Local\Temp\eGIMc /F /TN ChromeUpdateTaskMachinCore
      2⤵
      • Creates scheduled task(s)
      PID:1444
    • C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3692
      • C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe
        "C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe"
        3⤵
        • Executes dropped EXE
        PID:4164

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe

    Filesize

    5.8MB

    MD5

    7da2f41732cbfd7b4d48b2272cbe02e6

    SHA1

    e00ebb4810e30f6a4001ce2bfb7de45e15feef66

    SHA256

    dbf71fcb063fe0261ce8d7421d1cb4c3b06673f89087033a578601e5b2564f4e

    SHA512

    ee1ff65e9c39652e40dc5cdfb46a364072b0da13cffef00862996b3f80344da79527765a47adebec551668b6c2f0ef38ea20d459318f0cf9529d8a94ac791b15

  • C:\Users\Admin\AppData\Local\Temp\eGIMc

    Filesize

    1KB

    MD5

    1bf5076d24d2bd9b2cea3d950f844a7a

    SHA1

    dbb1be5ccc66b7ef0792d35a95a93a1a17b1e636

    SHA256

    d79f2b872feb31a25f8c922621ef3f1342f800a54cd89acb62b9c72e2b2f1da1

    SHA512

    7a1ac5dc0eb4262c9a576cc72e311705c1f90771e4814faae033bf7001837cfd5e11387de548d6a1d6b63801153d5836c10a9d2e4eb0c9b382aa5d3aecc1209c