Analysis
- max time kernel: 144s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/06/2024, 18:43

Static task: static1

Behavioral task: behavioral1
- Sample: 2024-06-12_1f21ecf8a837fed6845de8c080b61026_snatch.exe
- Resource: win7-20240508-en

Behavioral task: behavioral2
- Sample: 2024-06-12_1f21ecf8a837fed6845de8c080b61026_snatch.exe
- Resource: win10v2004-20240508-en

General
- Target: 2024-06-12_1f21ecf8a837fed6845de8c080b61026_snatch.exe
- Size: 5.8MB
- MD5: 1f21ecf8a837fed6845de8c080b61026
- SHA1: 3642dc6fa4811a80cf46589b00853bcbe449b305
- SHA256: 5910b05502e79fd7c63f8d7dfa9f616b9af17a7e9e9e6aba3401f6f8210d78ac
- SHA512: f22d3a878bbfcd2d65b84892bbc32c3e31177e01003d09bdd549c9bacacef3603a5ae58b369e61d52b3c3d9adb7e8e575d418b6034cfea5e394ff5335e488959
- SSDEEP: 49152:vzlnEcO3Cgrb/TbvO90d7HjmAFd4A64nsfJa/pJMBMvDF/4q4auspdkgKKhdvZfb:63CE/Xx4LKhdkuESpH
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  - PID 4164, Process: ChromeUpdateTaskMachinCore.exe
- Drops file in Program Files directory (1 IoC)
  - File created: C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe (Process: 2024-06-12_1f21ecf8a837fed6845de8c080b61026_snatch.exe)
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (Process: 2024-06-12_1f21ecf8a837fed6845de8c080b61026_snatch.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (Process: 2024-06-12_1f21ecf8a837fed6845de8c080b61026_snatch.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (Process: 2024-06-12_1f21ecf8a837fed6845de8c080b61026_snatch.exe)
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  - PID 1444, Process: schtasks.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  - PID 3640, Process: 2024-06-12_1f21ecf8a837fed6845de8c080b61026_snatch.exe
  - PID 3640, Process: 2024-06-12_1f21ecf8a837fed6845de8c080b61026_snatch.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  - PID 3640 wrote to memory of 1444 (Process: 2024-06-12_1f21ecf8a837fed6845de8c080b61026_snatch.exe, procid_target: 85)
  - PID 3640 wrote to memory of 1444 (Process: 2024-06-12_1f21ecf8a837fed6845de8c080b61026_snatch.exe, procid_target: 85)
  - PID 3640 wrote to memory of 3692 (Process: 2024-06-12_1f21ecf8a837fed6845de8c080b61026_snatch.exe, procid_target: 87)
  - PID 3640 wrote to memory of 3692 (Process: 2024-06-12_1f21ecf8a837fed6845de8c080b61026_snatch.exe, procid_target: 87)
  - PID 3692 wrote to memory of 4164 (Process: cmd.exe, procid_target: 89)
  - PID 3692 wrote to memory of 4164 (Process: cmd.exe, procid_target: 89)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-06-12_1f21ecf8a837fed6845de8c080b61026_snatch.exe (PID 3640)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-12_1f21ecf8a837fed6845de8c080b61026_snatch.exe"
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\schtasks.exe (PID 1444)
    Command line: C:\Windows\system32\schtasks.exe /CREATE /XML C:\Users\Admin\AppData\Local\Temp\eGIMc /F /TN ChromeUpdateTaskMachinCore
    - Creates scheduled task(s)
  - C:\Windows\System32\cmd.exe (PID 3692)
    Command line: C:\Windows\System32\cmd.exe /c "C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe (PID 4164)
      Command line: "C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe"
      - Executes dropped EXE