Malware Analysis Report

2025-04-14 03:49

Sample ID: 240612-xc951svhrg
Target: 2024-06-12_1f21ecf8a837fed6845de8c080b61026_snatch
SHA256: 5910b05502e79fd7c63f8d7dfa9f616b9af17a7e9e9e6aba3401f6f8210d78ac
Score: 7/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK (Enterprise Matrix V15)
  Analysis: static1 (Detonation Overview, Signatures)
  Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
  Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 7/10
SHA256: 5910b05502e79fd7c63f8d7dfa9f616b9af17a7e9e9e6aba3401f6f8210d78ac
Threat level: shows suspicious behavior

The file 2024-06-12_1f21ecf8a837fed6845de8c080b61026_snatch was classified as "shows suspicious behavior". Read together with the behavioral sections below, the signatures describe a single persistence chain: the sample writes ChromeUpdateTaskMachinCore.exe under C:\Program Files\, registers a scheduled task of the same name from an XML definition staged in the user's Temp directory, and starts the dropped binary through cmd.exe.

Malicious Activity Summary

Executes dropped EXE
Loads dropped DLL
Drops file in Program Files directory
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-12 18:43

Signatures

Unsigned PE
The sample carries no Authenticode signature. No indicator, process or target details are recorded for this signature.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-12 18:43
Reported: 2024-06-12 18:46
Platform: win7-20240508-en
Max time kernel: 138s
Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_1f21ecf8a837fed6845de8c080b61026_snatch.exe"

Signatures

Executes dropped EXE
Process: C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe

Loads dropped DLL
Process: C:\Windows\System32\cmd.exe (recorded twice)

Drops file in Program Files directory
File created: C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe
Process: C:\Users\Admin\AppData\Local\Temp\2024-06-12_1f21ecf8a837fed6845de8c080b61026_snatch.exe

Checks processor information in registry
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier
Process: C:\Users\Admin\AppData\Local\Temp\2024-06-12_1f21ecf8a837fed6845de8c080b61026_snatch.exe
Reading ProcessorNameString and VendorIdentifier is a common virtual-machine fingerprinting step, but many legitimate programs read the same values, so on its own this signature is weak evidence.

Creates scheduled task(s) (persistence)
Process: C:\Windows\system32\schtasks.exe

Suspicious behavior: EnumeratesProcesses
Process: C:\Users\Admin\AppData\Local\Temp\2024-06-12_1f21ecf8a837fed6845de8c080b61026_snatch.exe

Uses Task Scheduler COM API (persistence)
No indicator, process or target details are recorded for this signature.

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-12_1f21ecf8a837fed6845de8c080b61026_snatch.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-06-12_1f21ecf8a837fed6845de8c080b61026_snatch.exe"

C:\Windows\system32\schtasks.exe
  C:\Windows\system32\schtasks.exe /CREATE /XML C:\Users\Admin\AppData\Local\Temp\dBDHMfzBkODjMnzX /F /TN ChromeUpdateTaskMachinCore

C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c "C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe"

C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe
  "C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe"

In the schtasks command line, /CREATE /XML imports the task definition from the file named (here one staged in the user's Temp directory and listed under Files), /F overwrites any existing task with the same name, and /TN sets the task name. The name imitates Google's GoogleUpdateTaskMachineCore updater task, and the folder and executable dropped under C:\Program Files\ carry the same name, which is the pattern to key a hunt on.

Network

Country  Destination     Domain               Proto  Count
N/A      127.0.0.1:1337  N/A                  tcp    2
US       8.8.8.8:53      dist.torproject.org  udp    9

The table records nine DNS queries for dist.torproject.org (the Tor Project's download host) sent to 8.8.8.8, and two TCP connection attempts to a listener on the loopback address, port 1337. No TCP connection to an external address appears in the table.

Files

C:\Users\Admin\AppData\Local\Temp\dBDHMfzBkODjMnzX (task definition imported by schtasks /XML)
MD5: e45356149ad95fb6fcb371cb39d27f6c
SHA1: ab591ff97745dfc702000a99ded7667d1f04bbc2
SHA256: 7509806c091e5f4af39271d78e703a1408dc499fe4590e0023fb13277a3d4173
SHA512: df7780591c7ffb63d459faf78c35d2e1f9dc8268aa6f99ee5615850e28884bad2fdc3fc6baa2e137caf939dfe9235a7c55615f2460d3a72bae86dd93c519c237

\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe (dropped executable, started through cmd.exe /c)
MD5: e43a912f299f95c0253ecfe21910bc5c
SHA1: 10e6fc392e5438148249d2f52d3853833eddbc41
SHA256: 6fa325cd85860afeaf1f0e466901e923a80a211c7566420630491aa6d5796c94
SHA512: 44b96daccaff39c416efa99e269d6eeca97e34bc40b1f559bb0720b85732c8109f37dcb6d3d960768e3dd0163b10e0194fe0e63b667f7958a41a59b53e5b7183
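The chain recorded in behavioral1 (task definition staged in Temp, schtasks /CREATE, a binary dropped under Program Files and launched through cmd.exe, DNS for dist.torproject.org, connects to a loopback port) is what a detection engineer would want to express as rules over process and network telemetry, with the task name tied back to the dropped binary. The following Python is an added example written for this page, not code from the sandbox or the sample. Its EVENTS and NETWORK records are constructed from the Processes and Network tables above; the pid/ppid values and the record layout are assumptions, since the report lists no pids.

```python
"""Correlate sandbox process and network records into the persistence chain
recorded in behavioral1.

Added example, not part of the sandbox report.  EVENTS and NETWORK are
constructed from the report's tables; pid/ppid values and the record
layout are assumptions, so map a Sysmon/EDR export onto the same keys.
"""
import re
from collections import Counter

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-06-12_1f21ecf8a837fed6845de8c080b61026_snatch.exe"
DROPPED = r"C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe"

EVENTS = [  # constructed; pids are assumed
    {"pid": 100, "ppid": 1, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r"C:\Windows\system32\schtasks.exe /CREATE /XML "
                r"C:\Users\Admin\AppData\Local\Temp\dBDHMfzBkODjMnzX /F /TN ChromeUpdateTaskMachinCore"},
    {"pid": 102, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": f'C:\\Windows\\System32\\cmd.exe /c "{DROPPED}"'},
    {"pid": 103, "ppid": 102, "image": DROPPED, "cmdline": f'"{DROPPED}"'},
]
NETWORK = ([{"dst": "127.0.0.1:1337", "domain": None, "proto": "tcp"}] * 2
           + [{"dst": "8.8.8.8:53", "domain": "dist.torproject.org", "proto": "udp"}] * 9)

TEMP = "\\appdata\\local\\temp\\"
ARG = r'("[^"]+"|\S+)'  # one schtasks argument, quoted or bare


def _norm(path):
    return path.strip('"').lower()


def _basename(path):
    return _norm(path).rsplit("\\", 1)[-1]


def _ancestors(ev, by_pid, limit=32):
    """Walk ppid links upward; `limit` guards against pid-reuse cycles."""
    chain, cur = [], by_pid.get(ev["ppid"])
    while cur is not None and len(chain) < limit:
        chain.append(cur)
        cur = by_pid.get(cur["ppid"])
    return chain


def task_create_from_temp(ev):
    """schtasks /CREATE importing a /XML definition staged under a user Temp dir."""
    if _basename(ev["image"]) != "schtasks.exe" or not re.search(r"(?i)/create\b", ev["cmdline"]):
        return None
    m_xml = re.search(r"(?i)/xml\s+" + ARG, ev["cmdline"])
    m_tn = re.search(r"(?i)/tn\s+" + ARG, ev["cmdline"])
    if not (m_xml and m_tn) or TEMP not in _norm(m_xml.group(1)):
        return None
    return {"rule": "schtasks_xml_from_temp", "pid": ev["pid"],
            "task": m_tn.group(1).strip('"'), "xml": _norm(m_xml.group(1))}


def program_files_exe_from_temp(ev, by_pid):
    """Binary running from Program Files whose ancestry leads back to a Temp executable."""
    if not _norm(ev["image"]).startswith("c:\\program files\\"):
        return None
    chain = _ancestors(ev, by_pid)
    if not any(TEMP in _norm(a["image"]) for a in chain):
        return None
    return {"rule": "program_files_exe_from_temp_ancestor", "pid": ev["pid"],
            "image": _norm(ev["image"]), "chain": [_basename(a["image"]) for a in chain]}


def analyze(events, network):
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        for f in (task_create_from_temp(ev), program_files_exe_from_temp(ev, by_pid)):
            if f:
                findings.append(f)
    # Tie the task to the dropped binary: task name == folder name == exe stem.
    for t in [f for f in findings if f["rule"] == "schtasks_xml_from_temp"]:
        for d in [f for f in findings if f["rule"] == "program_files_exe_from_temp_ancestor"]:
            folder, exe = d["image"].rsplit("\\", 2)[-2:]
            if t["task"].lower() == folder == exe.rsplit(".", 1)[0]:
                findings.append({"rule": "task_name_matches_dropped_exe",
                                 "task": t["task"], "image": d["image"]})
    dns = Counter(r["domain"] for r in network if r["proto"] == "udp" and r["dst"].endswith(":53"))
    for domain, n in dns.items():
        if domain and domain.endswith("torproject.org"):
            findings.append({"rule": "dns_torproject_host", "domain": domain, "queries": n})
    loopback = [r for r in network if r["proto"] == "tcp" and r["dst"].startswith("127.0.0.1:")]
    if loopback:
        findings.append({"rule": "loopback_tcp_connect", "dst": loopback[0]["dst"], "attempts": len(loopback)})
    return findings


def rule_names(findings):
    return sorted({f["rule"] for f in findings})
```

Run `analyze(EVENTS, NETWORK)` to get the five findings for this trace. The first two rules fire on single events; the third only fires when the task name, the folder under Program Files and the executable stem all agree, which is the part that separates this dropper from a benign installer that happens to register a task.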

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-12 18:43
Reported: 2024-06-12 18:46
Platform: win10v2004-20240508-en
Max time kernel: 144s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_1f21ecf8a837fed6845de8c080b61026_snatch.exe"

Signatures

Executes dropped EXE
Process: C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe

Drops file in Program Files directory
File created: C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe
Process: C:\Users\Admin\AppData\Local\Temp\2024-06-12_1f21ecf8a837fed6845de8c080b61026_snatch.exe

Checks processor information in registry
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier
Process: C:\Users\Admin\AppData\Local\Temp\2024-06-12_1f21ecf8a837fed6845de8c080b61026_snatch.exe

Creates scheduled task(s) (persistence)
Process: C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API (persistence)
No indicator, process or target details are recorded for this signature.

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-12_1f21ecf8a837fed6845de8c080b61026_snatch.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-06-12_1f21ecf8a837fed6845de8c080b61026_snatch.exe"

C:\Windows\system32\schtasks.exe
  C:\Windows\system32\schtasks.exe /CREATE /XML C:\Users\Admin\AppData\Local\Temp\eGIMc /F /TN ChromeUpdateTaskMachinCore

C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c "C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe"

C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe
  "C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe"

The same chain as on Windows 7; only the name of the staged task definition file (eGIMc) differs.

Network

Country  Destination     Domain               Proto  Count
N/A      127.0.0.1:1337  N/A                  tcp    2
US       8.8.8.8:53      dist.torproject.org  udp    9

As on Windows 7: nine DNS queries for dist.torproject.org via 8.8.8.8 and two TCP connection attempts to 127.0.0.1:1337, with no TCP connection to an external address recorded.

Files

C:\Users\Admin\AppData\Local\Temp\eGIMc (task definition imported by schtasks /XML)
MD5: 1bf5076d24d2bd9b2cea3d950f844a7a
SHA1: dbb1be5ccc66b7ef0792d35a95a93a1a17b1e636
SHA256: d79f2b872feb31a25f8c922621ef3f1342f800a54cd89acb62b9c72e2b2f1da1
SHA512: 7a1ac5dc0eb4262c9a576cc72e311705c1f90771e4814faae033bf7001837cfd5e11387de548d6a1d6b63801153d5836c10a9d2e4eb0c9b382aa5d3aecc1209c

C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe (dropped executable, started through cmd.exe /c)
MD5: 7da2f41732cbfd7b4d48b2272cbe02e6
SHA1: e00ebb4810e30f6a4001ce2bfb7de45e15feef66
SHA256: dbf71fcb063fe0261ce8d7421d1cb4c3b06673f89087033a578601e5b2564f4e
SHA512: ee1ff65e9c39652e40dc5cdfb46a364072b0da13cffef00862996b3f80344da79527765a47adebec551668b6c2f0ef38ea20d459318f0cf9529d8a94ac791b15

The hashes of the dropped executable differ between the two detonations (SHA256 6fa325cd85860afeaf1f0e466901e923a80a211c7566420630491aa6d5796c94 on Windows 7 versus dbf71fcb063fe0261ce8d7421d1cb4c3b06673f89087033a578601e5b2564f4e here) and from the parent sample, so a hash of the dropped file is not a stable indicator for this dropper; the install path, the task name and the schtasks command line are.
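The staged definition files (dBDHMfzBkODjMnzX and eGIMc) are the Task Scheduler XML that schtasks /CREATE /XML imported, and the report gives only their hashes. A responder who recovers one from the sandbox or from a victim's Temp directory wants to see at a glance what it registers: trigger, run level, whether the task is hidden, and the command it executes. The following Python is an added example written for this page, not code from the sandbox or the sample. SAMPLE_XML is a constructed definition that reuses only the task name and executable path visible in the process tree; its LogonTrigger, HighestAvailable run level and Hidden setting are assumptions, not observations from the report.

```python
"""Triage a Task Scheduler XML definition of the kind imported by
`schtasks /CREATE /XML <file>`.

Added example, not from the report.  SAMPLE_XML is constructed: only the
task name and executable path come from the process tree; the trigger,
run level and Hidden flag are assumed.  Pass a recovered file to
load_task_file to see what the sample really registered.
"""
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

SAMPLE_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\ChromeUpdateTaskMachinCore</URI></RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal>
  </Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe"</Command>
    </Exec>
  </Actions>
</Task>"""


def _text(parent, path):
    el = parent.find(path, NS)
    return (el.text or "").strip() if el is not None else ""


def summarize_task(root):
    """Pull the fields a responder needs from a parsed <Task> element."""
    trig = root.find("t:Triggers", NS)
    triggers = [] if trig is None else [c.tag.split("}")[-1] for c in trig]
    actions = [(_text(e, "t:Command").strip('"'), _text(e, "t:Arguments"))
               for e in root.findall("t:Actions/t:Exec", NS)]
    return {
        "uri": _text(root, "t:RegistrationInfo/t:URI"),
        "triggers": triggers,
        "run_level": _text(root, "t:Principals/t:Principal/t:RunLevel"),
        "hidden": _text(root, "t:Settings/t:Hidden").lower() == "true",
        "actions": actions,
    }


def triage_flags(summary):
    """Cheap heuristics; each alone is weak, together they are worth a look."""
    flags = []
    if summary["hidden"]:
        flags.append("hidden_task")
    if summary["run_level"] == "HighestAvailable":
        flags.append("runs_elevated_when_possible")
    if any(t in ("LogonTrigger", "BootTrigger") for t in summary["triggers"]):
        flags.append("starts_at_logon_or_boot")
    return flags


def summarize_xml(xml_text):
    return summarize_task(ET.fromstring(xml_text))


def triage_xml(xml_text):
    return triage_flags(summarize_xml(xml_text))


def load_task_file(path):
    """schtasks exports are UTF-16 with a BOM; the parser detects it from the bytes."""
    return summarize_task(ET.parse(path).getroot())


if __name__ == "__main__":
    print(summarize_xml(SAMPLE_XML))
    print(triage_xml(SAMPLE_XML))
```

On a live host the same summary can be taken from the registered task itself (`schtasks /Query /TN ChromeUpdateTaskMachinCore /XML` exports the definition), which is the quickest way to confirm whether the persistence survived a reboot or a cleanup.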