Analysis

  • max time kernel
    93s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-06-2024 13:37

General

  • Target

    2024-06-13_c340682108b3f0606d81e1e439529f5d_snatch.exe

  • Size

    6.2MB

  • MD5

    c340682108b3f0606d81e1e439529f5d

  • SHA1

    54cb8e5e6e63884eef6c3fb781f67c2f42132dec

  • SHA256

    1c9a7023fab35dbbcb3d1cbedc0c3f8bc8ddb69712764995ccf3df8d1e88f1eb

  • SHA512

    3d4ce17b672d1a470a7ac73925e9bbb652d81d0f1acc1b9144022194096efc3bdab5e1219b815c7596f9e8ad3e75c24c42aba597e186e8718aa1722972873f77

  • SSDEEP

    98304:iPYao7iT3TfeTVQyqUUEOdsaJ8QJlHiFhJFpG:la5T4QotOdiQJluhZ

Score
6/10

Malware Config

Signatures

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-13_c340682108b3f0606d81e1e439529f5d_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-13_c340682108b3f0606d81e1e439529f5d_snatch.exe"
    1⤵
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:4928
    • C:\Windows\System32\Wbem\wmic.exe
      wmic cpu get Name
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2264
    • C:\Windows\System32\Wbem\wmic.exe
      wmic memorychip get Speed
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4080
    • C:\Windows\system32\cmd.exe
      cmd /c chcp 65001 && ipconfig /all
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4980
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
        PID:2776
      • C:\Windows\system32\ipconfig.exe
        ipconfig /all
        3⤵
        • Gathers network information
        PID:936
    • C:\Windows\system32\cmd.exe
      cmd /c whoami
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4076
      • C:\Windows\system32\whoami.exe
        whoami
        3⤵
        PID:388

Network

MITRE ATT&CK Enterprise v15
