Analysis
-
max time kernel
93s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
13-06-2024 13:37
Static task
static1
Behavioral task
behavioral1
Sample
2024-06-13_c340682108b3f0606d81e1e439529f5d_snatch.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-06-13_c340682108b3f0606d81e1e439529f5d_snatch.exe
Resource
win10v2004-20240611-en
General
-
Target
2024-06-13_c340682108b3f0606d81e1e439529f5d_snatch.exe
-
Size
6.2MB
-
MD5
c340682108b3f0606d81e1e439529f5d
-
SHA1
54cb8e5e6e63884eef6c3fb781f67c2f42132dec
-
SHA256
1c9a7023fab35dbbcb3d1cbedc0c3f8bc8ddb69712764995ccf3df8d1e88f1eb
-
SHA512
3d4ce17b672d1a470a7ac73925e9bbb652d81d0f1acc1b9144022194096efc3bdab5e1219b815c7596f9e8ad3e75c24c42aba597e186e8718aa1722972873f77
-
SSDEEP
98304:iPYao7iT3TfeTVQyqUUEOdsaJ8QJlHiFhJFpG:la5T4QotOdiQJluhZ
Malware Config
Signatures
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 1 api.ipify.org 2 api.ipify.org -
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
pid Process 936 ipconfig.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 2024-06-13_c340682108b3f0606d81e1e439529f5d_snatch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C 2024-06-13_c340682108b3f0606d81e1e439529f5d_snatch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 2024-06-13_c340682108b3f0606d81e1e439529f5d_snatch.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 2264 wmic.exe Token: SeSecurityPrivilege 2264 wmic.exe Token: SeTakeOwnershipPrivilege 2264 wmic.exe Token: SeLoadDriverPrivilege 2264 wmic.exe Token: SeSystemProfilePrivilege 2264 wmic.exe Token: SeSystemtimePrivilege 2264 wmic.exe Token: SeProfSingleProcessPrivilege 2264 wmic.exe Token: SeIncBasePriorityPrivilege 2264 wmic.exe Token: SeCreatePagefilePrivilege 2264 wmic.exe Token: SeBackupPrivilege 2264 wmic.exe Token: SeRestorePrivilege 2264 wmic.exe Token: SeShutdownPrivilege 2264 wmic.exe Token: SeDebugPrivilege 2264 wmic.exe Token: SeSystemEnvironmentPrivilege 2264 wmic.exe Token: SeRemoteShutdownPrivilege 2264 wmic.exe Token: SeUndockPrivilege 2264 wmic.exe Token: SeManageVolumePrivilege 2264 wmic.exe Token: 33 2264 wmic.exe Token: 34 2264 wmic.exe Token: 35 2264 wmic.exe Token: 36 2264 wmic.exe Token: SeIncreaseQuotaPrivilege 2264 wmic.exe Token: SeSecurityPrivilege 2264 wmic.exe Token: SeTakeOwnershipPrivilege 2264 wmic.exe Token: SeLoadDriverPrivilege 2264 wmic.exe Token: SeSystemProfilePrivilege 2264 wmic.exe Token: SeSystemtimePrivilege 2264 wmic.exe Token: SeProfSingleProcessPrivilege 2264 wmic.exe Token: SeIncBasePriorityPrivilege 2264 wmic.exe Token: SeCreatePagefilePrivilege 2264 wmic.exe Token: SeBackupPrivilege 2264 wmic.exe Token: SeRestorePrivilege 2264 wmic.exe Token: SeShutdownPrivilege 2264 wmic.exe Token: SeDebugPrivilege 2264 wmic.exe Token: SeSystemEnvironmentPrivilege 2264 wmic.exe Token: SeRemoteShutdownPrivilege 2264 wmic.exe Token: SeUndockPrivilege 2264 wmic.exe Token: SeManageVolumePrivilege 2264 wmic.exe Token: 33 2264 wmic.exe Token: 34 2264 wmic.exe Token: 35 2264 wmic.exe Token: 36 2264 wmic.exe Token: SeIncreaseQuotaPrivilege 4080 wmic.exe Token: SeSecurityPrivilege 4080 wmic.exe Token: SeTakeOwnershipPrivilege 4080 wmic.exe Token: SeLoadDriverPrivilege 4080 wmic.exe Token: SeSystemProfilePrivilege 4080 wmic.exe Token: SeSystemtimePrivilege 4080 wmic.exe Token: SeProfSingleProcessPrivilege 4080 wmic.exe Token: SeIncBasePriorityPrivilege 4080 wmic.exe Token: SeCreatePagefilePrivilege 4080 wmic.exe Token: SeBackupPrivilege 4080 wmic.exe Token: SeRestorePrivilege 4080 wmic.exe Token: SeShutdownPrivilege 4080 wmic.exe Token: SeDebugPrivilege 4080 wmic.exe Token: SeSystemEnvironmentPrivilege 4080 wmic.exe Token: SeRemoteShutdownPrivilege 4080 wmic.exe Token: SeUndockPrivilege 4080 wmic.exe Token: SeManageVolumePrivilege 4080 wmic.exe Token: 33 4080 wmic.exe Token: 34 4080 wmic.exe Token: 35 4080 wmic.exe Token: 36 4080 wmic.exe Token: SeIncreaseQuotaPrivilege 4080 wmic.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 4928 wrote to memory of 2264 4928 2024-06-13_c340682108b3f0606d81e1e439529f5d_snatch.exe 82 PID 4928 wrote to memory of 2264 4928 2024-06-13_c340682108b3f0606d81e1e439529f5d_snatch.exe 82 PID 4928 wrote to memory of 4080 4928 2024-06-13_c340682108b3f0606d81e1e439529f5d_snatch.exe 86 PID 4928 wrote to memory of 4080 4928 2024-06-13_c340682108b3f0606d81e1e439529f5d_snatch.exe 86 PID 4928 wrote to memory of 4980 4928 2024-06-13_c340682108b3f0606d81e1e439529f5d_snatch.exe 89 PID 4928 wrote to memory of 4980 4928 2024-06-13_c340682108b3f0606d81e1e439529f5d_snatch.exe 89 PID 4980 wrote to memory of 2776 4980 cmd.exe 91 PID 4980 wrote to memory of 2776 4980 cmd.exe 91 PID 4980 wrote to memory of 936 4980 cmd.exe 92 PID 4980 wrote to memory of 936 4980 cmd.exe 92 PID 4928 wrote to memory of 4076 4928 2024-06-13_c340682108b3f0606d81e1e439529f5d_snatch.exe 94 PID 4928 wrote to memory of 4076 4928 2024-06-13_c340682108b3f0606d81e1e439529f5d_snatch.exe 94 PID 4076 wrote to memory of 388 4076 cmd.exe 96 PID 4076 wrote to memory of 388 4076 cmd.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-13_c340682108b3f0606d81e1e439529f5d_snatch.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-13_c340682108b3f0606d81e1e439529f5d_snatch.exe"1⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4928 -
C:\Windows\System32\Wbem\wmic.exewmic cpu get Name2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2264
-
-
C:\Windows\System32\Wbem\wmic.exewmic memorychip get Speed2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4080
-
-
C:\Windows\system32\cmd.execmd /c chcp 65001 && ipconfig /all2⤵
- Suspicious use of WriteProcessMemory
PID:4980 -
C:\Windows\system32\chcp.comchcp 650013⤵PID:2776
-
-
C:\Windows\system32\ipconfig.exeipconfig /all3⤵
- Gathers network information
PID:936
-
-
-
C:\Windows\system32\cmd.execmd /c whoami2⤵
- Suspicious use of WriteProcessMemory
PID:4076 -
C:\Windows\system32\whoami.exewhoami3⤵PID:388
-
-