854f95cb67d510bdebd52b5da1605f1e6d4ea21860c31fe02f3547af4d5d75ff

Analysis

max time kernel
139s
max time network
148s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
14/06/2024, 20:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-14_e1210186eb6e652329cb4fe569ce3f56_snatch.exe
Size

5.8MB
MD5

e1210186eb6e652329cb4fe569ce3f56
SHA1

e61a8a1b28a03da04b9d75bec7c68c5a376ed531
SHA256

854f95cb67d510bdebd52b5da1605f1e6d4ea21860c31fe02f3547af4d5d75ff
SHA512

dcfc5def322b1b04e44802d485f2c1cb9d946f1178136e570be801b67a430b5d791d2b314982ab80e793d754de84e122d98ac4ddf3589424d4ae39c338900646
SSDEEP

49152:vzlnEcO3Cgrb/TbvO90d7HjmAFd4A64nsfJa/pJMBMvDF/4q4auspdkgKKhdvZf:63CE/Xx4LKhdkmESp

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2560	ChromeUpdateTaskMachinCore.exe

Loads dropped DLL 2 IoCs

pid	Process
2996	cmd.exe
2996	cmd.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe	2024-06-14_e1210186eb6e652329cb4fe569ce3f56_snatch.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2024-06-14_e1210186eb6e652329cb4fe569ce3f56_snatch.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2024-06-14_e1210186eb6e652329cb4fe569ce3f56_snatch.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	2024-06-14_e1210186eb6e652329cb4fe569ce3f56_snatch.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1756	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1868	2024-06-14_e1210186eb6e652329cb4fe569ce3f56_snatch.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 1756	1868	2024-06-14_e1210186eb6e652329cb4fe569ce3f56_snatch.exe	28
PID 1868 wrote to memory of 1756	1868	2024-06-14_e1210186eb6e652329cb4fe569ce3f56_snatch.exe	28
PID 1868 wrote to memory of 1756	1868	2024-06-14_e1210186eb6e652329cb4fe569ce3f56_snatch.exe	28
PID 1868 wrote to memory of 2996	1868	2024-06-14_e1210186eb6e652329cb4fe569ce3f56_snatch.exe	30
PID 1868 wrote to memory of 2996	1868	2024-06-14_e1210186eb6e652329cb4fe569ce3f56_snatch.exe	30
PID 1868 wrote to memory of 2996	1868	2024-06-14_e1210186eb6e652329cb4fe569ce3f56_snatch.exe	30
PID 2996 wrote to memory of 2560	2996	cmd.exe	32
PID 2996 wrote to memory of 2560	2996	cmd.exe	32
PID 2996 wrote to memory of 2560	2996	cmd.exe	32

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2024-06-14_e1210186eb6e652329cb4fe569ce3f56_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-14_e1210186eb6e652329cb4fe569ce3f56_snatch.exe"
1⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Windows\system32\schtasks.exe
  C:\Windows\system32\schtasks.exe /CREATE /XML C:\Users\Admin\AppData\Local\Temp\dBDHMfzBkODjMnzX /F /TN ChromeUpdateTaskMachinCore
  2⤵
  - Creates scheduled task(s)
  PID:1756
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c "C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe
    "C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe"
    3⤵
    - Executes dropped EXE
    PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dBDHMfzBkODjMnzX

Filesize
1KB

MD5
e45356149ad95fb6fcb371cb39d27f6c

SHA1
ab591ff97745dfc702000a99ded7667d1f04bbc2

SHA256
7509806c091e5f4af39271d78e703a1408dc499fe4590e0023fb13277a3d4173

SHA512
df7780591c7ffb63d459faf78c35d2e1f9dc8268aa6f99ee5615850e28884bad2fdc3fc6baa2e137caf939dfe9235a7c55615f2460d3a72bae86dd93c519c237

Download Submit
\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe

Filesize
5.8MB

MD5
dad1a650519f386b9580bbc4b9b3bbc8

SHA1
9c37d880a772800d8be4da075b5c2ac4e86d7510

SHA256
e2504ad7718a14f7656253a1b043e025ebc353789b0701ede5ec45d01ebe4763

SHA512
c767dd76beb79b98d6d8345e6fe4985446cefb6fde9afbd8ebfbd292e3ddb88dbc69d16eb12fcf335dc4332e22de5a0217d60497665172db8da72aa97e68b7c0

Download Submit