d7137fa789aa79fa42bac6709c2dbd374f5f2d539b578997ed8158091ff9827b

Analysis

max time kernel
147s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-10-2024 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
Size

1.8MB
MD5

54fd872cfaac1a5dc7094c8a4d4b16f8
SHA1

fc86170cbaeb2c04784d0094c890901e7653bbea
SHA256

d7137fa789aa79fa42bac6709c2dbd374f5f2d539b578997ed8158091ff9827b
SHA512

154a85438e18a2df17ba4e1dc2eb0d750dd31e86704514e3fae5360d04d6c3b1dec124067f2181855bb604e896aec8132334f980ab99faf6fbed5b8336985bc4
SSDEEP

24576:S6pQPxQ2JyP2r5mJV91xM7RpbwgIvs7NxqUkHx:SCqm2Jpr0nNM7Dus7Nx2R

Score

7^/10

upx

Malware Config

Signatures

Loads dropped DLL 54 IoCs

pid	Process
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File created	C:\Program Files\desktop.ini	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3968-0-0x0000000000400000-0x00000000005BA000-memory.dmp	upx
behavioral2/files/0x000200000002299c-5.dat	upx
behavioral2/memory/3968-1813-0x0000000000400000-0x00000000005BA000-memory.dmp	upx
behavioral2/memory/3968-14084-0x0000000000400000-0x00000000005BA000-memory.dmp	upx
behavioral2/files/0x0001000000021a89-14086.dat	upx
behavioral2/files/0x0001000000021f4c-14091.dat	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-file-l1-1-0.dll.exe	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Slipstream.xml.exe	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16EnterpriseVL_Bypass30-ppd.xrm-ms	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\SkypeLargeTile.scale-100_contrast-black.png.exe	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-48_altform-unplated.png	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui.exe	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.Design.resources.dll	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\visualization\libgoom_plugin.dll.exe	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\ShareProvider_CopyLink24x24.scale-125.png	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\MicrosoftAccount.scale-140.png.exe	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Resources\Fonts\SegMVR2.ttf.exe	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailSmallTile.scale-125.png.exe	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\WindowsBase.resources.dll.exe	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_fr.properties.exe	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-stdio-l1-1-0.dll	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ppd.xrm-ms.exe	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\gl\msipc.dll.mui.exe	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PowerPointCombinedFloatieModel.bin	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV\WPFT532.CNV.exe	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosStoreLogo.contrast-black.png.exe	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailLargeTile.scale-100.png	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ppd.xrm-ms	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-100.png.exe	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-20_altform-unplated_contrast-black.png.exe	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mshwLatin.dll	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red Violet.xml.exe	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.scale-200.png.exe	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_scale-100.png.exe	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\PlatformCapabilities\WordCapabilities.json	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\models\en-GB.mail.config	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookLargeTile.scale-100.png	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.CoreLib.dll.exe	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\LargeTile.scale-200.png	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxSmallTile.scale-150.png	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSO0127.ACL.exe	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\control\libhotkeys_plugin.dll	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-ul-oob.xrm-ms	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\offsymk.ttf	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RADIAL\RADIAL.INF.exe	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\resources.pri.exe	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_uk.json.exe	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ObjectModel.dll	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-ul-oob.xrm-ms	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sl\msipc.dll.mui	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libsubsusf_plugin.dll	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Json.dll.exe	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaSansRegular.ttf.exe	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\jfr\default.jfc	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ppd.xrm-ms	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.scale-200.png	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-white\SmallTile.scale-125.png	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\LocalizedStrings.xml.exe	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ul-oob.xrm-ms.exe	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-pl.xrm-ms.exe	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\HAMMER.WAV	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\1px.png.exe	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\codecpacks_heif.winmd	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebHeaderCollection.dll	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-180.png	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SLATE\SLATE.ELM	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\sendingDark.gif.exe	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptySearch.scale-200.png.exe	2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-18_54fd872cfaac1a5dc7094c8a4d4b16f8_snatch.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:3968

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip32.dll

Filesize
1.8MB

MD5
a04631798258549d3106fb1ddc6b89c7

SHA1
f94f628d61bf0c37aea7b310dd93bcda26b37e51

SHA256
0c01bda9cbde091b3e10b0e85e0185fdb2a4348fde86d32c73a867f6d7b318e0

SHA512
9b4f9af9a16d6bacde85c950e347b1ead6d5c5d044e110255bfd714ac67e3ed1cc2c0312ebcfaa9b471565fe6c29f7b7ed3c3e7c474fb1c4ea85ff5076c3d65b

Download Submit
C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL

Filesize
1.8MB

MD5
078aa850b359764562c03484836b188a

SHA1
84148f5315876654023f022cbe72371d60c85f1b

SHA256
db66644dfcdd224b898a2c00a7b3bafad27261f374a7b7c6181d7052ce3cb16c

SHA512
55d7d843b3fde1a9f4fb19eda7a778cdc197b6ff61762caae4c66748037c86e6e851f8e8ad1fae929520432d1a341d953f545c530386a7f23310f3afb3d9558b

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
1.8MB

MD5
993f46c6b6bf1ed586ce3afb96d493dc

SHA1
a0028945d446da203cd8c737a6952d146680407e

SHA256
c20d9d5672fa40eba181f3bf7b04c858b058291624e975813045bc2cf4507dcb

SHA512
0c6be89489225ee18d626da0a341dbbe35ddf51c6a6a7c37fd66f34a0962174b3df9e22720c9e34ae5dd0eee5a68909a4374a6240592cbd30ce931ab7408cce8

Download Submit
memory/3968-0-0x0000000000400000-0x00000000005BA000-memory.dmp

Filesize
1.7MB

Download
memory/3968-1813-0x0000000000400000-0x00000000005BA000-memory.dmp

Filesize
1.7MB

Download
memory/3968-14084-0x0000000000400000-0x00000000005BA000-memory.dmp

Filesize
1.7MB

Download