09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138

Analysis

max time kernel
94s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 19:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Snake.exe
Size

3.7MB
MD5

d659325ea3491708820a2beffe9362b8
SHA1

6e7f725401c33332beb2383a6802a7e4b2db30a9
SHA256

09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138
SHA512

958f4a72530703131be2f25dc906ab7fc8ee174e9cbd13f9c976af7e986593b56a768e0413e6a85d06f2bdc057ac7d9617f6c25cbf8f13cc2f8348bcf441eeb5
SSDEEP

24576:9ypcVmmyK+Y8J0r1dpvZlGhiUTPQOMoezwFnKS1yb0zrs7HjeAzgeJENrud9qcju:ecV8Ytr1dhrwierOjeAzAruTqQt02+

Score

6^/10

discovery

Malware Config

Signatures

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml	Snake.exe
File opened for modification	C:\Program Files\Crashpad\metadata	Snake.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-ul-oob.xrm-ms	Snake.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_KMS_Client_AE-ppd.xrm-ms	Snake.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014	Snake.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-180.png	Snake.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\giflib.md	Snake.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\jcup.md	Snake.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ul-phn.xrm-ms	Snake.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Trial-ul-oob.xrm-ms	Snake.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-ul-phn.xrm-ms	Snake.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSO0127.ACL	Snake.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml	Snake.exe
File opened for modification	C:\Program Files\ConvertFromTrace.xlsb	Snake.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-pl.xrm-ms	Snake.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL089.XML	Snake.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\cryptix.md	Snake.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red Violet.xml	Snake.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.onenotemui.msi.16.en-us.xml	Snake.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-ppd.xrm-ms	Snake.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-ppd.xrm-ms	Snake.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Grace-ppd.xrm-ms	Snake.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ul-oob.xrm-ms	Snake.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ul-oob.xrm-ms	Snake.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml	Snake.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\da.pak	Snake.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\amd64\jvm.cfg	Snake.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\classlist	Snake.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial2-ppd.xrm-ms	Snake.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linessimple.dotx	Snake.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	Snake.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\ffjcext.zip	Snake.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ExcelNaiveBayesCommandRanker.txt	Snake.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\sfodbc.did	Snake.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	Snake.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ul-phn.xrm-ms	Snake.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-pl.xrm-ms	Snake.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-80.png	Snake.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN001.XML	Snake.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-pl.xrm-ms	Snake.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms	Snake.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC.HXS	Snake.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	Snake.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-oob.xrm-ms	Snake.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Grace-ppd.xrm-ms	Snake.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-ul-oob.xrm-ms	Snake.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ul-oob.xrm-ms	Snake.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\orcl7.xsl	Snake.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Configuration\ssn_high_group_info.txt	Snake.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-80.png	Snake.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL103.XML	Snake.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_200_percent.pak	Snake.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\US_export_policy.jar	Snake.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\sound.properties	Snake.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-100.png	Snake.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\MSIPCEvents.man	Snake.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml	Snake.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Grace-ppd.xrm-ms	Snake.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ppd.xrm-ms	Snake.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml	Snake.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ml.pak	Snake.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\tzmappings	Snake.exe
File opened for modification	C:\Program Files\Java\jre-1.8\Welcome.html	Snake.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml	Snake.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Snake.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4050598569-1597076380-177084960-1000\{3A4B8582-EBC5-46BF-BCBC-D1C9052E96F0}	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1368	Snake.exe
1368	Snake.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3436	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	1272	vssvc.exe
Token: SeRestorePrivilege	1272	vssvc.exe
Token: SeAuditPrivilege	1272	vssvc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3436	OpenWith.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Snake.exe
"C:\Users\Admin\AppData\Local\Temp\Snake.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1368

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3436

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:1440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit