snatch | 17c184859f0ba6c44db4b486aeb091ad2dae5f6078816a9b03bc71ad78d97d41

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05/01/2025, 21:58 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
Size

2.4MB
MD5

bfaeb628eb811839395ca7bf5ef866a5
SHA1

0146e8ec67756f5ec6d349dc6ac6a1633f360341
SHA256

17c184859f0ba6c44db4b486aeb091ad2dae5f6078816a9b03bc71ad78d97d41
SHA512

cc19310cedebb89891bda9e29b85b6196eee6f50897c73e32d1b4f4b3a0c057fee7363e713e3514eac9eeab1e02b441817ea9ce49169d123db46e7c47f83ca1e
SSDEEP

49152:33j638rQukLXGqRYv+RlbImz4vX9f+pRLftA4n5JxJutIp0C+TYfuosy7WVYpVJe:3KJ3RSmzIX9W/LftT5Jx4IpOTYfuosyM

Score

10^/10

snatch credential_access defense_evasion discovery execution impact ransomware spyware stealer upx

Malware Config

Signatures

Detecting the common Go functions and variables names used by Snatch ransomware 3 IoCs

resource	yara_rule
behavioral2/memory/816-8483-0x0000000000B60000-0x0000000001016000-memory.dmp	family_snatch
behavioral2/memory/816-8500-0x0000000000B60000-0x0000000001016000-memory.dmp	family_snatch
behavioral2/memory/816-20291-0x0000000000B60000-0x0000000001016000-memory.dmp	family_snatch

Snatch Ransomware
Ransomware family generally distributed through RDP bruteforce attacks.
ransomware snatch
Snatch family
snatch
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (8102) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO RESTORE YOUR FILES.TXT	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\HOW TO RESTORE YOUR FILES.TXT	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/816-2-0x0000000000B60000-0x0000000001016000-memory.dmp	upx
behavioral2/memory/816-8483-0x0000000000B60000-0x0000000001016000-memory.dmp	upx
behavioral2/memory/816-8500-0x0000000000B60000-0x0000000001016000-memory.dmp	upx
behavioral2/memory/816-20291-0x0000000000B60000-0x0000000001016000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ul-oob.xrm-ms.yhlgaopimd	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ppd.xrm-ms.yhlgaopimd	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-36_contrast-high.png	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\GameBar_SmallTile.scale-200.png	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fr-fr\ui-strings.js.yhlgaopimd	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File created	C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\HOW TO RESTORE YOUR FILES.TXT	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\HOW TO RESTORE YOUR FILES.TXT	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ppd.xrm-ms.yhlgaopimd	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\.version	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\convertpdf-selector.js	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\id.pak.DATA.yhlgaopimd	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ko-kr\ui-strings.js.yhlgaopimd	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\HOW TO RESTORE YOUR FILES.TXT	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\stickers\word_art\HOW TO RESTORE YOUR FILES.TXT	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\x86\HOW TO RESTORE YOUR FILES.TXT	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelFluent.png	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Microsoft.Support.SDK\Assets\VALoading.png	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-black\LargeTile.scale-200.png	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RDCNotificationClient.appx	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\da-dk\AppStore_icon.svg.yhlgaopimd	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-fr_fr_2x.gif.yhlgaopimd	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-180.png.yhlgaopimd	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\HOW TO RESTORE YOUR FILES.TXT	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\pt-br\HOW TO RESTORE YOUR FILES.TXT	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\resources.jar.yhlgaopimd	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-ul-oob.xrm-ms.yhlgaopimd	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTrial-ppd.xrm-ms.yhlgaopimd	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\as80.xsl	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-180.png	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\de-de\ui-strings.js	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-96_altform-unplated_contrast-black.png	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-16_altform-unplated.png	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare310x310Logo.scale-200_contrast-white.png	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-256_altform-lightunplated.png	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-40_contrast-black.png	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\A12_Line_White@1x.png.yhlgaopimd	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\sv-se\ui-strings.js	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\sr-Cyrl-BA.pak.DATA.yhlgaopimd	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\HOW TO RESTORE YOUR FILES.TXT	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\AUTHOR.XSL	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-white\MedTile.scale-125_contrast-white.png	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\it_get.svg	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\nb-no\ui-strings.js.yhlgaopimd	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\css\main.css	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\es-419.pak.yhlgaopimd	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sl-sl\HOW TO RESTORE YOUR FILES.TXT	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-ppd.xrm-ms	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-80.png.yhlgaopimd	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-24_altform-unplated_contrast-white.png	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-il\ui-strings.js	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\HOW TO RESTORE YOUR FILES.TXT	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\eu-es\HOW TO RESTORE YOUR FILES.TXT	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-ul-oob.xrm-ms.yhlgaopimd	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageSplashScreen.scale-125.png	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-30_contrast-black.png	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-72_contrast-black.png	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pl-pl\ui-strings.js	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\HOW TO RESTORE YOUR FILES.TXT	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ppd.xrm-ms.yhlgaopimd	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\officeinventoryagentfallback.xml	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-30_altform-unplated.png	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionSmallTile.scale-150.png	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3616	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
4220	vssadmin.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	2028	vssvc.exe
Token: SeRestorePrivilege	2028	vssvc.exe
Token: SeAuditPrivilege	2028	vssvc.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 1648	816	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe	83
PID 816 wrote to memory of 1648	816	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe	83
PID 1648 wrote to memory of 3616	1648	cmd.exe	85
PID 1648 wrote to memory of 3616	1648	cmd.exe	85
PID 1648 wrote to memory of 1580	1648	cmd.exe	86
PID 1648 wrote to memory of 1580	1648	cmd.exe	86
PID 816 wrote to memory of 1516	816	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe	87
PID 816 wrote to memory of 1516	816	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe	87
PID 816 wrote to memory of 3872	816	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe	96
PID 816 wrote to memory of 3872	816	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe	96
PID 3872 wrote to memory of 4220	3872	cmd.exe	98
PID 3872 wrote to memory of 4220	3872	cmd.exe	98
PID 816 wrote to memory of 2216	816	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe	101
PID 816 wrote to memory of 2216	816	JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe	101

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bfaeb628eb811839395ca7bf5ef866a5.exe"
1⤵
- Drops startup file
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dmxvgrliyyq.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Windows\system32\sc.exe
    SC QUERY
    3⤵
    - Launches sc.exe
    PID:3616
- - C:\Windows\system32\findstr.exe
    FINDSTR SERVICE_NAME
    3⤵
    PID:1580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dokygyxvwaatqrl.bat
  2⤵
  PID:1516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khbecrvcfobkoox.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3872
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:4220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cfsudyn.bat
  2⤵
  PID:2216

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2028

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

228.249.119.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

228.249.119.40.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

69.31.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

69.31.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

209.205.72.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.205.72.20.in-addr.arpa

IN PTR

Response
DNS

232.168.11.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

232.168.11.51.in-addr.arpa

IN PTR

Response
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

198.187.3.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.187.3.20.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

30.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

30.243.111.52.in-addr.arpa

IN PTR

Response

No results found

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

228.249.119.40.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

228.249.119.40.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

69.31.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

69.31.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

209.205.72.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

209.205.72.20.in-addr.arpa
8.8.8.8:53

232.168.11.51.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

232.168.11.51.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

198.187.3.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

198.187.3.20.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

30.243.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

30.243.111.52.in-addr.arpa
8.8.8.8:53

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Crashpad\reports\HOW TO RESTORE YOUR FILES.TXT

Filesize
1KB

MD5
10b249845fedf9528d16de30d071f9d1

SHA1
d50aff3a228b2dc935f3362d5aae0dee1dbd017d

SHA256
d6f681398080b92fa4dbe601f3b63637b972eb04e340d08668d3a1d6d79a1a57

SHA512
c817ed36476c7e388c390a299e64d55b636c4f834cfb702bb58355d42f1c824966360da444b2b33a87d70c0b547adab18b2afb410c9d13af48436bf8e9a2d96d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dmxvgrliyyq.bat

Filesize
43B

MD5
55310bb774fff38cca265dbc70ad6705

SHA1
cb8d76e9fd38a0b253056e5f204dab5441fe932b

SHA256
1fbdb97893d09d59575c3ef95df3c929fe6b6ddf1b273283e4efadf94cdc802d

SHA512
40e5a5e8454ca3eaac36d732550e2c5d869a235e3bbc4d31c4afa038fe4e06f782fa0885e876ad8119be766477fdcc12c1d5d04d53cf6b324e366b5351fc7cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\khbecrvcfobkoox.bat

Filesize
47B

MD5
2202e846ba05d7f0bb20adbc5249c359

SHA1
4115d2d15614503456aea14db61d71a756cc7b8c

SHA256
0965cb8ee38adedd9ba06bdad9220a35890c2df0e4c78d0559cd6da653bf740f

SHA512
cd6ce6d89a8e5f75724405bc2694b706819c3c554b042075d5eb47fdb75653235160ac8a85e7425a49d98f25b3886faaaec5599bcf66d20bf6115dc3af4ba9c7

Download Submit
memory/816-2-0x0000000000B60000-0x0000000001016000-memory.dmp

Filesize
4.7MB

Download
memory/816-8483-0x0000000000B60000-0x0000000001016000-memory.dmp

Filesize
4.7MB

Download
memory/816-8500-0x0000000000B60000-0x0000000001016000-memory.dmp

Filesize
4.7MB

Download
memory/816-20291-0x0000000000B60000-0x0000000001016000-memory.dmp

Filesize
4.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.