TT Transmitted Copy TRVTT2127468.exe

General

Target:    TT Transmitted Copy TRVTT2127468.exe
Filesize:  819KB
Completed: 27-07-2021 18:00
Score:     10/10
MD5:       427992e6cc9f399060c003ae46389403
SHA1:      07cfcd1b19481ddf586f4b84a1d4a6aef2da722a
SHA256:    c441b0de54cee442566129507b4f3f0dbcbe6eb42ff24936c6e180a3d93fcdb0

Malware Config

Extracted

Family: snakekeylogger

Credentials (exfiltration channel)
  Protocol: smtp
  Host:     us2.smtp.mailhostbox.com
  Port:     587
  Username: admin@evapimlogs.com
  Password: BkKMmzZ1

Signatures (11)

  • Snake Keylogger

    Description

    Keylogger and Infostealer first seen in November 2020.

    TTPs

    Collection; Credential Access

  • Snake Keylogger Payload

    Reported IOCs (resource / yara_rule)

    behavioral2/memory/1016-124-0x0000000000400000-0x000000000046A000-memory.dmp    family_snakekeylogger
    behavioral2/memory/1016-125-0x000000000046457E-mapping.dmp                        family_snakekeylogger
    behavioral2/memory/1016-130-0x00000000056D0000-0x0000000005BCE000-memory.dmp    family_snakekeylogger
  • Reads data files stored by FTP clients

    Description

    Tries to access configuration files associated with programs like FileZilla.

    TTPs

    Data from Local System; Credentials in Files

  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk, where infostealers often target it.

    TTPs

    Data from Local System; Credentials in Files

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials.

    TTPs

    Data from Local System; Credentials in Files
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs (flow / ioc)

    14    checkip.dyndns.org
  • Suspicious use of SetThreadContext
    TT Transmitted Copy TRVTT2127468.exe

    Reported IOCs (description / pid / process / target process)

    PID 3264 set thread context of 1016    3264    TT Transmitted Copy TRVTT2127468.exe    TT Transmitted Copy TRVTT2127468.exe

  • Program crash
    WerFault.exe

    Reported IOCs (pid / pid_target / process / target process)

    3948    1016    WerFault.exe    TT Transmitted Copy TRVTT2127468.exe

  • Suspicious behavior: EnumeratesProcesses
    TT Transmitted Copy TRVTT2127468.exe, WerFault.exe

    Reported IOCs (pid / process)

    1016    TT Transmitted Copy TRVTT2127468.exe
    3948    WerFault.exe    (14 events)

  • Suspicious use of AdjustPrivilegeToken
    TT Transmitted Copy TRVTT2127468.exe, WerFault.exe

    Reported IOCs (description / pid / process)

    Token: SeDebugPrivilege      1016    TT Transmitted Copy TRVTT2127468.exe
    Token: SeRestorePrivilege    3948    WerFault.exe
    Token: SeBackupPrivilege     3948    WerFault.exe
    Token: SeDebugPrivilege      3948    WerFault.exe

  • Suspicious use of WriteProcessMemory
    TT Transmitted Copy TRVTT2127468.exe

    Reported IOCs (description / pid / process / target process)

    PID 3264 wrote to memory of 1016    3264    TT Transmitted Copy TRVTT2127468.exe    TT Transmitted Copy TRVTT2127468.exe    (8 events)
Processes (3)

  • C:\Users\Admin\AppData\Local\Temp\TT Transmitted Copy TRVTT2127468.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\TT Transmitted Copy TRVTT2127468.exe"
    PID: 3264
    Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\TT Transmitted Copy TRVTT2127468.exe (child of 3264)
      Command line: "{path}"
      PID: 1016
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      • C:\Windows\SysWOW64\WerFault.exe (child of 1016)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 1468
        PID: 3948
        Signatures: Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
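The process tree and the SetThreadContext/WriteProcessMemory rows describe the classic self-hollowing chain: PID 3264 starts a second copy of its own image as PID 1016, writes into it eight times, redirects its thread context, and the Snake Keylogger YARA hits then land in the 0x400000 image region of PID 1016. The Python below is an added example, not part of the Triage report or of any sandbox tooling: it runs a hollowing detector over a constructed event log that mirrors those signature rows, and parses the report's memory-dump names to tie the single-address mapping dump to the image region that contains it. The event field names (api, pid, target_pid, image, target_image) are assumptions rather than a real export format, and treating the mapping dump's address as the location the sandbox flagged inside the hollowed image is likewise an assumption.

```python
"""Added example (not part of the Triage report): detect the self-hollowing
chain the signatures describe and tie the report's memory dumps together.
Event field names (api, pid, target_pid, image, target_image) are assumptions,
not a real sandbox export format; the records are constructed from the
signature rows above."""
import re
from collections import defaultdict

SAMPLE = "TT Transmitted Copy TRVTT2127468.exe"

# Constructed event log mirroring the report: 3264 spawns a second copy of
# itself (1016), writes into it eight times, then sets its thread context.
EVENTS = (
    [{"api": "CreateProcess", "pid": 3264, "target_pid": 1016,
      "image": SAMPLE, "target_image": SAMPLE}]
    + [{"api": "WriteProcessMemory", "pid": 3264, "target_pid": 1016,
        "image": SAMPLE, "target_image": SAMPLE}] * 8
    + [{"api": "SetThreadContext", "pid": 3264, "target_pid": 1016,
        "image": SAMPLE, "target_image": SAMPLE},
       {"api": "AdjustPrivilegeToken", "pid": 1016, "target_pid": None,
        "image": SAMPLE, "target_image": None}]
)

# Memory-dump names exactly as listed under "Snake Keylogger Payload".
REPORT_DUMPS = [
    "behavioral2/memory/1016-124-0x0000000000400000-0x000000000046A000-memory.dmp",
    "behavioral2/memory/1016-125-0x000000000046457E-mapping.dmp",
    "behavioral2/memory/1016-130-0x00000000056D0000-0x0000000005BCE000-memory.dmp",
]


def detect_hollowing(events):
    """Return one finding per (parent, child) pair that was both written to
    and had a thread context set by the parent: the hollowing sequence.
    'self_hollow' marks the case where child and parent share an image."""
    pairs = defaultdict(lambda: {"writes": 0, "ctx": 0, "images": None})
    for ev in events:
        if ev["target_pid"] is None:  # in-process calls such as AdjustPrivilegeToken
            continue
        rec = pairs[(ev["pid"], ev["target_pid"])]
        rec["images"] = (ev["image"], ev["target_image"])
        if ev["api"] == "WriteProcessMemory":
            rec["writes"] += 1
        elif ev["api"] == "SetThreadContext":
            rec["ctx"] += 1
    return [
        {"parent_pid": p, "child_pid": c, "writes": r["writes"],
         "self_hollow": r["images"][0] == r["images"][1]}
        for (p, c), r in pairs.items() if r["writes"] and r["ctx"]
    ]


DUMP_RE = re.compile(
    r"(?:behavioral\d+/)?memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)


def parse_dump(name):
    """Split a dump name into pid, sequence number, address range and kind.
    'mapping' dumps carry a single address, so 'end' is None for them."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    return {
        "pid": int(m["pid"]), "seq": int(m["seq"]),
        "start": int(m["start"], 16),
        "end": int(m["end"], 16) if m["end"] else None,
        "kind": m["kind"],
    }


def region_for_mapping(dump_names):
    """Map each mapping address to the same-pid memory range containing it.
    Assumption: the single address in a mapping dump is the location the
    sandbox flagged (here 0x46457E, inside the 0x400000 image of PID 1016),
    so the containing region is the unpacked payload worth carving first."""
    dumps = [parse_dump(n) for n in dump_names]
    hits = {}
    for mp in (d for d in dumps if d["kind"] == "mapping"):
        for mem in dumps:
            if (mem["kind"] == "memory" and mem["pid"] == mp["pid"]
                    and mem["start"] <= mp["start"] < mem["end"]):
                hits[mp["start"]] = (mem["start"], mem["end"])
    return hits


if __name__ == "__main__":
    for f in detect_hollowing(EVENTS):
        print(f"hollowing: {f['parent_pid']} -> {f['child_pid']} "
              f"({f['writes']} writes, self_hollow={f['self_hollow']})")
    for addr, (lo, hi) in region_for_mapping(REPORT_DUMPS).items():
        print(f"mapping 0x{addr:X} lies in 0x{lo:X}-0x{hi:X}")
```

The detector keys on the pair of cross-process calls rather than on either one alone: WriteProcessMemory by itself is common in legitimate debuggers and installers, and SetThreadContext alone is what WerFault.exe and other debuggers do, but a parent that does both to a child of its own image is the hollowing signature. The 0x400000 to 0x46A000 dump of PID 1016 is the region to carve for the unpacked Snake Keylogger payload; the 0x56D0000 region of the same process and the 3264 dumps are heap and .NET runtime allocations around it.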
Network
Downloads (memory dumps)

  • memory/1016-131-0x0000000006860000-0x0000000006861000-memory.dmp
  • memory/1016-130-0x00000000056D0000-0x0000000005BCE000-memory.dmp
  • memory/1016-125-0x000000000046457E-mapping.dmp
  • memory/1016-124-0x0000000000400000-0x000000000046A000-memory.dmp
  • memory/3264-121-0x00000000051A0000-0x000000000569E000-memory.dmp
  • memory/3264-120-0x0000000008570000-0x0000000008571000-memory.dmp
  • memory/3264-119-0x00000000052A0000-0x00000000052A2000-memory.dmp
  • memory/3264-122-0x0000000006E20000-0x0000000006ECF000-memory.dmp
  • memory/3264-123-0x000000000AEE0000-0x000000000AF82000-memory.dmp
  • memory/3264-118-0x0000000005030000-0x0000000005031000-memory.dmp
  • memory/3264-117-0x0000000005060000-0x0000000005061000-memory.dmp
  • memory/3264-116-0x00000000056A0000-0x00000000056A1000-memory.dmp
  • memory/3264-114-0x0000000000730000-0x0000000000731000-memory.dmp