Analysis
-
max time kernel
55s -
max time network
151s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
27-07-2021 15:47
Static task
static1
Behavioral task
behavioral1
Sample
ede697a91e18c73baf01ca677aa33917.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
ede697a91e18c73baf01ca677aa33917.exe
Resource
win10v20210410
General
-
Target
ede697a91e18c73baf01ca677aa33917.exe
-
Size
634KB
-
MD5
ede697a91e18c73baf01ca677aa33917
-
SHA1
699f96d0a34bfacd78a8530f507769d5d18dccc5
-
SHA256
1e2785c94e1501731c09b13b6f8156548704a36dd5b220efab73c06ed4fd6bfc
-
SHA512
7725d2f003a2aeecfe85dff03654b60ea80914ea39b369d6314443600750f4e13ab04a1c7a0925314e1013af034c0c4640dc3f98b9034851cff6b91c3c518bd9
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
bh-16.webhostbox.net - Port:
587 - Username:
whesilolog@miratechs.gq - Password:
7213575aceACE@#$
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
CustAttr .NET packer 1 IoCs
Detects CustAttr .NET packer in memory.
Processes:
resource yara_rule behavioral1/memory/1632-62-0x00000000002A0000-0x00000000002AB000-memory.dmp CustAttr -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 5 checkip.dyndns.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
ede697a91e18c73baf01ca677aa33917.exedescription pid process target process PID 1632 set thread context of 856 1632 ede697a91e18c73baf01ca677aa33917.exe ede697a91e18c73baf01ca677aa33917.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1864 856 WerFault.exe ede697a91e18c73baf01ca677aa33917.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
ede697a91e18c73baf01ca677aa33917.exeWerFault.exepid process 856 ede697a91e18c73baf01ca677aa33917.exe 1864 WerFault.exe 1864 WerFault.exe 1864 WerFault.exe 1864 WerFault.exe 1864 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
ede697a91e18c73baf01ca677aa33917.exeWerFault.exedescription pid process Token: SeDebugPrivilege 856 ede697a91e18c73baf01ca677aa33917.exe Token: SeDebugPrivilege 1864 WerFault.exe -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
ede697a91e18c73baf01ca677aa33917.exeede697a91e18c73baf01ca677aa33917.exedescription pid process target process PID 1632 wrote to memory of 856 1632 ede697a91e18c73baf01ca677aa33917.exe ede697a91e18c73baf01ca677aa33917.exe PID 1632 wrote to memory of 856 1632 ede697a91e18c73baf01ca677aa33917.exe ede697a91e18c73baf01ca677aa33917.exe PID 1632 wrote to memory of 856 1632 ede697a91e18c73baf01ca677aa33917.exe ede697a91e18c73baf01ca677aa33917.exe PID 1632 wrote to memory of 856 1632 ede697a91e18c73baf01ca677aa33917.exe ede697a91e18c73baf01ca677aa33917.exe PID 1632 wrote to memory of 856 1632 ede697a91e18c73baf01ca677aa33917.exe ede697a91e18c73baf01ca677aa33917.exe PID 1632 wrote to memory of 856 1632 ede697a91e18c73baf01ca677aa33917.exe ede697a91e18c73baf01ca677aa33917.exe PID 1632 wrote to memory of 856 1632 ede697a91e18c73baf01ca677aa33917.exe ede697a91e18c73baf01ca677aa33917.exe PID 1632 wrote to memory of 856 1632 ede697a91e18c73baf01ca677aa33917.exe ede697a91e18c73baf01ca677aa33917.exe PID 1632 wrote to memory of 856 1632 ede697a91e18c73baf01ca677aa33917.exe ede697a91e18c73baf01ca677aa33917.exe PID 856 wrote to memory of 1864 856 ede697a91e18c73baf01ca677aa33917.exe WerFault.exe PID 856 wrote to memory of 1864 856 ede697a91e18c73baf01ca677aa33917.exe WerFault.exe PID 856 wrote to memory of 1864 856 ede697a91e18c73baf01ca677aa33917.exe WerFault.exe PID 856 wrote to memory of 1864 856 ede697a91e18c73baf01ca677aa33917.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ede697a91e18c73baf01ca677aa33917.exe"C:\Users\Admin\AppData\Local\Temp\ede697a91e18c73baf01ca677aa33917.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ede697a91e18c73baf01ca677aa33917.exe"C:\Users\Admin\AppData\Local\Temp\ede697a91e18c73baf01ca677aa33917.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 11003⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/856-65-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/856-66-0x000000000041F89E-mapping.dmp
-
memory/856-67-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/856-69-0x00000000049D0000-0x00000000049D1000-memory.dmpFilesize
4KB
-
memory/1632-59-0x0000000001170000-0x0000000001171000-memory.dmpFilesize
4KB
-
memory/1632-61-0x0000000004DC0000-0x0000000004DC1000-memory.dmpFilesize
4KB
-
memory/1632-62-0x00000000002A0000-0x00000000002AB000-memory.dmpFilesize
44KB
-
memory/1632-63-0x0000000005A90000-0x0000000005AF8000-memory.dmpFilesize
416KB
-
memory/1632-64-0x0000000000460000-0x0000000000486000-memory.dmpFilesize
152KB
-
memory/1864-70-0x0000000000000000-mapping.dmp
-
memory/1864-71-0x0000000000360000-0x0000000000361000-memory.dmpFilesize
4KB