templezx.exe

General

Target: templezx.exe
Filesize: 563KB
Completed: 27-07-2021 15:24
Score: 10/10
MD5: 2b1679e8ba0a15c211922ced9909c89e
SHA1: e1ea8f4ecd4b01f87275d3bd13c101facfbe9408
SHA256: 70351038cf49fc5bf127e4f7df1c563ec036293cbc00010ade2364e0ee311a27

Malware Config

Extracted

Family: snakekeylogger

Credentials

Protocol: smtp
Host: mail.bundabergtrophies.com.au
Port: 587
Username: admin@bundabergtrophies.com.au
Password: nKlnBbMZLI

Signatures 8

  • Snake Keylogger

    Description

    Keylogger and Infostealer first seen in November 2020.

  • CustAttr .NET packer

    Description

    Detects CustAttr .NET packer in memory.

    Reported IOCs

    resource   behavioral1/memory/1680-63-0x0000000000370000-0x000000000037B000-memory.dmp
    yara_rule  CustAttr
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    flow  ioc
    5     checkip.dyndns.org
  • Suspicious use of SetThreadContext
    Process: templezx.exe

    Reported IOCs

    description                         pid   process       target process
    PID 1680 set thread context of 672  1680  templezx.exe  templezx.exe
  • Program crash
    Process: WerFault.exe

    Reported IOCs

    pid  pid_target  process       target process
    552  672         WerFault.exe  templezx.exe
  • Suspicious behavior: EnumeratesProcesses
    Processes: templezx.exe, WerFault.exe

    Reported IOCs

    pid  process
    672  templezx.exe
    552  WerFault.exe
    552  WerFault.exe
    552  WerFault.exe
    552  WerFault.exe
    552  WerFault.exe
  • Suspicious use of AdjustPrivilegeToken
    Processes: templezx.exe, WerFault.exe

    Reported IOCs

    description              pid  process
    Token: SeDebugPrivilege  672  templezx.exe
    Token: SeDebugPrivilege  552  WerFault.exe
  • Suspicious use of WriteProcessMemory
    Processes: templezx.exe, templezx.exe

    Reported IOCs

    description                      pid   process       target process
    PID 1680 wrote to memory of 672  1680  templezx.exe  templezx.exe
    PID 1680 wrote to memory of 672  1680  templezx.exe  templezx.exe
    PID 1680 wrote to memory of 672  1680  templezx.exe  templezx.exe
    PID 1680 wrote to memory of 672  1680  templezx.exe  templezx.exe
    PID 1680 wrote to memory of 672  1680  templezx.exe  templezx.exe
    PID 1680 wrote to memory of 672  1680  templezx.exe  templezx.exe
    PID 1680 wrote to memory of 672  1680  templezx.exe  templezx.exe
    PID 1680 wrote to memory of 672  1680  templezx.exe  templezx.exe
    PID 1680 wrote to memory of 672  1680  templezx.exe  templezx.exe
    PID 672 wrote to memory of 552   672   templezx.exe  WerFault.exe
    PID 672 wrote to memory of 552   672   templezx.exe  WerFault.exe
    PID 672 wrote to memory of 552   672   templezx.exe  WerFault.exe
    PID 672 wrote to memory of 552   672   templezx.exe  WerFault.exe
Processes 3
  • C:\Users\Admin\AppData\Local\Temp\templezx.exe
    "C:\Users\Admin\AppData\Local\Temp\templezx.exe"
    Suspicious use of SetThreadContext
    Suspicious use of WriteProcessMemory
    PID:1680
    • C:\Users\Admin\AppData\Local\Temp\templezx.exe
      "C:\Users\Admin\AppData\Local\Temp\templezx.exe"
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:672
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 672 -s 1148
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        PID:552