Analysis
- max time kernel: 22s
- max time network: 167s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 27-07-2021 13:07
Static task: static1
Behavioral task: behavioral1
  Sample: invoice.02 Nazih El Chouli.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: invoice.02 Nazih El Chouli.exe
  Resource: win10v20210410
General
- Target: invoice.02 Nazih El Chouli.exe
- Size: 31KB
- MD5: 5898734f512fe21e26447c8b28fe802f
- SHA1: eefb6ef334e0ae3fe1316256831a087d412f6008
- SHA256: fb04731280999bb99a45d6473b6fd1d8a9cad45654ee21d7a5ca89b8a6a7e41e
- SHA512: 5f1dbfdc7fd4f091b4a531a1101256ff697cf68d46a231cb08919236de97230d7d26ebe5a34142fcc738a737421b12b5589da180581c32e3cedddc8511a75841
Malware Config
Extracted family: snakekeylogger
- Protocol: smtp
- Host: Smtp.vivaldi.net
- Port: 587
- Username: samueln@vivaldi.net
- Password: DU5DwYRUQdyQQCt
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- suricata: ET MALWARE DTLoader Binary Request M2
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    9     checkip.dyndns.org
    13    freegeoip.app
    14    freegeoip.app
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                          pid   process                         target process
    PID 1092 set thread context of 584   1092  invoice.02 Nazih El Chouli.exe  invoice.02 Nazih El Chouli.exe
- Modifies system certificate store
  Processes:
    description       ioc                                                                                                                       process
    Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13         invoice.02 Nazih El Chouli.exe
    Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (blob value omitted)  invoice.02 Nazih El Chouli.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    pid   process
    584   invoice.02 Nazih El Chouli.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description               pid   process
    Token: SeDebugPrivilege   1092  invoice.02 Nazih El Chouli.exe
    Token: SeDebugPrivilege   584   invoice.02 Nazih El Chouli.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description                      pid   process                         target process
    PID 1092 wrote to memory of 584  1092  invoice.02 Nazih El Chouli.exe  invoice.02 Nazih El Chouli.exe
    (the same entry is recorded 9 times)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\invoice.02 Nazih El Chouli.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\invoice.02 Nazih El Chouli.exe"
  - Suspicious use of SetThreadContext
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\invoice.02 Nazih El Chouli.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\invoice.02 Nazih El Chouli.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/584-65-0x000000000041F82E-mapping.dmp
- memory/584-64-0x0000000000400000-0x0000000000424000-memory.dmp (Filesize: 144KB)
- memory/584-66-0x0000000000400000-0x0000000000424000-memory.dmp (Filesize: 144KB)
- memory/584-68-0x0000000004940000-0x0000000004941000-memory.dmp (Filesize: 4KB)
- memory/1092-60-0x0000000000800000-0x0000000000801000-memory.dmp (Filesize: 4KB)
- memory/1092-62-0x0000000004D40000-0x0000000004D41000-memory.dmp (Filesize: 4KB)
- memory/1092-63-0x0000000004120000-0x0000000004127000-memory.dmp (Filesize: 28KB)