Analysis
-
max time kernel
52s -
max time network
117s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
27-07-2021 16:07
Static task
static1
Behavioral task
behavioral1
Sample
ede697a91e18c73baf01ca677aa33917.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
ede697a91e18c73baf01ca677aa33917.exe
Resource
win10v20210410
General
-
Target
ede697a91e18c73baf01ca677aa33917.exe
-
Size
634KB
-
MD5
ede697a91e18c73baf01ca677aa33917
-
SHA1
699f96d0a34bfacd78a8530f507769d5d18dccc5
-
SHA256
1e2785c94e1501731c09b13b6f8156548704a36dd5b220efab73c06ed4fd6bfc
-
SHA512
7725d2f003a2aeecfe85dff03654b60ea80914ea39b369d6314443600750f4e13ab04a1c7a0925314e1013af034c0c4640dc3f98b9034851cff6b91c3c518bd9
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
bh-16.webhostbox.net - Port:
587 - Username:
whesilolog@miratechs.gq - Password:
7213575aceACE@#$
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
CustAttr .NET packer 1 IoCs
Detects CustAttr .NET packer in memory.
Processes:
resource yara_rule behavioral2/memory/3156-121-0x0000000005160000-0x000000000516B000-memory.dmp CustAttr -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 14 checkip.dyndns.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
ede697a91e18c73baf01ca677aa33917.exedescription pid process target process PID 3156 set thread context of 3996 3156 ede697a91e18c73baf01ca677aa33917.exe ede697a91e18c73baf01ca677aa33917.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 3656 3996 WerFault.exe ede697a91e18c73baf01ca677aa33917.exe -
Suspicious behavior: EnumeratesProcesses 15 IoCs
Processes:
ede697a91e18c73baf01ca677aa33917.exeWerFault.exepid process 3996 ede697a91e18c73baf01ca677aa33917.exe 3656 WerFault.exe 3656 WerFault.exe 3656 WerFault.exe 3656 WerFault.exe 3656 WerFault.exe 3656 WerFault.exe 3656 WerFault.exe 3656 WerFault.exe 3656 WerFault.exe 3656 WerFault.exe 3656 WerFault.exe 3656 WerFault.exe 3656 WerFault.exe 3656 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
ede697a91e18c73baf01ca677aa33917.exeWerFault.exedescription pid process Token: SeDebugPrivilege 3996 ede697a91e18c73baf01ca677aa33917.exe Token: SeRestorePrivilege 3656 WerFault.exe Token: SeBackupPrivilege 3656 WerFault.exe Token: SeDebugPrivilege 3656 WerFault.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
ede697a91e18c73baf01ca677aa33917.exedescription pid process target process PID 3156 wrote to memory of 3996 3156 ede697a91e18c73baf01ca677aa33917.exe ede697a91e18c73baf01ca677aa33917.exe PID 3156 wrote to memory of 3996 3156 ede697a91e18c73baf01ca677aa33917.exe ede697a91e18c73baf01ca677aa33917.exe PID 3156 wrote to memory of 3996 3156 ede697a91e18c73baf01ca677aa33917.exe ede697a91e18c73baf01ca677aa33917.exe PID 3156 wrote to memory of 3996 3156 ede697a91e18c73baf01ca677aa33917.exe ede697a91e18c73baf01ca677aa33917.exe PID 3156 wrote to memory of 3996 3156 ede697a91e18c73baf01ca677aa33917.exe ede697a91e18c73baf01ca677aa33917.exe PID 3156 wrote to memory of 3996 3156 ede697a91e18c73baf01ca677aa33917.exe ede697a91e18c73baf01ca677aa33917.exe PID 3156 wrote to memory of 3996 3156 ede697a91e18c73baf01ca677aa33917.exe ede697a91e18c73baf01ca677aa33917.exe PID 3156 wrote to memory of 3996 3156 ede697a91e18c73baf01ca677aa33917.exe ede697a91e18c73baf01ca677aa33917.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ede697a91e18c73baf01ca677aa33917.exe"C:\Users\Admin\AppData\Local\Temp\ede697a91e18c73baf01ca677aa33917.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ede697a91e18c73baf01ca677aa33917.exe"C:\Users\Admin\AppData\Local\Temp\ede697a91e18c73baf01ca677aa33917.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 14483⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ede697a91e18c73baf01ca677aa33917.exe.logMD5
c3cc52ccca9ff2b6fa8d267fc350ca6b
SHA1a68d4028333296d222e4afd75dea36fdc98d05f3
SHA2563125b6071e2d78f575a06ed7ac32a83d9262ae64d1fa81ac43e8bfc1ef157c0e
SHA512b0c7b2501b1a2c559795a9d178c0bbda0e03cbdbaaa2c4330ac1202a55373fe1b742078adcfa915bd6e805565a2daa6d35d64ef7a14ffcd09069f9ea6a691cc7
-
memory/3156-121-0x0000000005160000-0x000000000516B000-memory.dmpFilesize
44KB
-
memory/3156-117-0x0000000004BC0000-0x0000000004BC1000-memory.dmpFilesize
4KB
-
memory/3156-118-0x0000000004D20000-0x0000000004D21000-memory.dmpFilesize
4KB
-
memory/3156-119-0x0000000004BA0000-0x0000000004BA1000-memory.dmpFilesize
4KB
-
memory/3156-120-0x0000000004D20000-0x000000000521E000-memory.dmpFilesize
4MB
-
memory/3156-114-0x00000000002D0000-0x00000000002D1000-memory.dmpFilesize
4KB
-
memory/3156-122-0x0000000006E90000-0x0000000006EF8000-memory.dmpFilesize
416KB
-
memory/3156-123-0x0000000006F10000-0x0000000006F36000-memory.dmpFilesize
152KB
-
memory/3156-116-0x0000000005220000-0x0000000005221000-memory.dmpFilesize
4KB
-
memory/3996-125-0x000000000041F89E-mapping.dmp
-
memory/3996-124-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/3996-131-0x0000000005400000-0x00000000058FE000-memory.dmpFilesize
4MB