Analysis
- max time kernel: 126s
- max time network: 128s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 18-10-2021 07:28
Static task: static1
Behavioral task: behavioral1
- Sample: 2BABA new file.exe
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: 2BABA new file.exe
- Resource: win10-en-20211014
General
- Target: 2BABA new file.exe
- Size: 449KB
- MD5: 1a403d5b4db5509524bfd552afbc96f1
- SHA1: 39a3ca238648f4f86741d6b94a190e0379aa7307
- SHA256: 82b5be618f705ff7761c43590eb7dc89a2387512757dcc0df9290f29801b8f41
- SHA512: 8de7ab3405bd1160fe09affac878ec8c252853cc6904d784ab1bcb4a5a1f43263ff917727149badcff74ac60443390b66dd5fe2c6400dd2d0805f39bcf5a0099
Malware Config
Extracted: snakekeylogger
- Protocol: smtp
- Host: mail.algodontekstil.com
- Port: 587
- Username: [email protected]
- Password: Alg001453
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Windows security modification
  Processes (description | ioc | process):
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 2BABA new file.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 2BABA new file.exe
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes (description | ioc | process):
  Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 2BABA new file.exe
  Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 2BABA new file.exe
  Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 2BABA new file.exe
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow | ioc):
  15 | freegeoip.app
  12 | checkip.dyndns.org
  14 | freegeoip.app
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  Processes (pid | process):
  1420 | 2BABA new file.exe
  3968 | powershell.exe
  516 | powershell.exe
  3968 | powershell.exe
  516 | powershell.exe
  516 | powershell.exe
  3968 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 1420 | 2BABA new file.exe
  Token: SeDebugPrivilege | 516 | powershell.exe
  Token: SeDebugPrivilege | 3968 | powershell.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description | pid | process | target process):
  PID 1420 wrote to memory of 3968 | 1420 | 2BABA new file.exe | powershell.exe
  PID 1420 wrote to memory of 3968 | 1420 | 2BABA new file.exe | powershell.exe
  PID 1420 wrote to memory of 3968 | 1420 | 2BABA new file.exe | powershell.exe
  PID 1420 wrote to memory of 516 | 1420 | 2BABA new file.exe | powershell.exe
  PID 1420 wrote to memory of 516 | 1420 | 2BABA new file.exe | powershell.exe
  PID 1420 wrote to memory of 516 | 1420 | 2BABA new file.exe | powershell.exe
- outlook_office_path (1 IoCs)
  Processes (description | ioc | process):
  Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 2BABA new file.exe
- outlook_win_path (1 IoCs)
  Processes (description | ioc | process):
  Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 2BABA new file.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2BABA new file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2BABA new file.exe"
  Signatures:
  - Windows security modification
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  Child processes:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2BABA new file.exe" -Force
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2BABA new file.exe" -Force
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  MD5: db01a2c1c7e70b2b038edf8ad5ad9826
  SHA1: 540217c647a73bad8d8a79e3a0f3998b5abd199b
  SHA256: 413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d
  SHA512: c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: 8fd8786b441ad9c235c2507f6d35a6d0
  SHA1: 899eb544764e1eafb3bf90f2954257aae2a11859
  SHA256: a849c13fe0e200964e31ec8d120f07c56f6cf78fefc9bdec56db5cfc4cfbc304
  SHA512: ca8cf2fe25dfe94b227271d5b94e6763b0af826ced0325d156f95ecb51bc3f48bb052ba73e14fb565cfbe9e52db260fc50f8034b76a7c49de53343dc0f15bf48