Analysis
- max time kernel: 134s
- max time network: 134s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 19-10-2021 16:37
Static task: static1
Behavioral task: behavioral1
  Sample: 637c0a1232a65aba8a98acb8ec9787af.exe
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: 637c0a1232a65aba8a98acb8ec9787af.exe
  Resource: win10-en-20211014
General
- Target: 637c0a1232a65aba8a98acb8ec9787af.exe
- Size: 2.2MB
- MD5: 637c0a1232a65aba8a98acb8ec9787af
- SHA1: 30f6d7422526ad16c3de841472eb2c8ebfe8cb3f
- SHA256: 3559806841a45de7e6ed11acf6085ddbfb7ca67781e1db676b844b0e92ac30f9
- SHA512: 0beeb98cbcacfb3a3e3321774321c18a8e5e569a4ae08889b01a214762ef0cf73c5b4d3f452aea45d74240612a791c936d7c8fe62476b333e0d3afd6cc65a938
Malware Config
Extracted family: snakekeylogger
- Protocol: smtp
- Host: restd.xyz
- Port: 587
- Username: [email protected]
- Password: 0@3z{Aj3S8$H
These are the operator's exfiltration mailbox credentials (Snake Keylogger mails the stolen data out over SMTP), not a victim's. The host and port are the actionable indicators: an outbound TCP/587 connection to restd.xyz from an endpoint is exfiltration in progress.
Signatures
- Snake Keylogger
  Keylogger and infostealer first seen in November 2020.
- Executes dropped EXE (2 IoCs)
  Processes: PID 484 dfxzdg.exe; PID 1712 dfxzdg.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses Microsoft Outlook profiles (1 TTP, 6 IoCs)
  Both the original sample (637c0a1232a65aba8a98acb8ec9787af.exe) and the dropped copy (dfxzdg.exe) open the same three keys under \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000:
    Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  The 9375CFF0413111d3B88A00104B2A6676 subkey holds Outlook account settings, including the stored mail-server credentials, and the three paths cover the Windows Messaging Subsystem location plus Office 2013 (15.0) and Office 2016+ (16.0). Reading it from an executable running out of %TEMP% or %APPDATA% is the standard Outlook credential-theft pattern, not normal Outlook behaviour.
- Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flows: 22 checkip.dyndns.org; 24 freegeoip.app; 25 freegeoip.app; 31 freegeoip.app
- Suspicious use of SetThreadContext (2 IoCs)
  PID 1556 (637c0a1232a65aba8a98acb8ec9787af.exe) set thread context of PID 3900 (637c0a1232a65aba8a98acb8ec9787af.exe)
  PID 484 (dfxzdg.exe) set thread context of PID 1712 (dfxzdg.exe)
  In both cases the parent starts a second copy of its own image, writes into it (see WriteProcessMemory below) and resets the child's thread context: the process-hollowing (RunPE) pattern. The code that actually runs is the child (3900 and 1712), which is also where the Outlook-profile reads and the process enumeration are attributed in the process tree.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature says "likely ransomware behaviour"; nothing else in this report (no file encryption, no ransom note, no mass file writes) supports that, and for an infostealer the same call is consistent with enumerating drives for collection.
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: PID 1236 schtasks.exe; PID 1812 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: PID 3900 637c0a1232a65aba8a98acb8ec9787af.exe; PID 1712 dfxzdg.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token SeDebugPrivilege enabled by: PID 1556 637c0a1232a65aba8a98acb8ec9787af.exe; PID 3900 637c0a1232a65aba8a98acb8ec9787af.exe; PID 484 dfxzdg.exe; PID 1712 dfxzdg.exe
- Suspicious use of WriteProcessMemory (34 IoCs)
  Writes grouped by source -> target (count):
    PID 1556 637c0a1232a65aba8a98acb8ec9787af.exe -> PID 3900 637c0a1232a65aba8a98acb8ec9787af.exe (8)
    PID 1556 637c0a1232a65aba8a98acb8ec9787af.exe -> PID 2124 cmd.exe (3)
    PID 1556 637c0a1232a65aba8a98acb8ec9787af.exe -> PID 2456 cmd.exe (3)
    PID 2124 cmd.exe -> PID 1236 schtasks.exe (3)
    PID 484 dfxzdg.exe -> PID 1712 dfxzdg.exe (8)
    PID 484 dfxzdg.exe -> PID 956 cmd.exe (3)
    PID 484 dfxzdg.exe -> PID 1820 cmd.exe (3)
    PID 956 cmd.exe -> PID 1812 schtasks.exe (3)
  The three writes into each cmd.exe and schtasks.exe child are the writes a parent makes into a freshly created child during CreateProcess, and every parent in the tree shows them; only the eight writes into the same-image child, paired with the SetThreadContext above, are the injection. A detection keyed on WriteProcessMemory alone would fire on the benign cmd.exe launches as well.
- outlook_office_path (1 IoC)
  dfxzdg.exe opened \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- outlook_win_path (1 IoC)
  dfxzdg.exe opened \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
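The network side of this report is a two-step sequence: the sample resolves an external-IP lookup service (checkip.dyndns.org, freegeoip.app, flows 22/24/25/31 above) and then mails the collected data to the SMTP host in the extracted config (restd.xyz:587). The script below is an added example written for this page, not part of the sandbox report or of any vendor tooling. It correlates those two steps over DNS and connection records shaped like Zeek dns.log and conn.log; the field names, the ALLOWED_RELAYS list, the documentation-range IP addresses and the timestamps are all constructed for the example.

```python
"""Correlate an external-IP lookup with a following SMTP connection to a
non-allowlisted host, and boost the score when the destination matches the
SMTP host/port extracted from the sample. Added example; record shapes mimic
Zeek dns.log / conn.log but every field name and address here is constructed."""
from collections import defaultdict

# Indicators taken from the report.
IP_LOOKUP_DOMAINS = {"checkip.dyndns.org", "freegeoip.app"}
EXTRACTED_C2 = {"host": "restd.xyz", "port": 587}      # Malware Config: smtp, restd.xyz:587
MAIL_PORTS = {25, 465, 587}
# Assumed corporate allowlist of legitimate outbound mail relays (example value).
ALLOWED_RELAYS = {"smtp.office365.com"}

# Constructed log records; ts is seconds, IPs are from documentation ranges.
SAMPLE_DNS = [
    {"ts": 100.0, "src": "10.0.0.5", "query": "checkip.dyndns.org",   "answers": ["198.51.100.10"]},
    {"ts": 101.0, "src": "10.0.0.5", "query": "freegeoip.app",        "answers": ["198.51.100.20"]},
    {"ts": 104.0, "src": "10.0.0.5", "query": "restd.xyz",            "answers": ["203.0.113.7"]},
    {"ts": 300.0, "src": "10.0.0.9", "query": "smtp.office365.com",   "answers": ["192.0.2.25"]},
    {"ts": 500.0, "src": "10.0.0.7", "query": "mail.partner.example", "answers": ["203.0.113.50"]},
]
SAMPLE_CONN = [
    {"ts": 100.2, "src": "10.0.0.5", "dst_ip": "198.51.100.10", "dst_port": 80},   # the IP lookup itself
    {"ts": 105.0, "src": "10.0.0.5", "dst_ip": "203.0.113.7",   "dst_port": 587},  # the exfiltration
    {"ts": 301.0, "src": "10.0.0.9", "dst_ip": "192.0.2.25",    "dst_port": 587},  # allowlisted relay
    {"ts": 501.0, "src": "10.0.0.7", "dst_ip": "203.0.113.50",  "dst_port": 587},  # unknown relay, no lookup
]


def names_by_ip(dns_records):
    """Invert DNS answers so a connection's destination IP can be given back its hostname(s)."""
    names = defaultdict(set)
    for rec in dns_records:
        for ip in rec.get("answers", []):
            names[ip].add(rec["query"].lower())
    return names


def correlate(dns_records, conn_records, window=300.0):
    """Score every mail-port connection and return findings, highest score first.

    +1  outbound to a mail port on a host that is not an allowlisted relay
    +2  the same source queried an IP-lookup service within `window` seconds before
    +3  destination matches the SMTP host and port extracted from the sample
    """
    names = names_by_ip(dns_records)
    lookups = defaultdict(list)                 # src -> timestamps of IP-lookup queries
    for rec in dns_records:
        if rec["query"].lower() in IP_LOOKUP_DOMAINS:
            lookups[rec["src"]].append(rec["ts"])

    findings = []
    for c in conn_records:
        if c["dst_port"] not in MAIL_PORTS:
            continue
        dst_names = names.get(c["dst_ip"], set())
        if dst_names & ALLOWED_RELAYS:
            continue                            # known relay: ordinary mail traffic
        score, reasons = 1, ["mail port to non-allowlisted host"]
        prior = [t for t in lookups.get(c["src"], []) if 0 <= c["ts"] - t <= window]
        if prior:
            score += 2
            reasons.append(f"external-IP lookup {c['ts'] - max(prior):.0f}s earlier")
        if EXTRACTED_C2["host"] in dst_names and c["dst_port"] == EXTRACTED_C2["port"]:
            score += 3
            reasons.append("matches extracted Snake Keylogger SMTP config")
        findings.append({"src": c["src"], "dst": c["dst_ip"], "names": sorted(dst_names),
                         "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in correlate(SAMPLE_DNS, SAMPLE_CONN):
        print(f"{f['score']}  {f['src']} -> {f['dst']} {f['names']}: {'; '.join(f['reasons'])}")
```

On the constructed input the infected host scores 6 (lookup four seconds before an SMTP connection to the extracted host), the partner relay scores 1 and is left for an analyst to triage, and the Office 365 traffic is not reported at all. The lookup-then-SMTP sequence is the durable signal here; the host name in the config will change between builds.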
Processes
C:\Users\Admin\AppData\Local\Temp\637c0a1232a65aba8a98acb8ec9787af.exe (PID 1556)
  Command line: "C:\Users\Admin\AppData\Local\Temp\637c0a1232a65aba8a98acb8ec9787af.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Users\Admin\AppData\Local\Temp\637c0a1232a65aba8a98acb8ec9787af.exe (PID 3900, hollowed child)
  |     Command line: "C:\Users\Admin\AppData\Local\Temp\637c0a1232a65aba8a98acb8ec9787af.exe"
  |     - Accesses Microsoft Outlook profiles
  |     - Suspicious behavior: EnumeratesProcesses
  |     - Suspicious use of AdjustPrivilegeToken
  |
  +-- C:\Windows\SysWOW64\cmd.exe (PID 2124)
  |     Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe'" /f
  |     - Suspicious use of WriteProcessMemory
  |     |
  |     +-- C:\Windows\SysWOW64\schtasks.exe (PID 1236)
  |           Command line: schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe'" /f
  |           - Creates scheduled task(s)
  |
  +-- C:\Windows\SysWOW64\cmd.exe (PID 2456)
        Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\637c0a1232a65aba8a98acb8ec9787af.exe" "C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe"

C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe (PID 484; second root, consistent with the "Nano" task firing, since that task runs this path every minute)
  Command line: C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe (PID 1712, hollowed child)
  |     Command line: "C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe"
  |     - Executes dropped EXE
  |     - Accesses Microsoft Outlook profiles
  |     - Suspicious behavior: EnumeratesProcesses
  |     - Suspicious use of AdjustPrivilegeToken
  |     - outlook_office_path
  |     - outlook_win_path
  |
  +-- C:\Windows\SysWOW64\cmd.exe (PID 956)
  |     Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe'" /f
  |     - Suspicious use of WriteProcessMemory
  |     |
  |     +-- C:\Windows\SysWOW64\schtasks.exe (PID 1812)
  |           Command line: schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe'" /f
  |           - Creates scheduled task(s)
  |
  +-- C:\Windows\SysWOW64\cmd.exe (PID 1820)
        Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe" "C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe"

Notes on the tree:
- The image path is C:\Windows\SysWOW64\cmd.exe while the command line names System32: the sample is a 32-bit process on windows10_x64, so its System32 references are redirected to SysWOW64 by WOW64 file system redirection.
- The persisted copy (PID 484) repeats the whole install sequence: it re-creates the "Nano" task (the /f overwrites the existing one) and runs copy with source and destination both C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe, i.e. it copies itself onto itself. Because the task fires every minute, the schtasks /create command line and the self-copy recur every minute on an infected host, which makes them cheap to hunt for in process-creation telemetry.
- Cleanup therefore needs both steps: delete the "Nano" task and remove C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe; removing only the file leaves a task that fails every minute, and removing only the task leaves the binary in place.
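The host-side chain above is compact enough to turn into detection logic: a parent that spawns its own image, writes into it and resets a thread context (the hollowing in PIDs 1556 -> 3900 and 484 -> 1712); a schtasks /create with a minute-interval trigger whose action lives under %APPDATA%; and a copy of the executable from %TEMP% into %APPDATA%. The script below is an added example written for this page, not part of the sandbox report or of any product. The events are constructed in a Sysmon-like shape that mirrors the report's PIDs and command lines; the field names, the parent PID of the first process (4040) and the benign "Backup" control task are assumptions.

```python
"""Detections for the install/injection chain in the process tree: self-image
process hollowing, a minute-interval scheduled task in a user-writable path, and
the staging copy into %APPDATA%. Added example; the event dicts are constructed
to mirror the report and their field names are assumptions."""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\637c0a1232a65aba8a98acb8ec9787af.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
TASK_CMD = rf'''schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'{DROPPED}'" /f'''

SAMPLE_EVENTS = [  # PIDs as in the report; the parent of 1556 (4040) is assumed
    {"type": "process_create", "pid": 1556, "ppid": 4040, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "process_create", "pid": 3900, "ppid": 1556, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "write_process_memory", "pid": 1556, "target_pid": 3900},
    {"type": "set_thread_context", "pid": 1556, "target_pid": 3900},
    {"type": "process_create", "pid": 2124, "ppid": 1556, "image": CMD, "cmdline": f'"{CMD}" /c {TASK_CMD}'},
    {"type": "write_process_memory", "pid": 1556, "target_pid": 2124},  # CreateProcess noise: no context reset
    {"type": "process_create", "pid": 1236, "ppid": 2124, "image": SCHTASKS, "cmdline": TASK_CMD},
    {"type": "process_create", "pid": 2456, "ppid": 1556, "image": CMD,
     "cmdline": f'"{CMD}" /c copy "{SAMPLE}" "{DROPPED}"'},
    # constructed benign control: a daily admin task whose action lives under Program Files
    {"type": "process_create", "pid": 5000, "ppid": 4999, "image": SCHTASKS,
     "cmdline": r'schtasks /create /sc daily /st 02:00 /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"'},
]

USER_WRITABLE = re.compile(r"\\(?:AppData|Users\\Public|ProgramData|Temp)\\", re.I)
UNIT_SECONDS = {"minute": 60, "hourly": 3600, "daily": 86400, "weekly": 604800}


def parse_schtasks(cmdline):
    """Pull schedule, modifier, task name and action out of a `schtasks /create` command line."""
    if not re.search(r"schtasks(?:\.exe)?\s+/create\b", cmdline, re.I):
        return None

    def opt(flag):  # value is either "quoted" or a single token
        m = re.search(rf'/{flag}\s+(?:"([^"]+)"|(\S+))', cmdline, re.I)
        return None if not m else next(g for g in m.groups() if g is not None)

    run = opt("tr")
    return {"schedule": (opt("sc") or "").lower(), "modifier": int(opt("mo") or 1),
            "name": opt("tn"), "run": run.strip("'") if run else None}  # the sample wraps the path in '...'


def find_self_hollowing(events):
    """Parent spawns its own image, writes into the child and resets a thread context."""
    proc = {e["pid"]: e for e in events if e["type"] == "process_create"}
    touched = defaultdict(set)
    for e in events:
        if e["type"] in ("write_process_memory", "set_thread_context"):
            touched[(e["pid"], e["target_pid"])].add(e["type"])
    return [{"rule": "self_hollowing", "parent": src, "child": dst, "image": proc[src]["image"]}
            for (src, dst), kinds in touched.items()
            if {"write_process_memory", "set_thread_context"} <= kinds
            and src in proc and dst in proc and proc[dst]["ppid"] == src
            and proc[dst]["image"].lower() == proc[src]["image"].lower()]


def find_task_persistence(events):
    """Scheduled task that re-runs every few minutes and/or runs from a user-writable path."""
    out, seen = [], set()
    for e in events:
        t = parse_schtasks(e["cmdline"]) if e["type"] == "process_create" else None
        if not t or not t["run"] or (t["name"], t["run"]) in seen:
            continue                      # cmd.exe /c ... and schtasks.exe carry the same line
        seen.add((t["name"], t["run"]))
        interval = UNIT_SECONDS.get(t["schedule"], 0) * t["modifier"]
        why = []
        if 0 < interval <= 300:
            why.append(f"re-runs every {interval}s")
        if USER_WRITABLE.search(t["run"]):
            why.append("action lives in a user-writable path")
        if why:
            out.append({"rule": "task_persistence", "pid": e["pid"], "task": t["name"], "run": t["run"], "why": why})
    return out


COPY_RE = re.compile(r'\bcopy\s+"([^"]+)"\s+"([^"]+\.exe)"', re.I)


def find_staging_copy(events):
    """`copy` of an executable into a user-writable directory (the install step before the task)."""
    return [{"rule": "staging_copy", "pid": e["pid"], "src": m.group(1), "dst": m.group(2)}
            for e in events if e["type"] == "process_create"
            for m in [COPY_RE.search(e["cmdline"])] if m and USER_WRITABLE.search(m.group(2))]


def triage(events):
    """All findings plus the concrete clean-up list an IR analyst would act on."""
    findings = find_self_hollowing(events) + find_task_persistence(events) + find_staging_copy(events)
    return findings, {
        "tasks_to_delete": sorted({f["task"] for f in findings if f["rule"] == "task_persistence"}),
        "files_to_collect": sorted({f["run"] for f in findings if f["rule"] == "task_persistence"}
                                   | {f["dst"] for f in findings if f["rule"] == "staging_copy"}),
    }


if __name__ == "__main__":
    found, todo = triage(SAMPLE_EVENTS)
    for f in found:
        print(f)
    print(todo)
```

The hollowing rule deliberately requires both a memory write and a thread-context reset into a child with the parent's own image: as the WriteProcessMemory signature above shows, a parent also writes into every ordinary child it creates, so the write alone is noise. The task rule de-duplicates the cmd.exe wrapper and the schtasks.exe child, which carry the same command line, and the constructed daily "Backup" task under Program Files is not reported.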
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe
  MD5: 637c0a1232a65aba8a98acb8ec9787af
  SHA1: 30f6d7422526ad16c3de841472eb2c8ebfe8cb3f
  SHA256: 3559806841a45de7e6ed11acf6085ddbfb7ca67781e1db676b844b0e92ac30f9
  SHA512: 0beeb98cbcacfb3a3e3321774321c18a8e5e569a4ae08889b01a214762ef0cf73c5b4d3f452aea45d74240612a791c936d7c8fe62476b333e0d3afd6cc65a938
  The hashes are identical to the submitted sample: the dropped file is the byte-for-byte copy made by the copy command in the process tree, so one set of file hashes covers both the original and the persisted copy.
Memory dumps (grouped by process)
637c0a1232a65aba8a98acb8ec9787af.exe, PID 1556 (injector)
  memory/1556-115-0x0000000000BC0000-0x0000000000BC1000-memory.dmp  4KB
  memory/1556-117-0x0000000005BB0000-0x0000000005BB1000-memory.dmp  4KB
  memory/1556-118-0x00000000056B0000-0x00000000056B1000-memory.dmp  4KB
  memory/1556-119-0x0000000005680000-0x0000000005681000-memory.dmp  4KB
  memory/1556-120-0x0000000005620000-0x0000000005621000-memory.dmp  4KB
637c0a1232a65aba8a98acb8ec9787af.exe, PID 3900 (hollowed child)
  memory/3900-121-0x0000000000400000-0x0000000000426000-memory.dmp  152KB
  memory/3900-122-0x00000000004203DE-mapping.dmp
  memory/3900-126-0x0000000004FB0000-0x0000000004FB1000-memory.dmp  4KB
  memory/3900-127-0x0000000004FB0000-0x00000000054AE000-memory.dmp  5.0MB
  memory/3900-131-0x0000000006280000-0x0000000006281000-memory.dmp  4KB
cmd.exe / schtasks.exe children
  memory/2124-128-0x0000000000000000-mapping.dmp
  memory/2456-129-0x0000000000000000-mapping.dmp
  memory/1236-130-0x0000000000000000-mapping.dmp
  memory/956-149-0x0000000000000000-mapping.dmp
  memory/1820-150-0x0000000000000000-mapping.dmp
  memory/1812-151-0x0000000000000000-mapping.dmp
dfxzdg.exe, PID 484 (injector)
  memory/484-136-0x00000000013B0000-0x00000000013B1000-memory.dmp  4KB
  memory/484-140-0x0000000005000000-0x0000000005001000-memory.dmp  4KB
dfxzdg.exe, PID 1712 (hollowed child)
  memory/1712-143-0x00000000004203DE-mapping.dmp
  memory/1712-152-0x0000000005170000-0x000000000566E000-memory.dmp  5.0MB

The mapping dumps for both hollowed children sit at the same address, 0x4203DE, inside the 0x400000-0x426000 image region dumped from PID 3900. That 152KB region holds the code that actually runs after the hollowing and is the dump to take for static analysis of the unpacked payload; the identical offset in PID 1712 shows the dropped copy unpacks to the same image.