Analysis
- max time kernel: 123s
- max time network: 122s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 20-10-2021 06:24
Static task: static1
Behavioral task: behavioral1
- Sample: 83c11e7d4fcf13515fc5be9938dd75be.exe
- Resource: win7-en-20211014
Behavioral task: behavioral2
- Sample: 83c11e7d4fcf13515fc5be9938dd75be.exe
- Resource: win10-en-20210920
General
- Target: 83c11e7d4fcf13515fc5be9938dd75be.exe
- Size: 641KB
- MD5: 83c11e7d4fcf13515fc5be9938dd75be
- SHA1: 5b1267583abf7803a20aa63bc9739894ee567c31
- SHA256: df9ce9ef0fe2c633c368b9859f6f88672b5be6867c52ad54d6b7ab42081893fd
- SHA512: 6b07e7e369554e6bbe036263ef93fe2019606d8ac68049bc44b03dbcaccc5e4f47975fc59d5d54a9fde6bfced9e51f44340de1c8bc3e92f6cbbf84c99fb5f2b2
Malware Config
Extracted: snakekeylogger
- Protocol: smtp
- Host: budgetn.shop
- Port: 587
- Username: [email protected]
- Password: rSJ9l_d%#+1Z
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Uses the VBS compiler for execution (1 TTP)
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes: vbc.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | vbc.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | vbc.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | vbc.exe
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  4 | checkip.dyndns.org
  8 | freegeoip.app
  9 | freegeoip.app
- Suspicious use of SetThreadContext (1 IoC)
  Processes: 83c11e7d4fcf13515fc5be9938dd75be.exe
  description | pid | process | target process
  PID 2024 set thread context of 520 | 2024 | 83c11e7d4fcf13515fc5be9938dd75be.exe | vbc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  Processes: WerFault.exe
  pid | pid_target | process | target process
  616 | 2024 | WerFault.exe | 83c11e7d4fcf13515fc5be9938dd75be.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: vbc.exe, WerFault.exe
  pid | process
  520 | vbc.exe
  616 | WerFault.exe (5 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: WerFault.exe
  pid | process
  616 | WerFault.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: 83c11e7d4fcf13515fc5be9938dd75be.exe, vbc.exe, WerFault.exe
  description | pid | process
  Token: SeDebugPrivilege | 2024 | 83c11e7d4fcf13515fc5be9938dd75be.exe
  Token: SeDebugPrivilege | 520 | vbc.exe
  Token: SeDebugPrivilege | 616 | WerFault.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes: 83c11e7d4fcf13515fc5be9938dd75be.exe
  description | pid | process | target process
  PID 2024 wrote to memory of 520 | 2024 | 83c11e7d4fcf13515fc5be9938dd75be.exe | vbc.exe (9 entries)
  PID 2024 wrote to memory of 616 | 2024 | 83c11e7d4fcf13515fc5be9938dd75be.exe | WerFault.exe (4 entries)
- outlook_office_path (1 IoC)
  Processes: vbc.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | vbc.exe
- outlook_win_path (1 IoC)
  Processes: vbc.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | vbc.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\83c11e7d4fcf13515fc5be9938dd75be.exe (PID 2024)
  Command line: "C:\Users\Admin\AppData\Local\Temp\83c11e7d4fcf13515fc5be9938dd75be.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 520, child of PID 2024)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
  - C:\Windows\SysWOW64\WerFault.exe (PID 616, child of PID 2024)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 808
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/520-57-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize 152KB)
- memory/520-58-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize 152KB)
- memory/520-59-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize 152KB)
- memory/520-60-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize 152KB)
- memory/520-61-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize 152KB)
- memory/520-62-0x00000000004203FE-mapping.dmp
- memory/520-63-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize 152KB)
- memory/520-65-0x0000000004CD0000-0x0000000004CD1000-memory.dmp (Filesize 4KB)
- memory/616-66-0x0000000000000000-mapping.dmp
- memory/616-67-0x0000000000220000-0x0000000000221000-memory.dmp (Filesize 4KB)
- memory/2024-54-0x0000000000190000-0x0000000000191000-memory.dmp (Filesize 4KB)
- memory/2024-56-0x0000000004AA0000-0x0000000004AA1000-memory.dmp (Filesize 4KB)