Analysis
-
max time kernel
111s -
max time network
128s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
25-11-2021 16:47
Static task
static1
Behavioral task
behavioral1
Sample
a28c434e703d9d0961f526f87a61109c.exe
Resource
win7-en-20211104
Behavioral task
behavioral2
Sample
a28c434e703d9d0961f526f87a61109c.exe
Resource
win10-en-20211014
General
-
Target
a28c434e703d9d0961f526f87a61109c.exe
-
Size
662KB
-
MD5
a28c434e703d9d0961f526f87a61109c
-
SHA1
c18ce22d993ee202d7c4e91aeda8f602a1ddb054
-
SHA256
1a58c708f0c8b203949c9f180813f7fd6665b2f7bbf6f474b39d94e3d6638a30
-
SHA512
a380bd060f69d0813fa1c1141fc960225fbeb1a13195ed7349a2d0f7d3ad72e9b37df4f2f8afe45ac8b6bf4997fdc5bac69d9ec93123a1ef5e8f0871dc29e72d
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
octfirr.shop - Port:
587 - Username:
income@octfirr.shop - Password:
oPU]A^_2)Udl
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
a28c434e703d9d0961f526f87a61109c.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 a28c434e703d9d0961f526f87a61109c.exe Key opened \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 a28c434e703d9d0961f526f87a61109c.exe Key opened \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 a28c434e703d9d0961f526f87a61109c.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 22 checkip.dyndns.org 25 freegeoip.app 26 freegeoip.app -
Suspicious use of SetThreadContext 1 IoCs
Processes:
a28c434e703d9d0961f526f87a61109c.exedescription pid process target process PID 3672 set thread context of 972 3672 a28c434e703d9d0961f526f87a61109c.exe a28c434e703d9d0961f526f87a61109c.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
a28c434e703d9d0961f526f87a61109c.exea28c434e703d9d0961f526f87a61109c.exepid process 3672 a28c434e703d9d0961f526f87a61109c.exe 3672 a28c434e703d9d0961f526f87a61109c.exe 3672 a28c434e703d9d0961f526f87a61109c.exe 972 a28c434e703d9d0961f526f87a61109c.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
a28c434e703d9d0961f526f87a61109c.exea28c434e703d9d0961f526f87a61109c.exedescription pid process Token: SeDebugPrivilege 3672 a28c434e703d9d0961f526f87a61109c.exe Token: SeDebugPrivilege 972 a28c434e703d9d0961f526f87a61109c.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
a28c434e703d9d0961f526f87a61109c.exedescription pid process target process PID 3672 wrote to memory of 972 3672 a28c434e703d9d0961f526f87a61109c.exe a28c434e703d9d0961f526f87a61109c.exe PID 3672 wrote to memory of 972 3672 a28c434e703d9d0961f526f87a61109c.exe a28c434e703d9d0961f526f87a61109c.exe PID 3672 wrote to memory of 972 3672 a28c434e703d9d0961f526f87a61109c.exe a28c434e703d9d0961f526f87a61109c.exe PID 3672 wrote to memory of 972 3672 a28c434e703d9d0961f526f87a61109c.exe a28c434e703d9d0961f526f87a61109c.exe PID 3672 wrote to memory of 972 3672 a28c434e703d9d0961f526f87a61109c.exe a28c434e703d9d0961f526f87a61109c.exe PID 3672 wrote to memory of 972 3672 a28c434e703d9d0961f526f87a61109c.exe a28c434e703d9d0961f526f87a61109c.exe PID 3672 wrote to memory of 972 3672 a28c434e703d9d0961f526f87a61109c.exe a28c434e703d9d0961f526f87a61109c.exe PID 3672 wrote to memory of 972 3672 a28c434e703d9d0961f526f87a61109c.exe a28c434e703d9d0961f526f87a61109c.exe -
outlook_office_path 1 IoCs
Processes:
a28c434e703d9d0961f526f87a61109c.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 a28c434e703d9d0961f526f87a61109c.exe -
outlook_win_path 1 IoCs
Processes:
a28c434e703d9d0961f526f87a61109c.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 a28c434e703d9d0961f526f87a61109c.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a28c434e703d9d0961f526f87a61109c.exe"C:\Users\Admin\AppData\Local\Temp\a28c434e703d9d0961f526f87a61109c.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\a28c434e703d9d0961f526f87a61109c.exeC:\Users\Admin\AppData\Local\Temp\a28c434e703d9d0961f526f87a61109c.exe2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\a28c434e703d9d0961f526f87a61109c.exe.logMD5
10e24c22b1795d288fb8a915db04a7f1
SHA1595e82869944ffad9577b4927084cbf0495e6c39
SHA256858c0144b55f4b3d33b00ec7c91c6d891ffbfcca694afd7115ce767119c9b759
SHA512262b15d857618556aa7e0943a41698f03b5d4bd50e3cd53862f30a8dbbaca30ce7aa1cbd7baf8a5f3d046190c5be2cd8d6ad39f2842c030e2c68974a9935ab95
-
memory/972-125-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/972-133-0x0000000005F20000-0x0000000005F21000-memory.dmpFilesize
4KB
-
memory/972-132-0x0000000002850000-0x0000000002851000-memory.dmpFilesize
4KB
-
memory/972-131-0x0000000004E30000-0x0000000004E31000-memory.dmpFilesize
4KB
-
memory/972-126-0x00000000004204CE-mapping.dmp
-
memory/3672-119-0x00000000055F0000-0x00000000055F1000-memory.dmpFilesize
4KB
-
memory/3672-123-0x00000000055A0000-0x00000000055BB000-memory.dmpFilesize
108KB
-
memory/3672-124-0x0000000005700000-0x0000000005701000-memory.dmpFilesize
4KB
-
memory/3672-122-0x0000000005570000-0x0000000005597000-memory.dmpFilesize
156KB
-
memory/3672-121-0x00000000052D0000-0x00000000057CE000-memory.dmpFilesize
5.0MB
-
memory/3672-120-0x0000000005690000-0x0000000005691000-memory.dmpFilesize
4KB
-
memory/3672-115-0x00000000008B0000-0x00000000008B1000-memory.dmpFilesize
4KB
-
memory/3672-118-0x00000000052D0000-0x000000000534B000-memory.dmpFilesize
492KB
-
memory/3672-117-0x00000000057D0000-0x00000000057D1000-memory.dmpFilesize
4KB