Analysis
max time kernel: 149s
max time network: 141s
platform: windows7_x64
resource: win7-en-20211104
submitted: 01-12-2021 07:40
Static task: static1
Behavioral task: behavioral1 (sample Details.exe, resource win7-en-20211104)
Behavioral task: behavioral2 (sample Details.exe, resource win10-en-20211104)
General
Target: Details.exe
Size: 399KB
MD5: 4a2394c58bbba9bd7d72f10c4f0cbc70
SHA1: 4b4de49d29474fcbbc0fed996e551848d14ef5e8
SHA256: 1909bc166ed4a9211d5d4fff2baf93a07268335ac80b372b0552fe414013d45d
SHA512: 026686a8769fdf1d779ede9bb6e1e9cf448e4677086d078eee4500f8d40d6e2630b46185adaad8c48221f80430afd1d97abf0ffc6917b34355b9b127693ef5be
Malware Config
Extracted family: snakekeylogger
Protocol: smtp
Host: mail.greentrading.com.pk
Port: 26
Username: info@greentrading.com.pk
Password: lovetoall
These are the sample's exfiltration settings: Snake Keylogger mails the collected keystrokes and credentials to this account over SMTP, here on port 26 rather than the usual 25, 465 or 587, which is itself a useful egress indicator.
Signatures

Snake Keylogger
Keylogger and infostealer first seen in November 2020.

Snake Keylogger Payload (4 IoCs)
YARA rule family_snakekeylogger matched these memory dumps of PID 1644 (the child process):
behavioral1/memory/1644-57-0x0000000000400000-0x0000000000477000-memory.dmp
behavioral1/memory/1644-58-0x000000000040188B-mapping.dmp
behavioral1/memory/1644-60-0x0000000000400000-0x0000000000477000-memory.dmp
behavioral1/memory/1644-61-0x0000000001DA0000-0x0000000001E02000-memory.dmp

Loads dropped DLL (1 IoC)
PID 1316 Details.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Registry keys opened by Details.exe:
\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 4: checkip.dyndns.org
flow 8: freegeoip.app
flow 9: freegeoip.app

Suspicious use of SetThreadContext (1 IoC)
PID 1316 (Details.exe) set the thread context of PID 1644 (Details.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour, but this sample is classified above as a keylogger/infostealer and the report shows no file encryption or ransom-note activity; read the drive enumeration in that context.

Suspicious behavior: EnumeratesProcesses (1 IoC)
PID 1644 Details.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
PID 1644 Details.exe (repeated GetForegroundWindow polling, which keyloggers use to record the active window alongside keystrokes)

Suspicious use of AdjustPrivilegeToken (1 IoC)
PID 1644 Details.exe enabled SeDebugPrivilege on its token

Suspicious use of SetWindowsHookEx (1 IoC)
PID 1644 Details.exe (the user-mode hook API through which keystrokes are captured)

Suspicious use of WriteProcessMemory (11 IoCs)
PID 1316 (Details.exe) wrote to the memory of PID 1644 (Details.exe); the report records eleven identical write events for this parent/child pair.

outlook_office_path (1 IoC)
Key opened by Details.exe: \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

outlook_win_path (1 IoC)
Key opened by Details.exe: \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
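The network indicators in this report (the extracted SMTP exfiltration host and port, and the checkip.dyndns.org / freegeoip.app lookups) can be turned into a small correlated detection. The following is an added example, not part of the sandbox report or of any vendor's tooling: it parses constructed proxy/flow log lines in a made-up format, raises per-record alerts on the report's IoCs, and then correlates the sequence the sample actually shows (external IP lookup, then SMTP shortly after) so that a lone hit on a legitimate IP-lookup service does not fire on its own. The alternate-port SMTP rule generalises beyond this one sample and is marked as such.

```python
"""Added example, not part of the sandbox report: replays the report's
network indicators over constructed log lines and correlates them the
way the sample behaves (IP lookup first, SMTP exfiltration shortly after).
The log format, the non-IoC hosts and the timestamps are all made up."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Indicators copied from the report above.
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "freegeoip.app"}
EXFIL_SMTP_HOST = "mail.greentrading.com.pk"
EXFIL_SMTP_PORT = 26   # non-standard; 25/465/587 are the usual SMTP ports

# Constructed log lines (not real traffic).  One record per line:
# <utc timestamp> <src ip> <destination host> <dst port> <proto>
SAMPLE_LOG = """\
2021-12-01T07:41:02Z 10.0.0.15 www.microsoft.com 443 https
2021-12-01T07:41:05Z 10.0.0.15 checkip.dyndns.org 80 http
2021-12-01T07:41:06Z 10.0.0.15 freegeoip.app 443 https
2021-12-01T07:41:09Z 10.0.0.15 mail.greentrading.com.pk 26 tcp
2021-12-01T07:42:00Z 10.0.0.22 smtp.office365.com 587 tcp
2021-12-01T07:50:00Z 10.0.0.22 mail.example.net 26 tcp
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)$")


@dataclass(frozen=True)
class Alert:
    ts: datetime
    src: str
    rule: str
    detail: str


def parse_line(line):
    """Parse one constructed log line; returns None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, host, port, proto = m.groups()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src,
            host.lower(), int(port), proto.lower())


def check_record(rec):
    """Apply the per-record rules; one record may raise several alerts."""
    ts, src, host, port, proto = rec
    alerts = []
    if host in IP_LOOKUP_HOSTS:
        # Legitimate services, so on their own this is only a weak signal.
        alerts.append(Alert(ts, src, "external_ip_lookup", host))
    if host == EXFIL_SMTP_HOST:
        alerts.append(Alert(ts, src, "snakekeylogger_smtp_exfil", f"{host}:{port}"))
    elif port == EXFIL_SMTP_PORT and proto == "tcp":
        # Generalisation beyond this report: any client reaching the
        # sample's alternate SMTP port is worth a second look.
        alerts.append(Alert(ts, src, "smtp_alternate_port", f"{host}:{port}"))
    return alerts


def detect(log_text):
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            alerts.extend(check_record(rec))
    return alerts


def correlate(alerts, window=timedelta(minutes=5)):
    """Source IPs that did an external IP lookup and then hit an SMTP rule
    within `window`, which is the order this sample shows.  A lone
    alternate-port SMTP flow without a preceding lookup is not enough."""
    lookups = [a for a in alerts if a.rule == "external_ip_lookup"]
    smtp = [a for a in alerts
            if a.rule in ("snakekeylogger_smtp_exfil", "smtp_alternate_port")]
    hits = set()
    for lk in lookups:
        for s in smtp:
            if s.src == lk.src and timedelta(0) <= s.ts - lk.ts <= window:
                hits.add(s.src)
    return hits


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(a.ts.isoformat(), a.src, a.rule, a.detail)
    print("correlated sources:", sorted(correlate(found)))
```

Against the constructed log, 10.0.0.15 produces two lookup alerts and the exfil-host alert and is the only correlated source; 10.0.0.22 only triggers the low-confidence alternate-port rule and is left out. In a real deployment the lookup-host list should be broader (the sample uses two, other builds use others) and the SMTP side should come from actual protocol detection rather than the port alone.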
Processes
1. C:\Users\Admin\AppData\Local\Temp\Details.exe  "C:\Users\Admin\AppData\Local\Temp\Details.exe"  (PID 1316)
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Details.exe  "C:\Users\Admin\AppData\Local\Temp\Details.exe"  (PID 1644, child of 1316)
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - outlook_office_path
      - outlook_win_path
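The process tree and the SetThreadContext / WriteProcessMemory signatures together describe one injection pattern: PID 1316 starts a second copy of its own image (PID 1644), writes into it, redirects a thread, and the YARA hits on the child's 0x400000 image region are where the Snake Keylogger payload then lives. The following added example, not code from the report or from any sandbox, reconstructs that pattern from a simplified API trace and scores each parent/child pair. The trace is constructed to mirror the report's PIDs and counts; the event schema and the second (control) pair are made up.

```python
"""Added example, not part of the sandbox report: scores parent -> child
pairs in a simplified API trace for the hollowing pattern the report
records (CreateProcess of the same image, WriteProcessMemory x11,
SetThreadContext).  The event schema is invented for the example."""
from collections import defaultdict
from dataclasses import dataclass

DETAILS = r"C:\Users\Admin\AppData\Local\Temp\Details.exe"

# Constructed trace.  Pair 1316 -> 1644 copies what the report records;
# pair 4000 -> 4100 is a made-up control case with a cross-process write
# but no thread-context change.
SAMPLE_TRACE = (
    [{"api": "CreateProcess", "pid": 1316, "image": DETAILS,
      "child_pid": 1644, "child_image": DETAILS}]
    + [{"api": "WriteProcessMemory", "pid": 1316, "target_pid": 1644}] * 11
    + [{"api": "SetThreadContext", "pid": 1316, "target_pid": 1644},
       {"api": "CreateProcess", "pid": 4000, "image": r"C:\tools\dbg.exe",
        "child_pid": 4100, "child_image": r"C:\tools\target.exe"},
       {"api": "WriteProcessMemory", "pid": 4000, "target_pid": 4100}]
)


@dataclass
class PairEvidence:
    parent_image: str = ""
    child_image: str = ""
    writes: int = 0
    context_sets: int = 0

    @property
    def same_image(self):
        return bool(self.parent_image) and (
            self.parent_image.lower() == self.child_image.lower())

    def verdict(self):
        # Writing into the child and then redirecting one of its threads is
        # the combination that separates hollowing from an ordinary write.
        if self.writes and self.context_sets:
            return "self_hollowing" if self.same_image else "process_hollowing"
        if self.writes:
            return "memory_write_only"
        return "none"


def analyze(trace):
    """Group events by (parent pid, child pid); return every pair that shows
    at least one cross-process memory write, with its evidence."""
    pairs = defaultdict(PairEvidence)
    for ev in trace:
        api = ev["api"]
        if api == "CreateProcess":
            p = pairs[(ev["pid"], ev["child_pid"])]
            p.parent_image, p.child_image = ev["image"], ev["child_image"]
        elif api == "WriteProcessMemory":
            pairs[(ev["pid"], ev["target_pid"])].writes += 1
        elif api == "SetThreadContext":
            pairs[(ev["pid"], ev["target_pid"])].context_sets += 1
    return {k: v for k, v in pairs.items() if v.verdict() != "none"}


if __name__ == "__main__":
    for (parent, child), ev in analyze(SAMPLE_TRACE).items():
        print(f"{parent} -> {child}: {ev.verdict()} (writes={ev.writes}, "
              f"SetThreadContext={ev.context_sets}, same image={ev.same_image})")
```

The production analogue with Sysmon is Event ID 1 where ParentImage equals Image, followed by Event ID 10 from that parent to the child whose GrantedAccess includes PROCESS_VM_WRITE (0x20) and PROCESS_VM_OPERATION (0x8); Sysmon has no event for SetThreadContext itself, so the write-plus-same-image combination is what you can actually key on there.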
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
\Users\Admin\AppData\Local\Temp\nsiE409.tmp\kovywh.dll (the dropped DLL loaded by PID 1316; nsi*.tmp is the temporary plugin directory an NSIS installer unpacks into)
  MD5: 2a46ad24441fac8feb9c8d650b0ed7c2
  SHA1: 2a77f8fdc24dcc0851836a91535b566fa6592e13
  SHA256: 06969a3b1796679bb1425b3ebd69e230d69ba9e021187828680071a918045ea7
  SHA512: 76924cbb2a5c351f7335b2d95309fefcf55e8ba691d9dd3d93a54f4de884f6e38312e422f14d4484cd5edbceefdda8f81b93ca1957ea07f14ee6b4f5bbe3cf99

Memory dumps:
memory/1316-55-0x0000000076241000-0x0000000076243000-memory.dmp (8KB)
memory/1644-57-0x0000000000400000-0x0000000000477000-memory.dmp (476KB)
memory/1644-58-0x000000000040188B-mapping.dmp
memory/1644-60-0x0000000000400000-0x0000000000477000-memory.dmp (476KB)
memory/1644-61-0x0000000001DA0000-0x0000000001E02000-memory.dmp (392KB)
memory/1644-64-0x0000000004822000-0x0000000004823000-memory.dmp (4KB)
memory/1644-63-0x0000000004821000-0x0000000004822000-memory.dmp (4KB)
memory/1644-65-0x0000000004823000-0x0000000004824000-memory.dmp (4KB)
memory/1644-66-0x0000000004824000-0x0000000004825000-memory.dmp (4KB)
memory/1644-67-0x0000000004829000-0x000000000483A000-memory.dmp (68KB)