Analysis
- max time kernel: 146s
- max time network: 146s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 03-12-2021 12:19
Static task: static1
Behavioral task: behavioral1
- Sample: 7e3b08163812d6a9ff4e279058f603e5.exe
- Resource: win7-en-20211104
Behavioral task: behavioral2
- Sample: 7e3b08163812d6a9ff4e279058f603e5.exe
- Resource: win10-en-20211014
General
- Target: 7e3b08163812d6a9ff4e279058f603e5.exe
- Size: 388KB
- MD5: 7e3b08163812d6a9ff4e279058f603e5
- SHA1: 29a1e69c99fadc447a6958c24e45c71127e88d6b
- SHA256: a6a4c5aaefa51d2f614a6f21e83b64d63e29fb868c8d410dacf317ad220f774a
- SHA512: 7682105ae32834638f77c1c3282bdc3eefc42d922843d12aa346f4c9b2d68269764677b29444953bbff8a9245d2c14416817e879550b170a1921d14366af492b
Malware Config
Extracted: snakekeylogger
- Protocol: smtp
- Host: mail.sapphireclothing.com
- Port: 587
- Username: hr@sapphireclothing.com
- Password: hrSap2018
Stolen data is sent as e-mail through this account over SMTP submission (port 587), so the host and the sending mailbox are the network indicators to hunt for; a plaintext password in the extracted config is usual for this family and should be treated as already burned.
Signatures
- Snake Keylogger
  Keylogger and infostealer first seen in November 2020.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Registry keys opened by 7e3b08163812d6a9ff4e279058f603e5.exe:
  - \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  - flow 22: checkip.dyndns.org
  - flow 24: freegeoip.app
  - flow 25: freegeoip.app
- Suspicious use of SetThreadContext (1 IoC)
  PID 2728 (7e3b08163812d6a9ff4e279058f603e5.exe) set the thread context of PID 924 (7e3b08163812d6a9ff4e279058f603e5.exe).
  Taken together with the WriteProcessMemory events below, this is the parent writing a payload into a freshly started copy of its own image and redirecting that copy's thread to it: the process-hollowing pattern. The credential-theft behaviour is then attributed to the child, PID 924.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 924 (7e3b08163812d6a9ff4e279058f603e5.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 924 (7e3b08163812d6a9ff4e279058f603e5.exe) enabled SeDebugPrivilege.
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2728 (7e3b08163812d6a9ff4e279058f603e5.exe) wrote to the memory of PID 924 (7e3b08163812d6a9ff4e279058f603e5.exe), 8 times.
- outlook_office_path (1 IoC)
  Key opened by 7e3b08163812d6a9ff4e279058f603e5.exe: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- outlook_win_path (1 IoC)
  Key opened by 7e3b08163812d6a9ff4e279058f603e5.exe: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
- C:\Users\Admin\AppData\Local\Temp\7e3b08163812d6a9ff4e279058f603e5.exe (PID 2728)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7e3b08163812d6a9ff4e279058f603e5.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\7e3b08163812d6a9ff4e279058f603e5.exe (PID 924, child of 2728)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7e3b08163812d6a9ff4e279058f603e5.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
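The signature list and process tree above describe one chain: a parent writes into and redirects a child running the same image, and the child then enables SeDebugPrivilege, opens Outlook profile keys and resolves IP-lookup services. The following Python turns that chain into triage logic run over behaviour events. It is an added example, not code from the sandbox vendor or from the Snake Keylogger family; the event records are constructed to mirror the report's entries (PIDs, image name, registry keys and domains are copied from it), and their field names ("api", "pid", "target_pid", ...) are an assumed, hypothetical schema rather than any real sandbox export format.

```python
"""Triage behaviour events for the inject-then-steal pattern this report shows.

Added example; not the sandbox's or the malware's code. Event field names are
a hypothetical schema; PIDs, key paths and domains are taken from the report.
"""
from collections import defaultdict

SAMPLE = "7e3b08163812d6a9ff4e279058f603e5.exe"
HKU = "\\REGISTRY\\USER\\S-1-5-21-941723256-3451054534-3089625102-1000"

# Constructed events: parent 2728 writes into and redirects child 924 (same
# image); the child then enables SeDebugPrivilege, opens Outlook profile keys
# and resolves IP-lookup services.
EVENTS = [
    {"api": "WriteProcessMemory", "pid": 2728, "image": SAMPLE, "target_pid": 924, "target_image": SAMPLE},
    {"api": "WriteProcessMemory", "pid": 2728, "image": SAMPLE, "target_pid": 924, "target_image": SAMPLE},
    {"api": "SetThreadContext", "pid": 2728, "image": SAMPLE, "target_pid": 924, "target_image": SAMPLE},
    {"api": "AdjustPrivilegeToken", "pid": 924, "image": SAMPLE, "privilege": "SeDebugPrivilege"},
    {"api": "RegOpenKey", "pid": 924, "image": SAMPLE,
     "key": HKU + r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"api": "RegOpenKey", "pid": 924, "image": SAMPLE,
     "key": HKU + r"\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"api": "DnsQuery", "pid": 924, "image": SAMPLE, "domain": "checkip.dyndns.org"},
    {"api": "DnsQuery", "pid": 924, "image": SAMPLE, "domain": "freegeoip.app"},
]

# The two services the report shows being used to learn the victim's external IP.
IP_LOOKUP_DOMAINS = {"checkip.dyndns.org", "freegeoip.app"}
INJECT_APIS = {"WriteProcessMemory", "SetThreadContext"}


def find_self_injection(events):
    """(parent, child) pairs where one process both wrote into and set the thread
    context of another process running the *same* image: the write-then-redirect
    sequence of process hollowing / RunPE-style self-injection."""
    apis_by_pair = defaultdict(set)
    for ev in events:
        if ev["api"] in INJECT_APIS and ev.get("image") == ev.get("target_image"):
            apis_by_pair[(ev["pid"], ev["target_pid"])].add(ev["api"])
    return sorted(pair for pair, apis in apis_by_pair.items() if INJECT_APIS <= apis)


def find_outlook_profile_reads(events):
    """PIDs that opened MAPI/Outlook profile keys, where stored mail account data lives."""
    return sorted({ev["pid"] for ev in events
                   if ev["api"] == "RegOpenKey" and "\\Profiles\\Outlook\\" in ev["key"]})


def find_ip_lookups(events):
    """Domains from the IP-lookup list that any process resolved."""
    return sorted({ev["domain"] for ev in events
                   if ev["api"] == "DnsQuery" and ev["domain"] in IP_LOOKUP_DOMAINS})


def find_debug_privilege(events):
    """PIDs that enabled SeDebugPrivilege (lets the process open protected processes)."""
    return sorted({ev["pid"] for ev in events
                   if ev["api"] == "AdjustPrivilegeToken" and ev.get("privilege") == "SeDebugPrivilege"})


def triage(events):
    """Combine the indicators. Credential-store access *from the injected child*
    is what separates an infostealer from a mere packer or loader."""
    findings = {
        "self_injection": find_self_injection(events),
        "outlook_profile_reads": find_outlook_profile_reads(events),
        "ip_lookups": find_ip_lookups(events),
        "se_debug_privilege": find_debug_privilege(events),
    }
    injected_children = {child for _, child in findings["self_injection"]}
    if injected_children & set(findings["outlook_profile_reads"]):
        verdict = "infostealer-like"
    elif any(findings.values()):
        verdict = "suspicious"
    else:
        verdict = "clean"
    findings["verdict"] = verdict
    return findings


if __name__ == "__main__":
    import json
    print(json.dumps(triage(EVENTS), indent=2))
```

The same-image check in `find_self_injection` is deliberate: a parent writing into an unrelated process is also worth a look, but the self-spawn-and-overwrite shape is what this report shows and what packers for this family routinely do.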
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\7e3b08163812d6a9ff4e279058f603e5.exe.log
  MD5: f1181bc4bdff57024c4121f645548332
  SHA1: d431ee3a3a5afcae2c4537b1d445054a0a95f6e6
  SHA256: f1a7e138b25d0cb24bb4b23bd781b0dd357afd49d45e19ffa44cdb80170336ad
  SHA512: cf8059f289bcb4f33e82a2c4851fade486bd449793a39718d49bc357efd09689150aedd277c5ebcf79b5ebb4bbe36f0cbb72510a50398bee804ffd9c889604e3
  (A usage log under CLR_v4.0_32 is written by the .NET runtime, so the sample is a 32-bit .NET 4 assembly.)
- memory/924-125-0x0000000000400000-0x0000000000426000-memory.dmp (152KB)
- memory/924-126-0x000000000042052E-mapping.dmp
- memory/924-132-0x00000000055B0000-0x0000000005AAE000-memory.dmp (5.0MB)
- memory/924-134-0x00000000069C0000-0x00000000069C1000-memory.dmp (4KB)
- memory/2728-115-0x00000000004E0000-0x00000000004E1000-memory.dmp (4KB)
- memory/2728-117-0x0000000005550000-0x0000000005551000-memory.dmp (4KB)
- memory/2728-118-0x0000000004F40000-0x0000000004F41000-memory.dmp (4KB)
- memory/2728-119-0x0000000004EC0000-0x0000000004EC1000-memory.dmp (4KB)
- memory/2728-120-0x0000000005050000-0x000000000554E000-memory.dmp (5.0MB)
- memory/2728-121-0x0000000005030000-0x0000000005038000-memory.dmp (32KB)
- memory/2728-122-0x0000000005480000-0x0000000005481000-memory.dmp (4KB)
- memory/2728-123-0x0000000005CF0000-0x0000000005CF1000-memory.dmp (4KB)
- memory/2728-124-0x0000000005CA0000-0x0000000005CEB000-memory.dmp (300KB)
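The dump list is where an analyst goes next: the hollowed child (PID 924) has a 152KB region at 0x400000, the default 32-bit image base, and a mapping entry at 0x42052E that falls inside it, which is the region to carve for the unpacked payload. The Python below ranks dumps on exactly that basis. It is an added example, not part of the sandbox report; the dump names are a subset of the Downloads list above, the naming scheme it parses ("memory/<pid>-<seq>-<start>-<end>-memory.dmp" for a region, "memory/<pid>-<seq>-<addr>-mapping.dmp" for a single address) is inferred from those names alone, and calling the mapped address an "entry hint" is this example's own interpretation.

```python
"""Pick the memory dump most likely to hold the unpacked payload.

Added example, not part of the sandbox report. The dump naming scheme is
inferred from the report's file names; "entry_hint" is our own label.
"""
import re

# Subset of the report's Downloads list (copied verbatim).
DUMPS = [
    "memory/924-125-0x0000000000400000-0x0000000000426000-memory.dmp",
    "memory/924-134-0x00000000069C0000-0x00000000069C1000-memory.dmp",
    "memory/924-132-0x00000000055B0000-0x0000000005AAE000-memory.dmp",
    "memory/924-126-0x000000000042052E-mapping.dmp",
    "memory/2728-124-0x0000000005CA0000-0x0000000005CEB000-memory.dmp",
    "memory/2728-120-0x0000000005050000-0x000000000554E000-memory.dmp",
    "memory/2728-115-0x00000000004E0000-0x00000000004E1000-memory.dmp",
]

REGION_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")
MAPPING_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-mapping\.dmp$")

# Default image base of a 32-bit EXE. A fresh PE written here inside a child
# that was hollowed is the classic sign that this dump is the real payload.
DEFAULT_IMAGE_BASE = 0x400000


def human_size(n):
    """Format like the report: whole KB below 1 MB, one-decimal MB above."""
    return f"{n / 2**20:.1f}MB" if n >= 2**20 else f"{n // 1024}KB"


def parse_dumps(names):
    """Split dump names into address regions and single-address mappings."""
    regions, mappings = [], []
    for name in names:
        m = REGION_RE.match(name)
        if m:
            start, end = int(m[3], 16), int(m[4], 16)
            regions.append({"name": name, "pid": int(m[1]), "seq": int(m[2]),
                            "start": start, "end": end, "size": end - start})
            continue
        m = MAPPING_RE.match(name)
        if m:
            mappings.append({"name": name, "pid": int(m[1]), "seq": int(m[2]),
                             "addr": int(m[3], 16)})
    return {"regions": regions, "mappings": mappings}


def candidate_payloads(names):
    """Regions starting at the default image base that also contain a mapped
    address from the same PID. The offset of that address inside the region is
    where to start when the carved PE's entry point is examined."""
    parsed = parse_dumps(names)
    out = []
    for r in parsed["regions"]:
        if r["start"] != DEFAULT_IMAGE_BASE:
            continue
        hits = [m["addr"] for m in parsed["mappings"]
                if m["pid"] == r["pid"] and r["start"] <= m["addr"] < r["end"]]
        out.append({**r,
                    "entry_hint": hits[0] if hits else None,
                    "entry_offset": (hits[0] - r["start"]) if hits else None,
                    "size_text": human_size(r["size"])})
    return out


if __name__ == "__main__":
    for c in candidate_payloads(DUMPS):
        hint = f"{c['entry_hint']:#x} at offset {c['entry_offset']:#x}" if c["entry_hint"] else "none"
        print(f"PID {c['pid']}: {c['name']} ({c['size_text']}), entry hint {hint}")
```

On this report the only candidate is the 924-125 dump: the parent's regions all sit above 0x4E0000 and never at the image base, which is consistent with the parent being the packer stub and the child holding the stealer.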