Analysis
- max time kernel: 147s
- max time network: 150s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 14-12-2021 15:40
Static task: static1
Behavioral task: behavioral1
- Sample: PO2491039385.js
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: PO2491039385.js
- Resource: win10-en-20211208
General
- Target: PO2491039385.js
- Size: 536KB
- MD5: e09294b9ca51300793673da85e23fa34
- SHA1: 46715b9d35152983bd452eb6bf65c588b36a7ab1
- SHA256: 915ed58984f946bee7b46fd8d6a4cc81e4d7edbd6f2c52a7d0f0f0945140d23b
- SHA512: 9d5c7dcb626c7cdb9ab7bab3d73d144b8494aac1561b2b83237007486f03404bb73e539b6847fa1ec12a04e8c5448eaaa346c4d3137b2614416a95337ca081b4
Malware Config
Extracted: snakekeylogger
- Protocol: smtp
- Host: mail.privateemail.com
- Port: 587
- Username: [email protected]
- Password: success21
Extracted: vjw0rm
- C2: http://myroyailrubin2019.duia.ro:7974
Signatures
- Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger Payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\newv6.exe | family_snakekeylogger
C:\Users\Admin\AppData\Local\Temp\newv6.exe | family_snakekeylogger
- Blocklisted process makes network request 1 IoCs
Processes:
flow | pid | process
5 | 524 | wscript.exe
- Executes dropped EXE 1 IoCs
Processes:
pid | process
1972 | newv6.exe
- Drops startup file 2 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uRyLhONQMx.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uRyLhONQMx.js | wscript.exe
- Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | newv6.exe
Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | newv6.exe
Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | newv6.exe
- Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\uRyLhONQMx.js\"" | wscript.exe
- Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
9 | freegeoip.app
6 | checkip.dyndns.org
8 | freegeoip.app
- Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
pid | process
1972 | newv6.exe
- Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1972 | newv6.exe
- Suspicious use of WriteProcessMemory 7 IoCs
Processes:
description | pid | process | target process
PID 1672 wrote to memory of 524 | 1672 | wscript.exe | wscript.exe
PID 1672 wrote to memory of 524 | 1672 | wscript.exe | wscript.exe
PID 1672 wrote to memory of 524 | 1672 | wscript.exe | wscript.exe
PID 1672 wrote to memory of 1972 | 1672 | wscript.exe | newv6.exe
PID 1672 wrote to memory of 1972 | 1672 | wscript.exe | newv6.exe
PID 1672 wrote to memory of 1972 | 1672 | wscript.exe | newv6.exe
PID 1672 wrote to memory of 1972 | 1672 | wscript.exe | newv6.exe
- outlook_office_path 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | newv6.exe
- outlook_win_path 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | newv6.exe
Processes
- C:\Windows\system32\wscript.exe (tree depth 1)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\PO2491039385.js
  Signatures:
  - Suspicious use of WriteProcessMemory
- C:\Windows\System32\wscript.exe (tree depth 2, child of the above)
  Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\uRyLhONQMx.js"
  Signatures:
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
- C:\Users\Admin\AppData\Local\Temp\newv6.exe (tree depth 2, child of the first wscript.exe)
  Command line: "C:\Users\Admin\AppData\Local\Temp\newv6.exe"
  Signatures:
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\newv6.exe
  MD5: 3f8ba3a594b42de92457cb6cf140849c
  SHA1: c32f9fefb03d2cb5cd47c5a8b992255313c0a864
  SHA256: 6fc2cda350ed361c877fe0d05b67254e24129f3e5ad158ead1f6ab8c7c3e8897
  SHA512: 9b9d34817614a1ac7b2aad8b356dc0308f9f4639e0a1dbeac46e856d2a7a4d98e2adf1423d9846472a13d513620b21788a4082faeb00dbca45b680ace401983f
- C:\Users\Admin\AppData\Roaming\uRyLhONQMx.js
  MD5: 231e48b2a15b610eb96c574fb3584531
  SHA1: 5249109df277e52ab753d86a7f66caa64190a8a0
  SHA256: 4a626ec97945e8fa02815b7faa4d78ed6e6f51934e71623917490672e5892be7
  SHA512: b2e58561307176a61d2c9a5ceb8f335198a09ac02597bde7436b4bb803234364403c654aa9c335bd1044534ba23f236705a708d2b6726af5b0addf4ccb8fbb5f
- memory/524-56-0x0000000000000000-mapping.dmp
- memory/1672-55-0x000007FEFC031000-0x000007FEFC033000-memory.dmp
  Filesize: 8KB
- memory/1972-58-0x0000000000000000-mapping.dmp
- memory/1972-61-0x0000000001060000-0x0000000001061000-memory.dmp
  Filesize: 4KB
- memory/1972-63-0x0000000004D90000-0x0000000004D91000-memory.dmp
  Filesize: 4KB