Analysis
- max time kernel: 111s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 22-05-2022 05:31
Static task: static1
Behavioral task: behavioral1
- Sample: IMG_25579.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: IMG_25579.exe
- Resource: win10v2004-20220414-en
General
- Target: IMG_25579.exe
- Size: 1.4MB
- MD5: 5ab98f94682ec463f48cada8b9811055
- SHA1: 550fc889de33b94a63dfaf1138bcc54be489f767
- SHA256: b1c89b167239238aea8a718d40751a1233ab4b9479b19e6feb86ed5a4c9aec20
- SHA512: e3e4ed794ebf4bf3e246eab58699df4b822fdea5cab238b1a838c09b2d596a5228db934e631a843010df618e42524a32e7d4b750d536c9f20c827b78d71b87c6
Malware Config
Extracted: snakekeylogger
- Protocol: smtp
- Host: server255.web-hosting.com
- Port: 587
- Username: next@janryone.xyz
- Password: Gm3v,2bov]gn
This is the exfiltration configuration embedded in the sample: collected data is mailed out over SMTP (submission port 587) using the mailbox credentials above. The host, the sender address and the credentials are the network-side indicators to hunt for.
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Executes dropped EXE (2 IoCs)
  Processes:
    pid   process
    3656  bsys.exe
    1572  InstallUtil.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    IMG_25579.exe: Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation
- Drops startup file (1 IoC)
  Processes:
    IMG_25579.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bsys.lnk
  Anything in the user's Startup folder runs at each logon. bsys.exe itself is dropped to C:\Users\Admin\ and carries the same hashes as the submitted sample (see Downloads), so the dropper is persisting a copy of itself.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, which infostealers often target.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes:
    InstallUtil.exe: Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    InstallUtil.exe: Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    InstallUtil.exe: Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flows:
    flow  ioc
    20    checkip.dyndns.org
    23    freegeoip.app
    24    freegeoip.app
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    pid   process   target pid  target process
    3656  bsys.exe  1572        InstallUtil.exe   (set thread context)
  Together with the eight WriteProcessMemory events from 3656 into 1572 listed below, this is the write-the-image-then-redirect-the-thread sequence typical of process hollowing, which is why the Outlook profile reads are attributed to InstallUtil.exe rather than to the dropper.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  That second sentence is the sandbox's generic description of this signature. The sample is classified above as Snake Keylogger, an infostealer, and nothing else in this report points to ransomware, so drive enumeration here is not by itself evidence of encryption activity.
- Program crash (1 IoC)
  Processes:
    pid   process       target pid  target process
    3840  WerFault.exe  1572        InstallUtil.exe
- Suspicious behavior: EnumeratesProcesses (34 IoCs)
  Processes:
    pid   process          events
    4588  IMG_25579.exe    25
    3656  bsys.exe         2
    1572  InstallUtil.exe  7
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  4588  IMG_25579.exe
    Token: SeDebugPrivilege  3656  bsys.exe
    Token: SeDebugPrivilege  1572  InstallUtil.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    pid   process        target pid  target process   events
    4588  IMG_25579.exe  3656        bsys.exe         3 (wrote to memory of)
    3656  bsys.exe       1572        InstallUtil.exe  8 (wrote to memory of)
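The WriteProcessMemory and SetThreadContext events recorded above, plus the memory dump sizes listed under Downloads, are enough to reconstruct the injection chain mechanically rather than by eye. The Python below is an added example, not part of the sandbox report or of the sandbox vendor's tooling. It takes the report's event strings as constructed input (one event per list element; the report prints them run together), follows the cross-process writes from the root process to the final target, flags the child that received both memory writes and a thread-context change from the same parent, and applies a size heuristic: the InstallUtil.exe dropped to Temp is 41KB, but the region mapped at 0x400000 in PID 1572 is 416KB. The 41*1024-byte file size, the 2x ratio threshold and the one-writer-one-target chain assumption are mine, not values from the report.

```python
"""Reconstruct a process-hollowing chain from flattened sandbox signature events."""
import re
from collections import Counter

# Constructed input: the event entries from this report's WriteProcessMemory and
# SetThreadContext signatures, one per list element.
WRITE_EVENTS = (
    ["PID 4588 wrote to memory of 3656 4588 IMG_25579.exe bsys.exe"] * 3
    + ["PID 3656 wrote to memory of 1572 3656 bsys.exe InstallUtil.exe"] * 8
)
CONTEXT_EVENTS = ["PID 3656 set thread context of 1572 3656 bsys.exe InstallUtil.exe"]

# Dump name as listed in the report: memory/<pid>-<seq>-<start>-<end>-memory.dmp
TARGET_IMAGE_DUMP = "memory/1572-137-0x0000000000400000-0x0000000000468000-memory.dmp"
TARGET_ON_DISK_BYTES = 41 * 1024  # assumption: the report's "41KB" read as KiB

_EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<verb>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<src_name>\S+) (?P<dst_name>\S+)"
)
_DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-\d+-(?P<start>0x[0-9a-fA-F]+)-(?P<end>0x[0-9a-fA-F]+)-memory\.dmp"
)


def parse_events(lines):
    """Turn event strings into (src_pid, dst_pid, src_name, dst_name, verb) tuples."""
    out = []
    for line in lines:
        m = _EVENT_RE.search(line)
        if m:
            out.append((int(m["src"]), int(m["dst"]), m["src_name"], m["dst_name"], m["verb"]))
    return out


def injection_chain(write_lines):
    """Follow cross-process writes from the root writer down to the last target.

    Assumes each writer targets a single child, which holds for this report.
    """
    edges, names, dsts = {}, {}, set()
    for src, dst, src_name, dst_name, _ in parse_events(write_lines):
        edges[src] = dst
        names[src], names[dst] = src_name, dst_name
        dsts.add(dst)
    roots = [p for p in edges if p not in dsts]
    if len(roots) != 1:
        raise ValueError("expected exactly one root writer, got %r" % roots)
    pid = roots[0]
    chain = [f"{names[pid]}({pid})"]
    while pid in edges:
        pid = edges[pid]
        chain.append(f"{names[pid]}({pid})")
    return " -> ".join(chain)


def find_hollowing(write_lines, ctx_lines):
    """Flag (parent, child) pairs with both memory writes and a SetThreadContext.

    WriteProcessMemory alone is noisy (debuggers, some installers); paired with
    SetThreadContext on the same child it is the hollowing sequence: spawn the
    host suspended, overwrite its image, repoint the main thread, resume.
    """
    writes = Counter((s, d) for s, d, *_ in parse_events(write_lines))
    names = {}
    for s, d, sn, dn, _ in parse_events(write_lines) + parse_events(ctx_lines):
        names[s], names[d] = sn, dn
    hits = []
    for s, d, *_ in parse_events(ctx_lines):
        if writes.get((s, d)):
            hits.append({"source": names[s], "source_pid": s,
                         "target": names[d], "target_pid": d, "writes": writes[(s, d)]})
    return hits


def dump_region_size(dump_name):
    """Size in bytes of a dumped region, taken from the report's dump filename."""
    m = _DUMP_RE.fullmatch(dump_name)
    if not m:
        raise ValueError("unrecognised dump name: " + dump_name)
    return int(m["end"], 16) - int(m["start"], 16)


def image_replaced(dump_name, on_disk_bytes, factor=2.0):
    """Heuristic: a mapped image several times larger than the PE on disk was replaced.

    Section alignment makes a mapped PE somewhat bigger than its file, not ten
    times bigger. The factor is an assumption, not a documented threshold.
    """
    ratio = dump_region_size(dump_name) / on_disk_bytes
    return ratio >= factor, round(ratio, 1)


if __name__ == "__main__":
    print(injection_chain(WRITE_EVENTS))
    for hit in find_hollowing(WRITE_EVENTS, CONTEXT_EVENTS):
        print("hollowing candidate:", hit)
    print("image replaced:", image_replaced(TARGET_IMAGE_DUMP, TARGET_ON_DISK_BYTES))
```

Run as-is it prints the chain IMG_25579.exe(4588) -> bsys.exe(3656) -> InstallUtil.exe(1572), a single hollowing candidate (bsys.exe into InstallUtil.exe, eight writes) and a size ratio of about 10, so the 416KB dump of PID 1572 at 0x400000, not the 41KB file on disk, is the payload to analyse. The same parsing works on any report that prints events in this "PID x wrote to memory of y" form.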
- outlook_office_path (1 IoC)
  Processes:
    InstallUtil.exe: Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- outlook_win_path (1 IoC)
  Processes:
    InstallUtil.exe: Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
- C:\Users\Admin\AppData\Local\Temp\IMG_25579.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\IMG_25579.exe"
  - Checks computer location settings
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\bsys.exe
    Command line: "C:\Users\Admin\bsys.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 1800
        - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1572 -ip 1572
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
  Filesize: 41KB
  MD5: 5d4073b2eb6d217c19f2b22f21bf8d57
  SHA1: f0209900fbf08d004b886a0b3ba33ea2b0bf9da8
  SHA256: ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3
  SHA512: 9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159
- C:\Users\Admin\bsys.exe
  Filesize: 1.4MB
  MD5: 5ab98f94682ec463f48cada8b9811055
  SHA1: 550fc889de33b94a63dfaf1138bcc54be489f767
  SHA256: b1c89b167239238aea8a718d40751a1233ab4b9479b19e6feb86ed5a4c9aec20
  SHA512: e3e4ed794ebf4bf3e246eab58699df4b822fdea5cab238b1a838c09b2d596a5228db934e631a843010df618e42524a32e7d4b750d536c9f20c827b78d71b87c6
  All four hashes match the submitted IMG_25579.exe: bsys.exe is a byte-for-byte copy of the dropper placed in the user profile, with the Startup shortcut bsys.lnk dropped alongside it for persistence. Blocking the sample's hash therefore covers the persisted copy as well.
- memory/1572-136-0x0000000000000000-mapping.dmp
- memory/1572-137-0x0000000000400000-0x0000000000468000-memory.dmp (416KB)
  0x400000 is the conventional image base of a 32-bit executable, so this is the mapped image of InstallUtil.exe (PID 1572). The file dropped to Temp is 41KB; a 416KB image in its place, after bsys.exe wrote into this process and set its thread context, is consistent with the original image having been replaced by the injected payload. This dump, not the on-disk InstallUtil.exe, is the one to analyse.
- memory/1572-140-0x0000000005EE0000-0x0000000006484000-memory.dmp (5.6MB)
- memory/1572-141-0x0000000006C80000-0x0000000006E42000-memory.dmp (1.8MB)
- memory/3656-133-0x0000000000000000-mapping.dmp
- memory/4588-130-0x00000000002A0000-0x0000000000410000-memory.dmp (1.4MB)
- memory/4588-131-0x0000000004D70000-0x0000000004E0C000-memory.dmp (624KB)
- memory/4588-132-0x0000000007760000-0x00000000077F2000-memory.dmp (584KB)