Analysis
- max time kernel: 149s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 16-06-2022 06:01

Static task: static1

Behavioral task: behavioral1
- Sample: Documents for your perusal.js
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: Documents for your perusal.js
- Resource: win10v2004-20220414-en
General
- Target: Documents for your perusal.js
- Size: 290KB
- MD5: aea6c9f795a0d2d9b3c04607264089db
- SHA1: 12a0f096bb384a03a948d81ac40bf8acc5a51549
- SHA256: b4c23e9ce7984024ba96876bdb1b68b13b41ca70f77efab5e157c8ce130edd39
- SHA512: 83201ec2c617e24edaccd3c9cde0486187ca0880bbea8fba95974ef386275d52c33564571d3f231e6ea750be33bc60c12fac2f0a9927f613f9a09e4224625338
Malware Config
Extracted: snakekeylogger
- Protocol: smtp
- Host: mail.theroyalreception.com
- Port: 587
- Username: [email protected]
- Password: computer@147
- Email To: [email protected]
- Telegram API endpoint: https://api.telegram.org/bot5463029534:AAGQ1do_-JYjhQ1yKKugHhT9LGbrpA7291Y/sendMessage?chat_id=1604450602
Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.

Snake Keylogger Payload (3 IoCs)
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\Documents for your perusal.exe | family_snakekeylogger
C:\Users\Admin\AppData\Local\Temp\Documents for your perusal.exe | family_snakekeylogger
behavioral1/memory/1248-61-0x0000000000910000-0x0000000000936000-memory.dmp | family_snakekeylogger
Blocklisted process makes network request (13 IoCs)
flow | pid | process
5 | 1616 | wscript.exe
8 | 1616 | wscript.exe
9 | 1616 | wscript.exe
12 | 1616 | wscript.exe
13 | 1616 | wscript.exe
14 | 1616 | wscript.exe
16 | 1616 | wscript.exe
17 | 1616 | wscript.exe
18 | 1616 | wscript.exe
20 | 1616 | wscript.exe
21 | 1616 | wscript.exe
22 | 1616 | wscript.exe
24 | 1616 | wscript.exe
Executes dropped EXE (1 IoC)
pid | process
1248 | Documents for your perusal.exe
Drops startup file (2 IoCs)
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lqJNbTkidY.js | wscript.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lqJNbTkidY.js | wscript.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Documents for your perusal.exe
Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Documents for your perusal.exe
Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Documents for your perusal.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\lqJNbTkidY.js\"" | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
6 | checkip.dyndns.org
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature says "likely ransomware behaviour"; the sample in this report is classified as Snake Keylogger, an infostealer, so treat this signature as supporting context rather than as a ransomware indicator.
Suspicious behavior: EnumeratesProcesses (1 IoC)
pid | process
1248 | Documents for your perusal.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | process
Token: SeDebugPrivilege | 1248 | Documents for your perusal.exe
Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | process | target process
PID 2016 wrote to memory of 1616 | 2016 | wscript.exe | wscript.exe
PID 2016 wrote to memory of 1616 | 2016 | wscript.exe | wscript.exe
PID 2016 wrote to memory of 1616 | 2016 | wscript.exe | wscript.exe
PID 2016 wrote to memory of 1248 | 2016 | wscript.exe | Documents for your perusal.exe
PID 2016 wrote to memory of 1248 | 2016 | wscript.exe | Documents for your perusal.exe
PID 2016 wrote to memory of 1248 | 2016 | wscript.exe | Documents for your perusal.exe
PID 2016 wrote to memory of 1248 | 2016 | wscript.exe | Documents for your perusal.exe
outlook_office_path (1 IoC)
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Documents for your perusal.exe

outlook_win_path (1 IoC)
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Documents for your perusal.exe
Processes

C:\Windows\system32\wscript.exe (PID 2016)
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Documents for your perusal.js"
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\wscript.exe (PID 1616, child of 2016)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\lqJNbTkidY.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application

  C:\Users\Admin\AppData\Local\Temp\Documents for your perusal.exe (PID 1248, child of 2016)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Documents for your perusal.exe"
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
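The chain recorded above (wscript.exe re-launching itself with //B on a script copied to AppData\Roaming, a Run value and a Startup-folder file both pointing at lqJNbTkidY.js, wscript.exe spawning the dropped EXE from Temp, and the checkip.dyndns.org lookup) maps directly onto host telemetry. The Python below is an added example, not part of the sandbox report or of any Snake Keylogger tooling: it runs simple correlation rules over Sysmon-style events that are constructed here to mirror the report's process tree and IoCs. The parent of PID 2016 (explorer.exe), the benign control process (PID 3000), and the SMTP connection to mail.theroyalreception.com on port 587 (taken from the extracted config; the run above does not show it) are assumptions. The rules generalise slightly beyond the page, covering .vbs/.wsf/.jse scripts and cscript.exe as well as the .js and wscript.exe seen here.

```python
"""Detection rules for the wscript.exe -> Snake Keylogger chain in this report.

Added example, not part of the sandbox report. The events are CONSTRUCTED
Sysmon-style records (EventID 1 process create, 3 network connect, 11 file
create, 13 registry set, 22 DNS query) modelled on the report's process tree,
Run key, Startup-folder drop, checkip.dyndns.org lookup and extracted config.
"""
import re

SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 2016, "Image": r"C:\Windows\system32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\Admin\AppData\Local\Temp\Documents for your perusal.js"',
     "ParentImage": r"C:\Windows\explorer.exe"},  # parent assumed, not in the report
    {"EventID": 1, "ProcessId": 1616, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\lqJNbTkidY.js"',
     "ParentImage": r"C:\Windows\system32\wscript.exe"},
    {"EventID": 13, "ProcessId": 1616, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKU\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ",
     "Details": r'"C:\Users\Admin\AppData\Roaming\lqJNbTkidY.js"'},
    {"EventID": 11, "ProcessId": 1616, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lqJNbTkidY.js"},
    {"EventID": 1, "ProcessId": 1248, "Image": r"C:\Users\Admin\AppData\Local\Temp\Documents for your perusal.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\Documents for your perusal.exe"',
     "ParentImage": r"C:\Windows\system32\wscript.exe"},
    {"EventID": 22, "ProcessId": 1248, "Image": r"C:\Users\Admin\AppData\Local\Temp\Documents for your perusal.exe",
     "QueryName": "checkip.dyndns.org"},
    {"EventID": 3, "ProcessId": 1248, "Image": r"C:\Users\Admin\AppData\Local\Temp\Documents for your perusal.exe",
     "DestinationHostname": "mail.theroyalreception.com", "DestinationPort": 587},  # assumed from config
    # Constructed benign control: a user runs a script from Documents; no persistence, no egress.
    {"EventID": 1, "ProcessId": 3000, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\Admin\Documents\report.js"',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # allowlist for the SMTP rule; extend per estate
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf|wsh)\b", re.I)
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
IP_LOOKUP_HOSTS = {"checkip.dyndns.org"}
SMTP_PORTS = {25, 465, 587}


def image_name(path):
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, severity) tuples for every event that matches a rule."""
    findings = []
    for e in events:
        eid, pid, img = e["EventID"], e["ProcessId"], image_name(e.get("Image", ""))
        if eid == 1:
            cmd, parent = e.get("CommandLine", ""), image_name(e.get("ParentImage", ""))
            # Script host running a script from a user-writable profile directory.
            # //B (batch mode) suppresses script errors and prompts, as in PID 1616 above.
            if img in SCRIPT_HOSTS and SCRIPT_EXT.search(cmd) and USER_WRITABLE.search(cmd):
                findings.append(("script_host_from_appdata", pid, "high" if "//b" in cmd.lower() else "medium"))
            # Script host re-launching a script host (the 2016 -> 1616 hop).
            if parent in SCRIPT_HOSTS and img in SCRIPT_HOSTS:
                findings.append(("script_host_relaunch", pid, "medium"))
            # Script host spawning a non-script executable (the 2016 -> 1248 hop, a dropped EXE in Temp).
            if parent in SCRIPT_HOSTS and img not in SCRIPT_HOSTS and img.endswith(".exe"):
                findings.append(("script_host_spawns_exe", pid, "high"))
        elif eid == 11:
            target = e.get("TargetFilename", "")
            if STARTUP_DIR.search(target) and SCRIPT_EXT.search(target):
                findings.append(("startup_folder_script", pid, "high"))
        elif eid == 13:
            if RUN_KEY.search(e.get("TargetObject", "")) and SCRIPT_EXT.search(e.get("Details", "")):
                findings.append(("run_key_points_to_script", pid, "high"))
        elif eid == 22:
            # Legitimate service, so weak on its own; useful once correlated by PID with the rules above.
            if e.get("QueryName", "").lower() in IP_LOOKUP_HOSTS:
                findings.append(("external_ip_lookup", pid, "low"))
        elif eid == 3:
            if e.get("DestinationPort") in SMTP_PORTS and img not in MAIL_CLIENTS:
                findings.append(("smtp_from_non_mail_client", pid, "high"))
    return findings


def pids_by_severity(findings, severity="high"):
    """PIDs with at least one finding at the given severity; these are the containment candidates."""
    return {pid for _, pid, sev in findings if sev == severity}


if __name__ == "__main__":
    results = detect(SAMPLE_EVENTS)
    for rule, pid, sev in results:
        print(f"{sev:6} pid={pid:<5} {rule}")
    print("high-severity PIDs:", sorted(pids_by_severity(results)))
```

On the constructed events the rules fire on PIDs 2016, 1616 and 1248 and stay silent on the control process, with 1616 (persistence) and 1248 (dropped EXE plus egress) as the high-severity set. The Run-key and Startup-folder rules are the durable ones: the random value name (YVBPFHTJIQ) and file name (lqJNbTkidY.js) will change between samples, but a Run value or Startup entry that resolves to a script file rarely has a legitimate origin on a workstation.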
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\Documents for your perusal.exe
- Filesize: 126KB
- MD5: af90c0480c35c4e2aeb47e16794da0ee
- SHA1: 916ce4839b204a9da2905ce4ac83c2cd04f983a0
- SHA256: 036915c768b87a03cb7133a3099ceaf9172fe11d49345bf8a4efe7583f35e586
- SHA512: aa1ee2015c874c06af0d759924dcb65e8d68a4112d89efebf88afd6ff7ba324b6982cc599affd7506d56288993b940bb07a626fb0b14b63d8e7e3ad584764d9c

C:\Users\Admin\AppData\Local\Temp\Documents for your perusal.exe
- Filesize: 126KB
- MD5: af90c0480c35c4e2aeb47e16794da0ee
- SHA1: 916ce4839b204a9da2905ce4ac83c2cd04f983a0
- SHA256: 036915c768b87a03cb7133a3099ceaf9172fe11d49345bf8a4efe7583f35e586
- SHA512: aa1ee2015c874c06af0d759924dcb65e8d68a4112d89efebf88afd6ff7ba324b6982cc599affd7506d56288993b940bb07a626fb0b14b63d8e7e3ad584764d9c

C:\Users\Admin\AppData\Roaming\lqJNbTkidY.js
- Filesize: 24KB
- MD5: acb8a6b6b7572ea81759a59fc9f3dfbd
- SHA1: daf92ab556c9f9c19605c128ff16222fd77ac491
- SHA256: e523e1d6b4f5480535791c7eed1764cc84b2ad631b396a834b21ab38680e6bf9
- SHA512: 96c85c9d0372b1817e81e4553cf40d43f8e393936e69f76f3a0d2fb7d85a1162e701f49f2a7f8e6b782ddff4be8b166cf4a3e305476ae96f42bcc81a8058422c

memory/1248-57-0x0000000000000000-mapping.dmp

memory/1248-61-0x0000000000910000-0x0000000000936000-memory.dmp
- Filesize: 152KB

memory/1248-62-0x0000000075191000-0x0000000075193000-memory.dmp
- Filesize: 8KB

memory/1616-55-0x0000000000000000-mapping.dmp

memory/2016-54-0x000007FEFBCA1000-0x000007FEFBCA3000-memory.dmp
- Filesize: 8KB