Analysis

Max time kernel: 154s
Max time network: 157s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 16-06-2022 06:01

Static task: static1

Behavioral task: behavioral1
Sample: Documents for your perusal.js
Resource: win7-20220414-en

Behavioral task: behavioral2
Sample: Documents for your perusal.js
Resource: win10v2004-20220414-en
General

Target: Documents for your perusal.js
Size: 290KB
MD5: aea6c9f795a0d2d9b3c04607264089db
SHA1: 12a0f096bb384a03a948d81ac40bf8acc5a51549
SHA256: b4c23e9ce7984024ba96876bdb1b68b13b41ca70f77efab5e157c8ce130edd39
SHA512: 83201ec2c617e24edaccd3c9cde0486187ca0880bbea8fba95974ef386275d52c33564571d3f231e6ea750be33bc60c12fac2f0a9927f613f9a09e4224625338
Malware Config

Extracted: snakekeylogger
Protocol: smtp
Host: mail.theroyalreception.com
Port: 587
Username: [email protected]
Password: computer@147
Email To: [email protected]
Telegram Bot API URL: https://api.telegram.org/bot5463029534:AAGQ1do_-JYjhQ1yKKugHhT9LGbrpA7291Y/sendMessage?chat_id=1604450602

Both the SMTP mailbox and the Telegram bot are the attacker's exfiltration channels as recovered from the sample. The mail host, port 587 submission, the sender mailbox and the bot token/chat_id are the network indicators to block and hunt for; the credentials are attacker-controlled and are listed here only as indicators.
Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.

Snake Keylogger Payload (3 IoCs)
Matches (resource -> yara_rule):
C:\Users\Admin\AppData\Local\Temp\Documents for your perusal.exe -> family_snakekeylogger
C:\Users\Admin\AppData\Local\Temp\Documents for your perusal.exe -> family_snakekeylogger
behavioral2/memory/2056-135-0x0000000000010000-0x0000000000036000-memory.dmp -> family_snakekeylogger
Blocklisted process makes network request (9 IoCs)
flow  pid   process
6     1848  wscript.exe
23    1848  wscript.exe
25    1848  wscript.exe
30    1848  wscript.exe
38    1848  wscript.exe
56    1848  wscript.exe
57    1848  wscript.exe
63    1848  wscript.exe
70    1848  wscript.exe
Executes dropped EXE (1 IoC)
pid   process
2056  Documents for your perusal.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence. The Nation value under Control Panel\International\Geo holds the user's configured GEOID; commodity stealers read it to skip execution in selected countries.
description        ioc                                                                                          process
Key value queried  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation  wscript.exe
Drops startup file (2 IoCs)
description                   ioc                                                                                         process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lqJNbTkidY.js  wscript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lqJNbTkidY.js  wscript.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description      ioc                                                                                                               process
Key created      \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run        wscript.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\lqJNbTkidY.js\""  wscript.exe
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
8     checkip.dyndns.org
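The extracted config (SMTP submission on port 587 and a Telegram Bot API sendMessage URL) together with the checkip.dyndns.org lookup above give three network indicators worth turning into detection logic. The Python below is an added example, not part of the Triage report or of the malware; it classifies constructed connection records modelled on the report's flows from PID 1848. The two extra IP-lookup hosts, the field names, and the two benign control records are assumptions for illustration. The bot secret is deliberately parsed but not copied into the finding, so alerts do not spread the token further.

```python
"""Classify outbound connections against the exfiltration channels used by this sample."""
import re
from urllib.parse import parse_qs, urlsplit

# checkip.dyndns.org is the host seen in the report; the other two are assumed
# additions, public "what is my IP" services abused the same way.
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "api.ipify.org", "icanhazip.com"}

# Script hosts and LOLBins that have no business speaking SMTP.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}

SMTP_PORTS = {25, 465, 587}

# Telegram Bot API path shape: /bot<bot_id>:<secret>/<method>
TELEGRAM_BOT_PATH = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)$"
)


def classify_network_event(event):
    """Return a list of (tag, detail) findings for one connection record.

    event keys (assumed schema): process, pid, dst_host, dst_port, optional url.
    """
    findings = []
    process = event["process"].lower()
    host = event["dst_host"].lower()
    port = int(event["dst_port"])

    if host in IP_LOOKUP_HOSTS:
        findings.append(("external-ip-lookup", {"host": host, "pid": event["pid"]}))

    if host == "api.telegram.org" and event.get("url"):
        parts = urlsplit(event["url"])
        m = TELEGRAM_BOT_PATH.match(parts.path)
        if m:
            chat = parse_qs(parts.query).get("chat_id", [None])[0]
            # bot_id and chat_id identify the channel; the secret stays out of the alert.
            findings.append(("telegram-bot-exfil", {
                "bot_id": m.group("bot_id"),
                "method": m.group("method"),
                "chat_id": chat,
                "pid": event["pid"],
            }))

    if port in SMTP_PORTS and process in SCRIPT_HOSTS:
        findings.append(("smtp-from-script-host",
                         {"host": host, "port": port, "pid": event["pid"]}))

    return findings


# Constructed sample records modelled on the report's flows (pid 1848 is the second
# wscript.exe). The last two are benign controls and do not come from the report.
SAMPLE_EVENTS = [
    {"process": "wscript.exe", "pid": 1848, "dst_host": "checkip.dyndns.org", "dst_port": 80},
    {"process": "wscript.exe", "pid": 1848, "dst_host": "api.telegram.org", "dst_port": 443,
     "url": "https://api.telegram.org/bot5463029534:AAGQ1do_-JYjhQ1yKKugHhT9LGbrpA7291Y/"
            "sendMessage?chat_id=1604450602"},
    {"process": "wscript.exe", "pid": 1848, "dst_host": "mail.theroyalreception.com", "dst_port": 587},
    {"process": "outlook.exe", "pid": 4100, "dst_host": "smtp.example.com", "dst_port": 587},
    {"process": "chrome.exe", "pid": 4200, "dst_host": "www.example.com", "dst_port": 443},
]


def triage(events):
    """Run the classifier over a batch and return {pid: sorted list of tags}."""
    hits = {}
    for ev in events:
        for tag, _detail in classify_network_event(ev):
            hits.setdefault(ev["pid"], set()).add(tag)
    return {pid: sorted(tags) for pid, tags in hits.items()}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for tag, detail in classify_network_event(ev):
            print(f"{ev['process']} (pid {ev['pid']}): {tag} {detail}")
```

Running it tags only PID 1848, with all three channels; the Outlook submission on 587 and the browser connection produce no findings. In a real pipeline the SMTP rule would also key on the destination host not being the organisation's own mail relay.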
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The generic signature text describes this as likely ransomware behaviour; in this report it sits next to a Snake Keylogger payload match with no file-encryption indicators, so drive enumeration by an infostealer is the more likely reading.
Program crash (1 IoC)
pid   pid_target  process       target process
5024  2056        WerFault.exe  Documents for your perusal.exe

The dropped payload (PID 2056) crashed and was handled by Windows Error Reporting, so the behaviour recorded for that process in this run may be incomplete.
Suspicious behavior: EnumeratesProcesses (1 IoC)
pid   process
2056  Documents for your perusal.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description              pid   process
Token: SeDebugPrivilege  2056  Documents for your perusal.exe
Suspicious use of WriteProcessMemory (5 IoCs)
pid   process      target pid  target process
3864  wscript.exe  1848        wscript.exe
3864  wscript.exe  1848        wscript.exe
3864  wscript.exe  2056        Documents for your perusal.exe
3864  wscript.exe  2056        Documents for your perusal.exe
3864  wscript.exe  2056        Documents for your perusal.exe

All five writes come from the initial wscript.exe (PID 3864) into the two processes it creates, which matches the process tree below rather than pointing to a separate injection step.
Processes

C:\Windows\system32\wscript.exe  (PID 3864)
  wscript.exe "C:\Users\Admin\AppData\Local\Temp\Documents for your perusal.js"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\wscript.exe  (PID 1848)
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\lqJNbTkidY.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application

  C:\Users\Admin\AppData\Local\Temp\Documents for your perusal.exe  (PID 2056)
    "C:\Users\Admin\AppData\Local\Temp\Documents for your perusal.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe  (PID 5024)
      C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 1576
      - Program crash

C:\Windows\SysWOW64\WerFault.exe  (PID 1504)
  C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2056 -ip 2056

Note: //B runs wscript.exe in batch mode, which suppresses script errors and input prompts, so the persisted copy in AppData\Roaming executes silently. The two SysWOW64 WerFault.exe instances are Windows Error Reporting handling the crash of the 32-bit payload, PID 2056.
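The process tree above, together with the "Drops startup file" and "Adds Run key to start application" entries, describes a pattern that can be hunted for in endpoint telemetry: wscript.exe spawning a second wscript.exe with //B from AppData\Roaming, the same script host launching an .exe from Temp, a Run value pointing at a .js file, and a .js written to the Startup folder. The Python below is an added example, not from the Triage report, that applies those four checks to constructed Sysmon-style events (EID 1 process create, EID 11 file create, EID 13 registry value set) modelled on the report's IoCs. The field names, the HKU\<SID> key form and the benign OneDrive control record are assumptions. The Geo\Nation geofence read is not covered because Sysmon does not log registry value reads.

```python
"""Hunt for the script-host chain and persistence seen in this report over
Sysmon-style events (EID 1 process create, 11 file create, 13 registry set)."""
import re
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}
# Sysmon writes user hives as HKU\<SID>\...; Triage shows \REGISTRY\USER\<SID>\...
RUN_KEY = re.compile(
    r"(?:HKU\\[^\\]+|\\REGISTRY\\USER\\[^\\]+|HKCU)"
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
STARTUP_DIR = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
USER_WRITABLE = re.compile(r"\\(?:AppData|Users\\Public|ProgramData|Windows\\Temp)\\", re.I)
BATCH_FLAG = re.compile(r"(?<!\S)//B(?!\S)", re.I)   # wscript host option, not a script arg


def _exe(path):
    return PureWindowsPath(path).name.lower()


def _quoted_target(value):
    """First token of a Run value or command line, with surrounding quotes stripped."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return value.split(" ", 1)[0]


def check_process_create(ev):
    """EID 1: script host chaining into a script host, or running an exe from a user-writable path."""
    tags = []
    parent, image = _exe(ev["parent_image"]), _exe(ev["image"])
    cmd = ev["command_line"]
    if parent in SCRIPT_HOSTS and image in SCRIPT_HOSTS:
        if BATCH_FLAG.search(cmd) or USER_WRITABLE.search(cmd):
            tags.append("script-host-chain")
    if (parent in SCRIPT_HOSTS and image.endswith(".exe")
            and image not in SCRIPT_HOSTS and USER_WRITABLE.search(ev["image"])):
        tags.append("script-host-runs-dropped-exe")
    return tags


def check_registry_set(ev):
    """EID 13: a Run value whose target is a script file."""
    if RUN_KEY.search(ev["target_object"]):
        target = _quoted_target(ev["details"])
        if PureWindowsPath(target).suffix.lower() in SCRIPT_EXTS:
            return ["run-key-script"]
    return []


def check_file_create(ev):
    """EID 11: a script file written into the per-user Startup folder."""
    path = ev["target_filename"]
    if STARTUP_DIR.search(path) and PureWindowsPath(path).suffix.lower() in SCRIPT_EXTS:
        return ["startup-folder-script"]
    return []


HANDLERS = {1: check_process_create, 11: check_file_create, 13: check_registry_set}


def hunt(events):
    """Return {pid: sorted tags} over a batch of events."""
    out = {}
    for ev in events:
        for tag in HANDLERS[ev["event_id"]](ev):
            out.setdefault(ev["pid"], set()).add(tag)
    return {pid: sorted(t) for pid, t in out.items()}


# Constructed events modelled on the report's IoCs; the OneDrive record is a benign control.
SID = "S-1-5-21-3751123196-3323558407-1869646069-1000"
SAMPLE_EVENTS = [
    {"event_id": 1, "pid": 1848, "parent_image": r"C:\Windows\system32\wscript.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\lqJNbTkidY.js"'},
    {"event_id": 1, "pid": 2056, "parent_image": r"C:\Windows\system32\wscript.exe",
     "image": r"C:\Users\Admin\AppData\Local\Temp\Documents for your perusal.exe",
     "command_line": r'"C:\Users\Admin\AppData\Local\Temp\Documents for your perusal.exe"'},
    {"event_id": 13, "pid": 1848,
     "target_object": "\\REGISTRY\\USER\\" + SID + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\YVBPFHTJIQ",
     "details": r'"C:\Users\Admin\AppData\Roaming\lqJNbTkidY.js"'},
    {"event_id": 11, "pid": 1848,
     "target_filename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lqJNbTkidY.js"},
    {"event_id": 13, "pid": 3000,
     "target_object": "HKU\\" + SID + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for pid, tags in sorted(hunt(SAMPLE_EVENTS).items()):
        print(pid, tags)
```

Over the constructed batch, PID 1848 is tagged for the //B chain, the Run value and the Startup-folder drop, PID 2056 for being an executable launched by a script host from Temp, and the OneDrive Run value is ignored because its target is an .exe rather than a script. The extension check is deliberately narrow; widening SCRIPT_EXTS to .hta or .ps1 is a one-line change if the environment warrants it.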
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\Documents for your perusal.exe
Filesize: 126KB
MD5: af90c0480c35c4e2aeb47e16794da0ee
SHA1: 916ce4839b204a9da2905ce4ac83c2cd04f983a0
SHA256: 036915c768b87a03cb7133a3099ceaf9172fe11d49345bf8a4efe7583f35e586
SHA512: aa1ee2015c874c06af0d759924dcb65e8d68a4112d89efebf88afd6ff7ba324b6982cc599affd7506d56288993b940bb07a626fb0b14b63d8e7e3ad584764d9c
C:\Users\Admin\AppData\Roaming\lqJNbTkidY.js
Filesize: 24KB
MD5: acb8a6b6b7572ea81759a59fc9f3dfbd
SHA1: daf92ab556c9f9c19605c128ff16222fd77ac491
SHA256: e523e1d6b4f5480535791c7eed1764cc84b2ad631b396a834b21ab38680e6bf9
SHA512: 96c85c9d0372b1817e81e4553cf40d43f8e393936e69f76f3a0d2fb7d85a1162e701f49f2a7f8e6b782ddff4be8b166cf4a3e305476ae96f42bcc81a8058422c

memory/1848-130-0x0000000000000000-mapping.dmp
memory/2056-132-0x0000000000000000-mapping.dmp
memory/2056-135-0x0000000000010000-0x0000000000036000-memory.dmp (Filesize: 152KB)
memory/2056-136-0x0000000004F70000-0x0000000005514000-memory.dmp (Filesize: 5.6MB)
memory/2056-137-0x0000000004A60000-0x0000000004AFC000-memory.dmp (Filesize: 624KB)