Analysis
- max time kernel: 149s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 16-06-2022 06:39
Static task: static1
Behavioral task: behavioral1
- Sample: AWB15062022.js
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: AWB15062022.js
- Resource: win10v2004-20220414-en
General
- Target: AWB15062022.js
- Size: 512KB
- MD5: 7e151e208de35b5a41db278b3cf0c5b3
- SHA1: 65f43e422b7eb98d7ec4ba37b259d05c1a2d8f4b
- SHA256: c5c7f846d0827315b9b120e873703cf986109ddffc986387fc66e32e6c0e5534
- SHA512: 04b1d02fb14ec2c8011e4fc42e53cead12d6acddb8fb856b8367fa83ee5d3481898a26020255562133a37f8d7c6a232b20247b980f84310dbd105a23788d6dd4
Malware Config
Extracted
- Family: snakekeylogger
- URL: https://api.telegram.org/bot5391573401:AAGU5n0aN7puxUq5oVT1MVi83gk5owTXei0/sendMessage?chat_id=1962160861
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger Payload (3 IoCs)
  Resource and matching yara_rule:
  - C:\Users\Admin\AppData\Local\Tempwinlogon.exe: family_snakekeylogger
  - C:\Users\Admin\AppData\Local\Tempwinlogon.exe: family_snakekeylogger
  - behavioral1/memory/1800-64-0x0000000000AB0000-0x0000000000AD4000-memory.dmp: family_snakekeylogger
- Blocklisted process makes network request (15 IoCs)
  Process: wscript.exe (PID 940); flows 5, 8, 9, 11, 13, 14, 16, 17, 18, 20, 21, 22, 24, 25, 26
- Executes dropped EXE (1 IoCs)
  Process: Tempwinlogon.exe (PID 1800)
- Drops startup file (2 IoCs)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QKNyvYIQHA.js (wscript.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QKNyvYIQHA.js (wscript.exe)
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Keys opened by Tempwinlogon.exe:
  - \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Adds Run key to start application (2 TTPs, 2 IoCs)
  - Key created: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\QKNyvYIQHA.js\"" (wscript.exe)
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  - flow 6: checkip.dyndns.org
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Process: Tempwinlogon.exe (PID 1800)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Token: SeDebugPrivilege, Tempwinlogon.exe (PID 1800)
- Suspicious use of WriteProcessMemory (10 IoCs)
  - PID 1504 (wscript.exe) wrote to memory of PID 940 (wscript.exe), 3 times
  - PID 1504 (wscript.exe) wrote to memory of PID 1052 (wscript.exe), 3 times
  - PID 1052 (wscript.exe) wrote to memory of PID 1800 (Tempwinlogon.exe), 4 times
- outlook_office_path (1 IoCs)
  Key opened by Tempwinlogon.exe: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- outlook_win_path (1 IoCs)
  Key opened by Tempwinlogon.exe: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
- C:\Windows\system32\wscript.exe (PID 1504)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\AWB15062022.js
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe (PID 940)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\QKNyvYIQHA.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Windows\System32\wscript.exe (PID 1052)
    Command line: "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\AWB15062022.vbs"
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Tempwinlogon.exe (PID 1800)
      Command line: "C:\Users\Admin\AppData\Local\Tempwinlogon.exe"
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path