Analysis
- max time kernel: 91s
- max time network: 121s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 02-07-2022 13:10

Static task: static1

Behavioral task: behavioral1
- Sample: tmp.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: tmp.exe
- Resource: win10v2004-20220414-en
General
- Target: tmp.exe
- Size: 433KB
- MD5: a359ed6ff4218c76aedfbc4e7bf21f8e
- SHA1: 348741f5e4239294319343588bb782f253ab654d
- SHA256: a5f3c49331caf70461e36db7db7dc0d6ebeb8dcfc06a5d5a747681fb75ae9a50
- SHA512: 4fbc20666bd5202a50ee04efed6afaddfb5c93d39d65b26d51987fd84b745102718f674252e7477301d637db2ffaefcfc920b0420cad9aaebb3ce080247f4730
Malware Config
Extracted: snakekeylogger
- Protocol: smtp
- Host: cp5ua.hyperhost.ua
- Port: 587
- Username: wealthlog@saonline.xyz
- Password: 7213575aceACE@#$
- Email To: wealth@saonline.xyz
- Telegram endpoint: https://api.telegram.org/bot5321688653:AAEI2yqGrOA_-sRZ3xaqutrexraSgFa0AnA/sendMessage?chat_id=5048077662
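The extracted config above is the part of this report a responder acts on: the SMTP exfiltration account and the Telegram bot are the attacker's channels. The following is an added example, not part of the sandbox report or of any Triage tooling; it parses the flattened "Protocol: smtp- Host: ..." block as it appears on this page (CONFIG is a constructed copy with the same values) and splits the Telegram URL into the bot id, token, API method and chat id so they can be recorded as separate indicators.

```python
"""Parse the report's 'Extracted' config into structured indicators (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed copy of the report's Extracted block (same values, same flattened layout).
CONFIG = """Protocol: smtp- Host:
cp5ua.hyperhost.ua - Port:
587 - Username:
wealthlog@saonline.xyz - Password:
7213575aceACE@#$ - Email To:
wealth@saonline.xyz
https://api.telegram.org/bot5321688653:AAEI2yqGrOA_-sRZ3xaqutrexraSgFa0AnA/sendMessage?chat_id=5048077662
"""

FIELDS = ("Protocol", "Host", "Port", "Username", "Password", "Email To")
_ALT = "|".join(FIELDS)
# "<Field>: <value>" pairs separated by " - "; a value ends where the next field, a URL, or the text ends.
_FIELD_RE = re.compile(r"(%s):\s*(.*?)\s*-?\s*(?=(?:%s):|https?://|$)" % (_ALT, _ALT))


def parse_telegram(url):
    """Split a Bot API URL into bot id, token, method and chat_id; None if it is not one."""
    parts = urlsplit(url)
    m = re.fullmatch(r"/bot(\d+:[A-Za-z0-9_-]+)/(\w+)", parts.path)
    if parts.netloc != "api.telegram.org" or not m:
        return None
    token, method = m.groups()
    bot_id = token.split(":", 1)[0]
    return {
        "bot_id": int(bot_id),
        "token": token,
        # Bot tokens are "<numeric bot id>:<35-char secret>"; anything else usually means truncation.
        "token_well_formed": bool(re.fullmatch(r"\d+:[A-Za-z0-9_-]{35}", token)),
        "method": method,
        "chat_id": parse_qs(parts.query).get("chat_id", [None])[0],
    }


def parse_config(text):
    """Flatten the multi-line block, then pull the key/value pairs and the trailing URL."""
    flat = " ".join(text.split())
    cfg = {k.lower().replace(" ", "_"): v for k, v in _FIELD_RE.findall(flat)}
    cfg["port"] = int(cfg["port"])
    url = re.search(r"https?://\S+", flat)
    cfg["telegram"] = parse_telegram(url.group(0)) if url else None
    return cfg


def indicators(cfg):
    """The pieces a blocklist, mail filter or hunt query would key on."""
    out = [
        ("network", f"{cfg['protocol']}://{cfg['host']}:{cfg['port']}"),
        ("email-sender", cfg["username"]),
        ("email-recipient", cfg["email_to"]),
    ]
    tg = cfg.get("telegram")
    if tg:
        # api.telegram.org is shared with legitimate traffic; the bot token and chat are the distinguishing values.
        out.append(("telegram-bot", tg["token"]))
        out.append(("telegram-chat", tg["chat_id"]))
    return out


if __name__ == "__main__":
    for kind, value in indicators(parse_config(CONFIG)):
        print(f"{kind:16} {value}")
```

Blocking the SMTP host on port 587 at the egress cuts the primary channel; the Telegram channel cannot be blocked by hostname where Telegram is in legitimate use, so match on the `/bot<id>:` path in inspected TLS or report the bot token to Telegram's abuse contact.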
Signatures

- Snake Keylogger
  Keylogger and infostealer first seen in November 2020.

- Snake Keylogger Payload (1 IoC)
  resource: behavioral2/memory/4280-135-0x0000000000400000-0x0000000000426000-memory.dmp
  yara_rule: family_snakekeylogger

- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

- Reads user/profile data of local email clients (2 TTPs)
  Email clients store user data on disk, which infostealers commonly target.

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.

- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  process: tmp.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - Key opened: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - Key opened: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 33: checkip.dyndns.org

- Suspicious use of SetThreadContext (1 IoC)
  PID 3840 (tmp.exe) set thread context of PID 4280 (tmp.exe)

- Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 4280 (tmp.exe)

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 4280 (tmp.exe)

- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 3840 (tmp.exe) wrote to memory of PID 4280 (tmp.exe), recorded 8 times

- outlook_office_path (1 IoC)
  process: tmp.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

- outlook_win_path (1 IoC)
  process: tmp.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
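Read together, the SetThreadContext and WriteProcessMemory signatures describe one thing: the first tmp.exe (PID 3840) writes into a second instance of its own image (PID 4280) and redirects that instance's thread, after which the Outlook access, process enumeration and SeDebugPrivilege all come from the child. That is the self-injection / process-hollowing pattern, and the child is where the unpacked payload runs. The following is an added example, not part of the report: it parses the Triage-style event lines as they appear above (EVENTS is a constructed copy: one thread-context line, eight write lines, one token line) and raises a finding only when the same source/target pair shows both a memory write and a thread-context change.

```python
"""Flag parent-to-child injection from Triage-style process events (added example)."""
import re
from collections import defaultdict

# Constructed from the report's signature tables, in their flattened layout:
# "PID <src> <action> <dst> <src> <src image> <dst image>" and "Token: <privilege> <pid> <image>".
EVENTS = (
    ["PID 3840 set thread context of 4280 3840 tmp.exe tmp.exe"]
    + ["PID 3840 wrote to memory of 4280 3840 tmp.exe tmp.exe"] * 8
    + ["Token: SeDebugPrivilege 4280 tmp.exe"]
)

_XPROC_RE = re.compile(r"PID (\d+) (set thread context of|wrote to memory of) (\d+) \d+ (\S+) (\S+)")
_TOKEN_RE = re.compile(r"Token: (\S+) (\d+) (\S+)")


def parse_event(line):
    """Turn one event line into a dict; None for lines in a layout we do not handle."""
    m = _XPROC_RE.fullmatch(line)
    if m:
        src, action, dst, src_img, dst_img = m.groups()
        return {"kind": "xproc", "src": int(src), "dst": int(dst), "action": action,
                "src_image": src_img, "dst_image": dst_img}
    m = _TOKEN_RE.fullmatch(line)
    if m:
        priv, pid, img = m.groups()
        return {"kind": "token", "pid": int(pid), "privilege": priv, "image": img}
    return None


def find_injections(lines):
    """One finding per (source, target) pair that both wrote memory and set a thread context."""
    pairs = defaultdict(lambda: {"writes": 0, "ctx": 0, "images": None})
    privs = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["kind"] == "token":
            privs[ev["pid"]].add(ev["privilege"])
            continue
        p = pairs[(ev["src"], ev["dst"])]
        p["images"] = (ev["src_image"], ev["dst_image"])
        if ev["action"] == "wrote to memory of":
            p["writes"] += 1
        else:
            p["ctx"] += 1

    findings = []
    for (src, dst), p in pairs.items():
        if not (p["writes"] and p["ctx"]):
            continue  # writes alone (debuggers, some installers) or a context change alone is weaker evidence
        same_image = p["images"][0].lower() == p["images"][1].lower()
        findings.append({
            "source": src, "target": dst,
            "writes": p["writes"], "thread_context": p["ctx"],
            "same_image": same_image,
            # Rewriting a second copy of its own image and redirecting its thread is self-injection
            # (process hollowing); a different image would be classic remote injection.
            "technique": "self-injection (process hollowing)" if same_image else "remote process injection",
            "target_privileges": sorted(privs[dst]),
        })
    return findings


if __name__ == "__main__":
    for f in find_injections(EVENTS):
        print(f)
```

The same pairing (WriteProcessMemory followed by SetThreadContext from one parent into one child, same image name) is what to look for in Sysmon Event ID 8/10 or EDR telemetry on a live host; the sandbox's eight write events correspond to the PE headers and sections being copied into the child before the entry point is redirected.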
Processes
- C:\Users\Admin\AppData\Local\Temp\tmp.exe (PID 3840)
  "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\tmp.exe (PID 4280)
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tmp.exe.log
  Filesize: 1KB
  MD5: 36049bae97bba745c793444373453cb0
  SHA1: eb6e9a822944e8e207abba1a5e53f0183a1684f1
  SHA256: 839fa1f9725719938ffa24533587b168bae2768f23ac09dccb3ad4ab8ae6abcd
  SHA512: a6584b7b435afeffb6becfbed82517087030eb23534fa50deecd02330bf36d633ba22e979e36b9c27e35885f9cc1cc9481dadc53cc265be61391e11a7c2c7cdb
- memory/3840-130-0x0000000000D00000-0x0000000000D72000-memory.dmp
  Filesize: 456KB
- memory/3840-131-0x0000000005DE0000-0x0000000006384000-memory.dmp
  Filesize: 5.6MB
- memory/3840-132-0x00000000058E0000-0x0000000005972000-memory.dmp
  Filesize: 584KB
- memory/3840-133-0x0000000009120000-0x00000000091BC000-memory.dmp
  Filesize: 624KB
- memory/4280-134-0x0000000000000000-mapping.dmp
- memory/4280-135-0x0000000000400000-0x0000000000426000-memory.dmp
  Filesize: 152KB
- memory/4280-137-0x0000000006340000-0x0000000006502000-memory.dmp
  Filesize: 1.8MB
- memory/4280-138-0x00000000062C0000-0x00000000062CA000-memory.dmp
  Filesize: 40KB
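The dump names above encode the PID, a sequence number and the virtual address range of each region, which is enough to tie the yara hit in the Signatures section back to a specific dump. The following is an added example, not part of the report: it parses that naming scheme (DUMPS is a constructed copy of the list above with the stated Filesize values), checks that each address span agrees with the size shown, and resolves the `family_snakekeylogger` resource path to its region.

```python
"""Parse Triage memory-dump names and cross-check them against the yara hit (added example)."""
import re

# Constructed from the report's Downloads list: (dump name, stated Filesize; None for the mapping dump).
DUMPS = [
    ("memory/3840-130-0x0000000000D00000-0x0000000000D72000-memory.dmp", "456KB"),
    ("memory/3840-131-0x0000000005DE0000-0x0000000006384000-memory.dmp", "5.6MB"),
    ("memory/3840-132-0x00000000058E0000-0x0000000005972000-memory.dmp", "584KB"),
    ("memory/3840-133-0x0000000009120000-0x00000000091BC000-memory.dmp", "624KB"),
    ("memory/4280-134-0x0000000000000000-mapping.dmp", None),
    ("memory/4280-135-0x0000000000400000-0x0000000000426000-memory.dmp", "152KB"),
    ("memory/4280-137-0x0000000006340000-0x0000000006502000-memory.dmp", "1.8MB"),
    ("memory/4280-138-0x00000000062C0000-0x00000000062CA000-memory.dmp", "40KB"),
]

# The yara resource from the Signatures section, which carries a task prefix in front of the dump name.
YARA_HIT = "behavioral2/memory/4280-135-0x0000000000400000-0x0000000000426000-memory.dmp"

_DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)


def parse_dump_name(name):
    """Decode '<pid>-<seq>-0x<start>[-0x<end>]-<kind>.dmp'; search() tolerates a 'behavioral2/' prefix."""
    m = _DUMP_RE.search(name)
    if not m:
        return None
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None  # mapping dumps carry no end address
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "kind": m["kind"],
            "start": start, "end": end, "size": (end - start) if end is not None else None}


def human_size(n):
    """Triage-style size string: whole KB below 1 MB, one decimal MB at or above it."""
    return f"{n // 1024}KB" if n < 1024 * 1024 else f"{n / (1024 * 1024):.1f}MB"


def verify_sizes(dumps):
    """Return (name, computed, stated) for every region whose address span disagrees with its Filesize."""
    bad = []
    for name, stated in dumps:
        d = parse_dump_name(name)
        if d and d["size"] is not None and human_size(d["size"]) != stated:
            bad.append((name, human_size(d["size"]), stated))
    return bad


def find_region(dumps, yara_resource):
    """Resolve a yara 'resource' path to the matching entry in the Downloads list."""
    hit = parse_dump_name(yara_resource)
    if hit is None:
        return None
    key = (hit["pid"], hit["seq"], hit["start"], hit["end"])
    for name, _ in dumps:
        d = parse_dump_name(name)
        if d and (d["pid"], d["seq"], d["start"], d["end"]) == key:
            return d
    return None


if __name__ == "__main__":
    print("size mismatches:", verify_sizes(DUMPS))
    r = find_region(DUMPS, YARA_HIT)
    print(f"yara hit: PID {r['pid']} base 0x{r['start']:X} {human_size(r['size'])}")
```

The hit resolves to PID 4280 at 0x400000, the default image base of a 32-bit PE, with a 152KB span against a 433KB file on disk: that dump is the unpacked Snake Keylogger payload the loader wrote into the hollowed child, and it is the file to pull for static analysis rather than the original sample. The `CLR_v4.0_32\UsageLogs\tmp.exe.log` artifact in the same list is written by the .NET Framework 4 runtime for a 32-bit process, which is consistent with that.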