Analysis
- max time kernel: 85s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 05-07-2022 12:02

Static task: static1

Behavioral task: behavioral1
- Sample: 4214190838420220705 09222727 HesapO.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: 4214190838420220705 09222727 HesapO.exe
- Resource: win10v2004-20220414-en
General
- Target: 4214190838420220705 09222727 HesapO.exe
- Size: 797KB
- MD5: 130ed2e738b249c2b1957aaa561008f5
- SHA1: 9ea02b6e8fb044eb486a34cc05b380145d51de30
- SHA256: 37e2d7561400f8872ec3c2f4f484a5275c36fb82ee98580e2dfe3b71ba1629bd
- SHA512: 3142ecfb0a263cbd4d04c142258723c72ae4f2edd989ebb178a80b49f8b0aaed9413d3af48144ef14fefad31902b04d94000c4c292f13327f43d599a34db8fbc

Malware Config
- Extracted: snakekeylogger
- Telegram Bot API URL: https://api.telegram.org/bot5412042498:AAH4OVSAlB-9yvO0MxObTPVF8mPej6Ln4M4/sendMessage?chat_id=5573520537
Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.

Snake Keylogger Payload (6 IoCs)
Processes (resource | yara_rule):
- behavioral1/memory/1956-67-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
- behavioral1/memory/1956-69-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
- behavioral1/memory/1956-70-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
- behavioral1/memory/1956-71-0x00000000004204AE-mapping.dmp | family_snakekeylogger
- behavioral1/memory/1956-73-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
- behavioral1/memory/1956-75-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
Processes: 4214190838420220705 09222727 HesapO.exe (description | ioc | process)
- Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions | 4214190838420220705 09222727 HesapO.exe

Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
Processes: 4214190838420220705 09222727 HesapO.exe (description | ioc | process)
- Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools | 4214190838420220705 09222727 HesapO.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: 4214190838420220705 09222727 HesapO.exe (description | ioc | process)
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 4214190838420220705 09222727 HesapO.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 4214190838420220705 09222727 HesapO.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes: 4214190838420220705 09222727 HesapO.exe (description | ioc | process)
- Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 4214190838420220705 09222727 HesapO.exe
- Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 4214190838420220705 09222727 HesapO.exe
- Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 4214190838420220705 09222727 HesapO.exe
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow | ioc):
- 4 | checkip.dyndns.org

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes: 4214190838420220705 09222727 HesapO.exe (description | ioc | process)
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 4214190838420220705 09222727 HesapO.exe
- Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | 4214190838420220705 09222727 HesapO.exe

Suspicious use of SetThreadContext (1 IoC)
Processes: 4214190838420220705 09222727 HesapO.exe (description | pid | process | target process)
- PID 1868 set thread context of 1956 | 1868 | 4214190838420220705 09222727 HesapO.exe | 4214190838420220705 09222727 HesapO.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (7 IoCs)
Processes: 4214190838420220705 09222727 HesapO.exe, 4214190838420220705 09222727 HesapO.exe, powershell.exe (pid | process)
- 1868 | 4214190838420220705 09222727 HesapO.exe
- 1868 | 4214190838420220705 09222727 HesapO.exe
- 1868 | 4214190838420220705 09222727 HesapO.exe
- 1868 | 4214190838420220705 09222727 HesapO.exe
- 1868 | 4214190838420220705 09222727 HesapO.exe
- 1956 | 4214190838420220705 09222727 HesapO.exe
- 1688 | powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: 4214190838420220705 09222727 HesapO.exe, 4214190838420220705 09222727 HesapO.exe, powershell.exe (description | pid | process)
- Token: SeDebugPrivilege | 1868 | 4214190838420220705 09222727 HesapO.exe
- Token: SeDebugPrivilege | 1956 | 4214190838420220705 09222727 HesapO.exe
- Token: SeDebugPrivilege | 1688 | powershell.exe

Suspicious use of WriteProcessMemory (21 IoCs)
Processes: 4214190838420220705 09222727 HesapO.exe (description | pid | process | target process)
- PID 1868 wrote to memory of 1688 | 1868 | 4214190838420220705 09222727 HesapO.exe | powershell.exe
- PID 1868 wrote to memory of 1688 | 1868 | 4214190838420220705 09222727 HesapO.exe | powershell.exe
- PID 1868 wrote to memory of 1688 | 1868 | 4214190838420220705 09222727 HesapO.exe | powershell.exe
- PID 1868 wrote to memory of 1688 | 1868 | 4214190838420220705 09222727 HesapO.exe | powershell.exe
- PID 1868 wrote to memory of 868 | 1868 | 4214190838420220705 09222727 HesapO.exe | schtasks.exe
- PID 1868 wrote to memory of 868 | 1868 | 4214190838420220705 09222727 HesapO.exe | schtasks.exe
- PID 1868 wrote to memory of 868 | 1868 | 4214190838420220705 09222727 HesapO.exe | schtasks.exe
- PID 1868 wrote to memory of 868 | 1868 | 4214190838420220705 09222727 HesapO.exe | schtasks.exe
- PID 1868 wrote to memory of 776 | 1868 | 4214190838420220705 09222727 HesapO.exe | 4214190838420220705 09222727 HesapO.exe
- PID 1868 wrote to memory of 776 | 1868 | 4214190838420220705 09222727 HesapO.exe | 4214190838420220705 09222727 HesapO.exe
- PID 1868 wrote to memory of 776 | 1868 | 4214190838420220705 09222727 HesapO.exe | 4214190838420220705 09222727 HesapO.exe
- PID 1868 wrote to memory of 776 | 1868 | 4214190838420220705 09222727 HesapO.exe | 4214190838420220705 09222727 HesapO.exe
- PID 1868 wrote to memory of 1956 | 1868 | 4214190838420220705 09222727 HesapO.exe | 4214190838420220705 09222727 HesapO.exe
- PID 1868 wrote to memory of 1956 | 1868 | 4214190838420220705 09222727 HesapO.exe | 4214190838420220705 09222727 HesapO.exe
- PID 1868 wrote to memory of 1956 | 1868 | 4214190838420220705 09222727 HesapO.exe | 4214190838420220705 09222727 HesapO.exe
- PID 1868 wrote to memory of 1956 | 1868 | 4214190838420220705 09222727 HesapO.exe | 4214190838420220705 09222727 HesapO.exe
- PID 1868 wrote to memory of 1956 | 1868 | 4214190838420220705 09222727 HesapO.exe | 4214190838420220705 09222727 HesapO.exe
- PID 1868 wrote to memory of 1956 | 1868 | 4214190838420220705 09222727 HesapO.exe | 4214190838420220705 09222727 HesapO.exe
- PID 1868 wrote to memory of 1956 | 1868 | 4214190838420220705 09222727 HesapO.exe | 4214190838420220705 09222727 HesapO.exe
- PID 1868 wrote to memory of 1956 | 1868 | 4214190838420220705 09222727 HesapO.exe | 4214190838420220705 09222727 HesapO.exe
- PID 1868 wrote to memory of 1956 | 1868 | 4214190838420220705 09222727 HesapO.exe | 4214190838420220705 09222727 HesapO.exe

outlook_office_path (1 IoC)
Processes: 4214190838420220705 09222727 HesapO.exe (description | ioc | process)
- Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 4214190838420220705 09222727 HesapO.exe

outlook_win_path (1 IoC)
Processes: 4214190838420220705 09222727 HesapO.exe (description | ioc | process)
- Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 4214190838420220705 09222727 HesapO.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\4214190838420220705 09222727 HesapO.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4214190838420220705 09222727 HesapO.exe"
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gdboFfFRcT.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gdboFfFRcT" /XML "C:\Users\Admin\AppData\Local\Temp\tmp71C7.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\4214190838420220705 09222727 HesapO.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\4214190838420220705 09222727 HesapO.exe"
  - C:\Users\Admin\AppData\Local\Temp\4214190838420220705 09222727 HesapO.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\4214190838420220705 09222727 HesapO.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp71C7.tmp
  Filesize: 1KB
  MD5: 74f6034ea126f98602581effbf533ac2
  SHA1: 03d56d83618c26fbac5f0021794ed574e07ef46b
  SHA256: a1dacdb4c1559f20cd14c8b7d884eb149aaa634d80358241369c1e4324b6c2ca
  SHA512: 9111b2e66b97e5679dfb37126832ce16f3b1438adaefefa3a16bc46d99f7ee490df86430bb7a051e1dc5b9c6090899f663a7e6caebef7689f49cbd283bf930f6
- memory/868-60-0x0000000000000000-mapping.dmp
- memory/1688-59-0x0000000000000000-mapping.dmp
- memory/1688-78-0x000000006DFF0000-0x000000006E59B000-memory.dmp (Filesize: 5.7MB)
- memory/1688-77-0x000000006DFF0000-0x000000006E59B000-memory.dmp (Filesize: 5.7MB)
- memory/1868-63-0x0000000004F80000-0x0000000004FA6000-memory.dmp (Filesize: 152KB)
- memory/1868-58-0x0000000004790000-0x00000000047FA000-memory.dmp (Filesize: 424KB)
- memory/1868-57-0x0000000000560000-0x000000000056E000-memory.dmp (Filesize: 56KB)
- memory/1868-54-0x0000000000BD0000-0x0000000000C9C000-memory.dmp (Filesize: 816KB)
- memory/1868-55-0x00000000759E1000-0x00000000759E3000-memory.dmp (Filesize: 8KB)
- memory/1868-56-0x00000000004E0000-0x0000000000500000-memory.dmp (Filesize: 128KB)
- memory/1956-69-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize: 152KB)
- memory/1956-67-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize: 152KB)
- memory/1956-70-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize: 152KB)
- memory/1956-71-0x00000000004204AE-mapping.dmp
- memory/1956-73-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize: 152KB)
- memory/1956-75-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize: 152KB)
- memory/1956-65-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize: 152KB)
- memory/1956-64-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize: 152KB)