Analysis
-
max time kernel
101s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
11/09/2022, 06:38
General
-
Target
RFQ K28765.exe
-
Size
845KB
-
MD5
e849c525b770b4765fbbb36d5ad95030
-
SHA1
c6a6a20b612bd6a1213dac6ae07dc650df5d72e9
-
SHA256
1a3fd2d2b2c9d14ff022b6a5e62e2aaa3848fb9b5714bac5ed136c3d82d6f58d
-
SHA512
6c94931189113d843dd361bac94f3fd9913c051a13ddee0c913300154203c32c4b6239f6749b8d71346f1465f4f7bc0926d4af7535a32898301d8c9671272a1e
-
SSDEEP
12288:HRNdSxnDFHzp2oFo7yDQBBA7AbVGUy8V4CchNr/:xnS3TgUNQBBjVZar
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
us2.smtp.mailhostbox.com - Port:
587 - Username:
[email protected] - Password:
xCj*aYU6 - Email To:
[email protected]
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 1 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\RFQ K28765.exe"C:\Users\Admin\AppData\Local\Temp\RFQ K28765.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RFQ K28765.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\juTWUYwFur.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\juTWUYwFur" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2EB1.tmp"2⤵
- Creates scheduled task(s)
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
18KB
MD5b8ec3b9123f19d2d5c1a53cf46bc6194
SHA1584f344a657c636a74c4a40670184673af08335f
SHA256d412f95837343a6691cfd6496aaa12be220c729dd2e6cfd95073aad6701d7273
SHA5123bc13c9cfb7e15d8aec3c18363a35949aa631d341fe7123cc556b84b3febaeba1d0a2934a76f982e059c96c6d77d901be73d4483bb419a46ffd03fc64a6ef984
-
Filesize
1KB
MD5eff39f1d5fb72e38394a1174cc094f92
SHA15566888b33ab0eb4d21c03457dd9b7187806564e
SHA256870a566167c0e3a6b543b51f76c956b8a83a4271cf17483da5e54d4fe772e5c7
SHA5127a37286d320c9b2c4b57e1185adb5f992be0d230dc4400f6e2c89d7f43c22b297962306024da079fb30d3c331bb3678743efa307beba44fe094b04e2bf9f9f0c
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
104KB
-
Filesize
216KB
-
Filesize
6.2MB
-
Filesize
136KB
-
Filesize
56KB
-
Filesize
408KB
-
Filesize
104KB
-
Filesize
6.5MB
-
Filesize
120KB
-
Filesize
32KB
-
Filesize
200KB
-
Filesize
600KB
-
Filesize
304KB
-
Filesize
40KB
-
Filesize
624KB
-
Filesize
872KB
-
Filesize
40KB
-
Filesize
408KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
1.8MB
-
Filesize
152KB