Analysis
-
max time kernel
141s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
11-09-2022 12:08
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Trojan.MSIL.Krypt.31548.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
SecuriteInfo.com.Trojan.MSIL.Krypt.31548.exe
Resource
win10v2004-20220812-en
General
-
Target
SecuriteInfo.com.Trojan.MSIL.Krypt.31548.exe
-
Size
908KB
-
MD5
08b1020247eb5352d484f254433a7471
-
SHA1
20905f3566f4670dae9982a0f831c1406a0342be
-
SHA256
05c411c9f179d759acaf615a61a43c6cd8b5b76fa41177185a229ba5e1db0827
-
SHA512
729cb653b56088442556aa5801ca484309414dca6fa1c50d79a54a84230fbc5428f09b54005482dbc912b758e1bf2ebf3e6770518d91107abd2f0c8c920aba4e
-
SSDEEP
24576:oBGfXIPdZtiYoAg0IzljgKjrAc1l+16f:oVZEYvIzlgK4c1jf
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
mail.rinc.in - Port:
587 - Username:
stores@rinc.in - Password:
easter@499 - Email To:
zakirrome@ostdubai.com
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 1 IoCs
resource yara_rule behavioral2/memory/4308-141-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger -
Disables Task Manager via registry modification
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation SecuriteInfo.com.Trojan.MSIL.Krypt.31548.exe -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 45 checkip.dyndns.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4724 set thread context of 4308 4724 SecuriteInfo.com.Trojan.MSIL.Krypt.31548.exe 95 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1932 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4724 SecuriteInfo.com.Trojan.MSIL.Krypt.31548.exe 4308 RegSvcs.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4724 SecuriteInfo.com.Trojan.MSIL.Krypt.31548.exe Token: SeDebugPrivilege 4308 RegSvcs.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 4724 wrote to memory of 1932 4724 SecuriteInfo.com.Trojan.MSIL.Krypt.31548.exe 93 PID 4724 wrote to memory of 1932 4724 SecuriteInfo.com.Trojan.MSIL.Krypt.31548.exe 93 PID 4724 wrote to memory of 1932 4724 SecuriteInfo.com.Trojan.MSIL.Krypt.31548.exe 93 PID 4724 wrote to memory of 4308 4724 SecuriteInfo.com.Trojan.MSIL.Krypt.31548.exe 95 PID 4724 wrote to memory of 4308 4724 SecuriteInfo.com.Trojan.MSIL.Krypt.31548.exe 95 PID 4724 wrote to memory of 4308 4724 SecuriteInfo.com.Trojan.MSIL.Krypt.31548.exe 95 PID 4724 wrote to memory of 4308 4724 SecuriteInfo.com.Trojan.MSIL.Krypt.31548.exe 95 PID 4724 wrote to memory of 4308 4724 SecuriteInfo.com.Trojan.MSIL.Krypt.31548.exe 95 PID 4724 wrote to memory of 4308 4724 SecuriteInfo.com.Trojan.MSIL.Krypt.31548.exe 95 PID 4724 wrote to memory of 4308 4724 SecuriteInfo.com.Trojan.MSIL.Krypt.31548.exe 95 PID 4724 wrote to memory of 4308 4724 SecuriteInfo.com.Trojan.MSIL.Krypt.31548.exe 95 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MSIL.Krypt.31548.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MSIL.Krypt.31548.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4724 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uxCVHcDzsxpQW" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5217.tmp"2⤵
- Creates scheduled task(s)
PID:1932
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"{path}"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4308
-
Network
-
Remote address:8.8.8.8:53Requestcheckip.dyndns.orgIN AResponsecheckip.dyndns.orgIN CNAMEcheckip.dyndns.comcheckip.dyndns.comIN A132.226.247.73checkip.dyndns.comIN A132.226.8.169checkip.dyndns.comIN A193.122.130.0checkip.dyndns.comIN A193.122.6.168checkip.dyndns.comIN A158.101.44.242
-
Remote address:132.226.247.73:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
-
322 B 7
-
322 B 7
-
322 B 7
-
322 B 7
-
427 B 485 B 6 5
HTTP Request
GET http://checkip.dyndns.org/HTTP Response
200
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD58b90eeab57835fbd30854a1b9804797f
SHA180114e3f4c7b662768b41fa1c7707b860743e547
SHA2565fb1274a109c5151adf1634b1e45b34a140a32f057b501d85f762e6ac45b989c
SHA512bddc8d8e4079596c5d5391d4bd02e5e46d5ea951d3d7fc57948f0e35187868f478eae332e9ca2bc5519b46e645eb8a9ee70d44b83ca6ddc4304f8055d47a76bf