Analysis

  • max time kernel
    141s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
  • submitted
    11-09-2022 12:08

General

  • Target

    SecuriteInfo.com.Trojan.MSIL.Krypt.31548.exe

  • Size

    908KB

  • MD5

    08b1020247eb5352d484f254433a7471

  • SHA1

    20905f3566f4670dae9982a0f831c1406a0342be

  • SHA256

    05c411c9f179d759acaf615a61a43c6cd8b5b76fa41177185a229ba5e1db0827

  • SHA512

    729cb653b56088442556aa5801ca484309414dca6fa1c50d79a54a84230fbc5428f09b54005482dbc912b758e1bf2ebf3e6770518d91107abd2f0c8c920aba4e

  • SSDEEP

    24576:oBGfXIPdZtiYoAg0IzljgKjrAc1l+16f:oVZEYvIzlgK4c1jf

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    mail.rinc.in
  • Port:
    587
  • Username:
    stores@rinc.in
  • Password:
    easter@499
  • Email To:
    zakirrome@ostdubai.com

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

  • Snake Keylogger payload 1 IoCs
  • Disables Task Manager via registry modification
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MSIL.Krypt.31548.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MSIL.Krypt.31548.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4724
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uxCVHcDzsxpQW" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5217.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1932
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "{path}"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:4308

Network

  • DNS
    checkip.dyndns.org
    RegSvcs.exe
    Remote address:
    8.8.8.8:53
    Request
    checkip.dyndns.org
    IN A
    Response
    checkip.dyndns.org
    IN CNAME
    checkip.dyndns.com
    checkip.dyndns.com
    IN A
    132.226.247.73
    checkip.dyndns.com
    IN A
    132.226.8.169
    checkip.dyndns.com
    IN A
    193.122.130.0
    checkip.dyndns.com
    IN A
    193.122.6.168
    checkip.dyndns.com
    IN A
    158.101.44.242
  • GET
    http://checkip.dyndns.org/
    RegSvcs.exe
    Remote address:
    132.226.247.73:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Sun, 11 Sep 2022 12:08:49 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
  • 20.42.73.24:443
    322 B
    7
  • 8.252.117.126:80
    322 B
    7
  • 8.252.117.126:80
    322 B
    7
  • 8.252.117.126:80
    322 B
    7
  • 132.226.247.73:80
    http://checkip.dyndns.org/
    http
    RegSvcs.exe
    427 B
    485 B
    6
    5

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200
  • 8.8.8.8:53
    checkip.dyndns.org
    dns
    RegSvcs.exe
    64 B
    176 B
    1
    1

    DNS Request

    checkip.dyndns.org

    DNS Response

    132.226.247.73
    132.226.8.169
    193.122.130.0
    193.122.6.168
    158.101.44.242

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp5217.tmp

    Filesize

    1KB

    MD5

    8b90eeab57835fbd30854a1b9804797f

    SHA1

    80114e3f4c7b662768b41fa1c7707b860743e547

    SHA256

    5fb1274a109c5151adf1634b1e45b34a140a32f057b501d85f762e6ac45b989c

    SHA512

    bddc8d8e4079596c5d5391d4bd02e5e46d5ea951d3d7fc57948f0e35187868f478eae332e9ca2bc5519b46e645eb8a9ee70d44b83ca6ddc4304f8055d47a76bf

  • memory/1932-138-0x0000000000000000-mapping.dmp

  • memory/4308-140-0x0000000000000000-mapping.dmp

  • memory/4308-141-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/4308-142-0x0000000006150000-0x0000000006312000-memory.dmp

    Filesize

    1.8MB

  • memory/4724-132-0x00000000001C0000-0x00000000002AA000-memory.dmp

    Filesize

    936KB

  • memory/4724-133-0x0000000004C90000-0x0000000004D2C000-memory.dmp

    Filesize

    624KB

  • memory/4724-134-0x00000000052E0000-0x0000000005884000-memory.dmp

    Filesize

    5.6MB

  • memory/4724-135-0x0000000004D30000-0x0000000004DC2000-memory.dmp

    Filesize

    584KB

  • memory/4724-136-0x0000000004C30000-0x0000000004C3A000-memory.dmp

    Filesize

    40KB

  • memory/4724-137-0x0000000004F60000-0x0000000004FB6000-memory.dmp

    Filesize

    344KB
