Overview

overview

10

Static

static

file01.ps1

windows7-x64

10

file01.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-09-2022 23:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file01.ps1

  • Size

    541KB

  • MD5

    8b1e1389854e7efed04472288a9445d8

  • SHA1

    9cb77f0e0e7c1276d684e88c384155ee9504fe1a

  • SHA256

    21d2842bf7e9b12dec350a2fdb9a8185c3ec1e07d27d631e2ed5909065c22551

  • SHA512

    2edc673d0df9933ce2f13f24e435edb743de5b334b5abbdfaa9ad3f63170643804c6ac945d5a98d4422ccbcd1abd039202cc94b3468c4f2919f0cda85061a926

  • SSDEEP

    12288:vXi4xmh3fnwCiEgzChnmYyUX3EjZrk2SvvGrdKNOQCqe6d7:vXa7

Score
10/10
snakekeyloggercollectionkeyloggerpersistencestealer

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 2 IoCs
  • Registers COM server for autorun 1 TTPs 2 IoCs
    persistence
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies registry class 4 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\file01.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4864
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.ps1'"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3532
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.vbs"
        3⤵
          PID:1384
    • C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exe
      POWERSHELL -noProfilE -ExEcutionPolicy Bypass -Command C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.bat
      1⤵
      • Process spawned unexpected child process
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4664
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.bat""
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4652
        • C:\Windows\system32\reg.exe
          REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f
          3⤵
          • Modifies registry class
          • Modifies registry key
          PID:3976
        • C:\Windows\system32\reg.exe
          REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f
          3⤵
          • Registers COM server for autorun
          • Modifies registry class
          • Modifies registry key
          PID:728
        • C:\Windows\system32\cmd.exe
          cMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\NJWDBWOESPINHONHYKUWZS\CYEBRRULVISVNIVUDGZPTV.ps1'"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4828
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\NJWDBWOESPINHONHYKUWZS\CYEBRRULVISVNIVUDGZPTV.ps1'"
            4⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1548
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
              5⤵
              • Accesses Microsoft Outlook profiles
              • Suspicious behavior: EnumeratesProcesses
              • outlook_office_path
              • outlook_win_path
              PID:2160

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Email Collection

    1
    T1114

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\NJWDBWOESPINHONHYKUWZS\CYEBRRULVISVNIVUDGZPTV.ps1
      Filesize

      531KB

      MD5

      da701326299f1b03fdedec3275a8a1cb

      SHA1

      668822c65bfbe6b20ea53ff2e0a1bc27b13e16c4

      SHA256

      afd512f0bf829f866e0db57b89d52ece8c2e10944d8f5c314c9163857a02deee

      SHA512

      107812fa6fd40449733aa2d94c196f7c736afcfdfdd212014f2ece7747c4596a4083c4f6b5176dae0eb3462d0c70ef939d7fae4420fe1d95dc9eca1105e2ac9f

      Download Submit
    • C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.bat
      Filesize

      706B

      MD5

      5f47e284245ee4f81f03eb432c946a88

      SHA1

      0a95478eafa3e994bf3e6e166b4a43ba9d63fe2e

      SHA256

      a749e67a7b277f33e03aa41b2dc19d09e7bebdb45ebe2c686ed410ed80980090

      SHA512

      f41c1717f966513dfdea116d171fcbb964b3ddff37df8466e73c887fbbd8521832a111e63ef2b00a95b6dba8e293ca6b196f16018a88f4534e751832092ead2b

      Download Submit
    • C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.ps1
      Filesize

      3KB

      MD5

      67a502ba0f7e94457ee7a901066e176c

      SHA1

      09b7a7edafcb084398270e46689853dc1bb56fd9

      SHA256

      127cb052f9cc719b08bc165b04f4a54c6c616981370f21025b39139c9b8abd87

      SHA512

      5810cc4c466d1e16dedb5ef02fd416e343e3772442b0e06b8e2b8fbdd696f06374b14a2776f4e39b9071884457d49892d71db141377b8b53257fa4ccf29d2c4c

      Download Submit
    • C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.vbs
      Filesize

      2KB

      MD5

      50868a55a1f3c71fec65535055a9ce84

      SHA1

      485524c1b3cd4bda27cede63bb11d120b2b0d134

      SHA256

      966b292093b03191aa3855a053f2f6150f2e9a84d507438e08260992a921f579

      SHA512

      5f3491b4135339a5e63b85e2a47a69c31be44fc9a2eb281153f40ce9ce400e59bce70dcee7b4ef2473e2cb11589b21905cecfad919107d2fa76dc73605326feb

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      3KB

      MD5

      00e7da020005370a518c26d5deb40691

      SHA1

      389b34fdb01997f1de74a5a2be0ff656280c0432

      SHA256

      a529468d442b807290b41565130e4c52760af9abec37613114db3857f11ad4fe

      SHA512

      9a02bacc6fb922d6202548e80e345c6cdec346b79ef7ac7a56f89fd342ff128de004065b9d010d015b54d4ca72f665ca658c7ffcd8eb906e14bfa5b48b43f2cf

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      95e1c8db6eb5be60fa7c5f7ca36bfaed

      SHA1

      5b23544fe29ddd6f07852b4ff8971a5bf6c0fdf9

      SHA256

      3b3202f973ef9c0f477b91a022fd535a21e8b444279d8be34fcd16fccfe68a18

      SHA512

      de221bd9c8728434d7a463d7bc5123c5bc45362224b8e312abef60e2e89197cd9b77839df07069d663a483233d3395e9cd8b414d68c3b857eb9171d6d8a195db

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      55263022bc9d9761db86e6dd7cd852a7

      SHA1

      4e071c0f4059c5c763a0832f714e4dafcfc2a574

      SHA256

      6df1b5a88fca88a99c24ed36bc5e860ce95cb6efaf57775fc3b3fbf8360aa52c

      SHA512

      f4200dbd37e3f2b0d20fa9923ac54f3eed7435dd74c930f9887f388a749c0f7fc3fcf4ddbb62b343e5ce3832d991899f5d9cd98323aa823187f30baa91d9fa63

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      64B

      MD5

      50a8221b93fbd2628ac460dd408a9fc1

      SHA1

      7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

      SHA256

      46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

      SHA512

      27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

      Download Submit
    • memory/728-144-0x0000000000000000-mapping.dmp
      Download
    • memory/1384-138-0x0000000000000000-mapping.dmp
      Download
    • memory/1548-157-0x00007FFED97F0000-0x00007FFEDA2B1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/1548-146-0x0000000000000000-mapping.dmp
      Download
    • memory/1548-147-0x00007FFED97F0000-0x00007FFEDA2B1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/1548-153-0x0000029A71D10000-0x0000029A71D2A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/2160-160-0x0000000000180000-0x00000000001A6000-memory.dmp
      Filesize

      152KB

      Download
    • memory/2160-161-0x00000000050A0000-0x0000000005644000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/2160-162-0x0000000004AF0000-0x0000000004B8C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/2160-163-0x0000000005C90000-0x0000000005E52000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/2160-164-0x0000000005E60000-0x0000000005EF2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/2160-165-0x0000000005C10000-0x0000000005C1A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2160-155-0x000000000042060E-mapping.dmp
      Download
    • memory/3532-148-0x00007FFED97F0000-0x00007FFEDA2B1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/3532-137-0x00007FFED97F0000-0x00007FFEDA2B1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/3532-135-0x0000000000000000-mapping.dmp
      Download
    • memory/3976-143-0x0000000000000000-mapping.dmp
      Download
    • memory/4652-141-0x0000000000000000-mapping.dmp
      Download
    • memory/4664-159-0x00007FFED97F0000-0x00007FFEDA2B1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4664-140-0x00007FFED97F0000-0x00007FFEDA2B1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4828-145-0x0000000000000000-mapping.dmp
      Download
    • memory/4864-152-0x00007FFED97F0000-0x00007FFEDA2B1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4864-132-0x0000024DA5790000-0x0000024DA57B2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/4864-134-0x00007FFED97F0000-0x00007FFEDA2B1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4864-133-0x00007FFED97F0000-0x00007FFEDA2B1000-memory.dmp
      Filesize

      10.8MB

      Download