Overview

overview

10

Static

static

blessed1.ps1

windows7-x64

10

blessed1.ps1

windows10-2004-x64

10

Resubmissions

16/03/2023, 18:25

230316-w2mwcaee8s 10

30/09/2022, 08:58

220930-kxf2fsdah5 10

Analysis

  • max time kernel
    52s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/09/2022, 08:58

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    blessed1.ps1

  • Size

    540KB

  • MD5

    297b8e10650755c2076d5ea6c298d7b5

  • SHA1

    3ef255b390d42017069762e5b2f068a2dbb5bfe5

  • SHA256

    3db43c5dc157dc3380f32a9814c1e590a1cb1fe0e9ba35706e56888de9230b4c

  • SHA512

    04fb650b1eb36296ac4b3ff7d80f0fa077214e899f9c6139bbec3f6b7ddee6980e15989b337f9f4f176e994a7a25f69e64c4921e814298eacb8baa82f9648b12

  • SSDEEP

    12288:VXD4xmh3fnwCiEgzChnmYyUX3EjZrk2SvvGrdKNOQCqe6YG:VXEG

Score
10/10
snakekeyloggercollectionkeyloggerpersistencestealer

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 2 IoCs
  • Registers COM server for autorun 1 TTPs 2 IoCs
    persistence
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies registry class 4 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\blessed1.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2752
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.ps1'"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:740
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.vbs"
        3⤵
          PID:4352
    • C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exe
      POWERSHELL -noProfilE -ExEcutionPolicy Bypass -Command C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.bat
      1⤵
      • Process spawned unexpected child process
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3760
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.bat""
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1888
        • C:\Windows\system32\reg.exe
          REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f
          3⤵
          • Modifies registry class
          • Modifies registry key
          PID:1116
        • C:\Windows\system32\reg.exe
          REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f
          3⤵
          • Registers COM server for autorun
          • Modifies registry class
          • Modifies registry key
          PID:1084
        • C:\Windows\system32\cmd.exe
          cMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\NJWDBWOESPINHONHYKUWZS\CYEBRRULVISVNIVUDGZPTV.ps1'"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2336
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\NJWDBWOESPINHONHYKUWZS\CYEBRRULVISVNIVUDGZPTV.ps1'"
            4⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1492
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
              5⤵
              • Accesses Microsoft Outlook profiles
              • Suspicious behavior: EnumeratesProcesses
              • outlook_office_path
              • outlook_win_path
              PID:3308

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\NJWDBWOESPINHONHYKUWZS\CYEBRRULVISVNIVUDGZPTV.ps1
            Filesize

            531KB

            MD5

            cf926b0be724d46e228175953d33a988

            SHA1

            4b87320b4a3b75be7414f82e3cc83abed0f2123b

            SHA256

            3a0b71b1c003590b1eb5a0f5e5e1ccf5af14fca8a264ff1f01c153c2a3806e00

            SHA512

            349ac83e0e2e14c6e9089020ce2c8f07800381840ea5ea574bc6b9ccf67ab603112efb9188950d495f1c18ffd36096aaf6a74d5bbaddc7a3ab13bc24ca7b3b40

            Download Submit

          • C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.bat
            Filesize

            693B

            MD5

            5a52e1c0f7e19f6b96c875310238e048

            SHA1

            6a017b2933ffb51c025fce852abd0e356b0e2b1d

            SHA256

            14e860c94a8664901099340f7a4f97362a64ef149a53e5df31a5a4d383a51d2a

            SHA512

            ddeb3ffd4c2c88c264c6c3587a33ac229afd44ed3a82fcf244e3069e8e0a28be328fded4b40d438185ccacbefb5ccd5d1df40292be825b0f9587b63fbc781f5d

            Download Submit

          • C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.ps1
            Filesize

            3KB

            MD5

            21df908f451a93e32692c2fe8b34162e

            SHA1

            25f4e917312bf21ad9289348b682a292e657cc4d

            SHA256

            ce05b804fdf14f27ab9617e55a7b431bba49325ae749a97a3ee9cff469b36e2e

            SHA512

            6f4d3f109fec3a9d92f36fae2d1eb2bea4c59dbe2b73e92e7f2175f2ca985b9c71f8905d4e6589d4cc010497403729bf7b718efb437f47fd819f16d74bea5ace

            Download Submit

          • C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.vbs
            Filesize

            2KB

            MD5

            1f420d8b494afee108abdbdce860be6d

            SHA1

            06029153e26d9a107f5831ab001f3e43ae6d4aae

            SHA256

            51bfac3e3d2230f21591bd59362c2f657a69614ea893a64644879f3010540275

            SHA512

            bf1e5b622141bb19096f6b8674b92579d0a045f7919beebdcca57f620900836e43d06f17d938697924942b0746087ddad902129887b7da3788256c0a0356d217

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
            Filesize

            3KB

            MD5

            00e7da020005370a518c26d5deb40691

            SHA1

            389b34fdb01997f1de74a5a2be0ff656280c0432

            SHA256

            a529468d442b807290b41565130e4c52760af9abec37613114db3857f11ad4fe

            SHA512

            9a02bacc6fb922d6202548e80e345c6cdec346b79ef7ac7a56f89fd342ff128de004065b9d010d015b54d4ca72f665ca658c7ffcd8eb906e14bfa5b48b43f2cf

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            71444def27770d9071039d005d0323b7

            SHA1

            cef8654e95495786ac9347494f4417819373427e

            SHA256

            8438eded7f1ab9b4399a069611fe8730226bcdce08fab861d4e8fae6ef621ec9

            SHA512

            a721af797fd6882e6595b7d9610334f1fb57b809e504452eed4b0d0a32aaf07b81ce007bd51605bec9fcea7ec9f1d8424db1f0f53b65a01126ec4f5980d86034

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            75b4b2eecda41cec059c973abb1114c0

            SHA1

            11dadf4817ead21b0340ce529ee9bbd7f0422668

            SHA256

            5540f4ea6d18b1aa94a3349652133a4f6641d456757499b7ab12e7ee8f396134

            SHA512

            87feaf17bd331ed6afd9079fefb1d8f5d3911ababf8ea7542be16c946301a7172a5dc46d249b2192376957468d75bf1c99752529ca77ec0aa78a8d054b3a6626

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            64B

            MD5

            d8b9a260789a22d72263ef3bb119108c

            SHA1

            376a9bd48726f422679f2cd65003442c0b6f6dd5

            SHA256

            d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

            SHA512

            550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

            Download Submit

          • memory/740-147-0x00007FF857620000-0x00007FF8580E1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/740-136-0x00007FF857620000-0x00007FF8580E1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1492-157-0x00007FF857620000-0x00007FF8580E1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1492-153-0x000001D1B1630000-0x000001D1B164A000-memory.dmp

            Filesize

            104KB

            Download

          • memory/1492-149-0x00007FF857620000-0x00007FF8580E1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2752-132-0x0000022255070000-0x0000022255092000-memory.dmp

            Filesize

            136KB

            Download

          • memory/2752-134-0x00007FF857620000-0x00007FF8580E1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2752-133-0x00007FF857620000-0x00007FF8580E1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2752-152-0x00007FF857620000-0x00007FF8580E1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3308-161-0x0000000005D20000-0x00000000062C4000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/3308-160-0x00000000011C0000-0x00000000011E6000-memory.dmp

            Filesize

            152KB

            Download

          • memory/3308-154-0x0000000000400000-0x0000000000426000-memory.dmp

            Filesize

            152KB

            Download

          • memory/3308-162-0x0000000005810000-0x00000000058AC000-memory.dmp

            Filesize

            624KB

            Download

          • memory/3308-163-0x00000000069D0000-0x0000000006B92000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/3308-164-0x0000000006BA0000-0x0000000006C32000-memory.dmp

            Filesize

            584KB

            Download

          • memory/3308-165-0x0000000006950000-0x000000000695A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/3760-148-0x00007FF857620000-0x00007FF8580E1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3760-159-0x00007FF857620000-0x00007FF8580E1000-memory.dmp

            Filesize

            10.8MB

            Download