Analysis
-
max time kernel
55s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
03-10-2022 04:36
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Win32.PWSX-gen.22537.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
SecuriteInfo.com.Win32.PWSX-gen.22537.exe
Resource
win10v2004-20220901-en
General
-
Target
SecuriteInfo.com.Win32.PWSX-gen.22537.exe
-
Size
900KB
-
MD5
96d1155766e94985bae9254b1519a08f
-
SHA1
20542794a283bb390e1f25e6150cd994a0b3a2a0
-
SHA256
006248ca6292f9ca72274fc84e5cea8fc72aa2df7079e849835c232bea1b1c47
-
SHA512
f5ab3b93729e7fc67e23a63006bec797f2a8d26fb9fae0a3c078ded809a16926d4226ced8ecc854eb988307beec635c63a439db24a29f3187b7af31fdd10f9af
-
SSDEEP
12288:f0fnBqhbu2e3h6FeBj2GwlRda0TmgnHzIVrURPSjSK4HTN:qMbjah6FeBjkvBzc8PS
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
mail.hemegas.es - Port:
587 - Username:
[email protected] - Password:
@Bastilipo1 - Email To:
[email protected]
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 6 IoCs
Processes:
resource yara_rule behavioral1/memory/1164-67-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger behavioral1/memory/1164-69-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger behavioral1/memory/1164-71-0x00000000004201FE-mapping.dmp family_snakekeylogger behavioral1/memory/1164-70-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger behavioral1/memory/1164-73-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger behavioral1/memory/1164-75-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
RegSvcs.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 checkip.dyndns.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
SecuriteInfo.com.Win32.PWSX-gen.22537.exedescription pid process target process PID 1492 set thread context of 1164 1492 SecuriteInfo.com.Win32.PWSX-gen.22537.exe RegSvcs.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
RegSvcs.exepowershell.exepid process 1164 RegSvcs.exe 592 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
RegSvcs.exepowershell.exedescription pid process Token: SeDebugPrivilege 1164 RegSvcs.exe Token: SeDebugPrivilege 592 powershell.exe -
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
SecuriteInfo.com.Win32.PWSX-gen.22537.exedescription pid process target process PID 1492 wrote to memory of 592 1492 SecuriteInfo.com.Win32.PWSX-gen.22537.exe powershell.exe PID 1492 wrote to memory of 592 1492 SecuriteInfo.com.Win32.PWSX-gen.22537.exe powershell.exe PID 1492 wrote to memory of 592 1492 SecuriteInfo.com.Win32.PWSX-gen.22537.exe powershell.exe PID 1492 wrote to memory of 592 1492 SecuriteInfo.com.Win32.PWSX-gen.22537.exe powershell.exe PID 1492 wrote to memory of 1368 1492 SecuriteInfo.com.Win32.PWSX-gen.22537.exe schtasks.exe PID 1492 wrote to memory of 1368 1492 SecuriteInfo.com.Win32.PWSX-gen.22537.exe schtasks.exe PID 1492 wrote to memory of 1368 1492 SecuriteInfo.com.Win32.PWSX-gen.22537.exe schtasks.exe PID 1492 wrote to memory of 1368 1492 SecuriteInfo.com.Win32.PWSX-gen.22537.exe schtasks.exe PID 1492 wrote to memory of 1164 1492 SecuriteInfo.com.Win32.PWSX-gen.22537.exe RegSvcs.exe PID 1492 wrote to memory of 1164 1492 SecuriteInfo.com.Win32.PWSX-gen.22537.exe RegSvcs.exe PID 1492 wrote to memory of 1164 1492 SecuriteInfo.com.Win32.PWSX-gen.22537.exe RegSvcs.exe PID 1492 wrote to memory of 1164 1492 SecuriteInfo.com.Win32.PWSX-gen.22537.exe RegSvcs.exe PID 1492 wrote to memory of 1164 1492 SecuriteInfo.com.Win32.PWSX-gen.22537.exe RegSvcs.exe PID 1492 wrote to memory of 1164 1492 SecuriteInfo.com.Win32.PWSX-gen.22537.exe RegSvcs.exe PID 1492 wrote to memory of 1164 1492 SecuriteInfo.com.Win32.PWSX-gen.22537.exe RegSvcs.exe PID 1492 wrote to memory of 1164 1492 SecuriteInfo.com.Win32.PWSX-gen.22537.exe RegSvcs.exe PID 1492 wrote to memory of 1164 1492 SecuriteInfo.com.Win32.PWSX-gen.22537.exe RegSvcs.exe PID 1492 wrote to memory of 1164 1492 SecuriteInfo.com.Win32.PWSX-gen.22537.exe RegSvcs.exe PID 1492 wrote to memory of 1164 1492 SecuriteInfo.com.Win32.PWSX-gen.22537.exe RegSvcs.exe PID 1492 wrote to memory of 1164 1492 SecuriteInfo.com.Win32.PWSX-gen.22537.exe RegSvcs.exe -
outlook_office_path 1 IoCs
Processes:
RegSvcs.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe -
outlook_win_path 1 IoCs
Processes:
RegSvcs.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22537.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22537.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IfykhIvtYRbIfN.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IfykhIvtYRbIfN" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC0FF.tmp"2⤵
- Creates scheduled task(s)
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpC0FF.tmpFilesize
1KB
MD5238ffc1b19ab17f9512bd4952582b345
SHA10b908d2c2813dcd411b68302734db2c5feae25f9
SHA2569fd7270c330a47acf601012dea6136b414d4273d421b35ae32f34ccb6cb82113
SHA51215a9cdab99f83ef8fc60d0ff827ab910c7624513af8a6c106a7a7f97bd8e45fdcccc3b18a3bd92b9a6031b403d66490e8ca36d3582b0e0bd7fc1649f5ba8c000
-
memory/592-59-0x0000000000000000-mapping.dmp
-
memory/592-78-0x000000006F060000-0x000000006F60B000-memory.dmpFilesize
5.7MB
-
memory/592-77-0x000000006F060000-0x000000006F60B000-memory.dmpFilesize
5.7MB
-
memory/1164-64-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/1164-73-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/1164-75-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/1164-70-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/1164-71-0x00000000004201FE-mapping.dmp
-
memory/1164-65-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/1164-67-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/1164-69-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/1368-60-0x0000000000000000-mapping.dmp
-
memory/1492-58-0x0000000005510000-0x000000000558E000-memory.dmpFilesize
504KB
-
memory/1492-63-0x00000000050A0000-0x00000000050C6000-memory.dmpFilesize
152KB
-
memory/1492-54-0x0000000010720000-0x0000000010804000-memory.dmpFilesize
912KB
-
memory/1492-57-0x0000000000700000-0x000000000070C000-memory.dmpFilesize
48KB
-
memory/1492-56-0x00000000006D0000-0x00000000006EC000-memory.dmpFilesize
112KB
-
memory/1492-55-0x0000000076BA1000-0x0000000076BA3000-memory.dmpFilesize
8KB