snakekeylogger | 1e9bbbeb040fa46c67bc853dcc4f0e7f10c9bb1f45b67b0060b2b5fe2c1ad398

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21/11/2022, 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e9bbbeb040fa46c67bc853dcc4f0e7f10c9bb1f45b67b0060b2b5fe2c1ad398.exe
Size

1.1MB
MD5

fd06aeefc7397dd23b37723a015bb4f7
SHA1

7ae26b0c428dc50fa802c16aeb555602b63b255b
SHA256

1e9bbbeb040fa46c67bc853dcc4f0e7f10c9bb1f45b67b0060b2b5fe2c1ad398
SHA512

4cdf4c17c0a646e3586d88784aed09e0e31b2e55dd8c502012f5d7d2af7c20882114ae9b50771ce80e1fa8435414a7097d3c75959923ab4e30121650620afb45
SSDEEP

24576:wAOcZlYFHb9hHgV07huAPNnjLzCXPQ+T5beBP:uBHbfAV0lHCXY+TUBP

Score

10^/10

snakekeylogger collection evasion keylogger persistence spyware stealer

Malware Config

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 5 IoCs

resource	yara_rule
behavioral1/memory/364-77-0x00000000003106CE-mapping.dmp	family_snakekeylogger
behavioral1/memory/364-76-0x00000000002F0000-0x0000000000A04000-memory.dmp	family_snakekeylogger
behavioral1/memory/364-80-0x00000000002F0000-0x0000000000A04000-memory.dmp	family_snakekeylogger
behavioral1/memory/364-82-0x00000000002F0000-0x0000000000A04000-memory.dmp	family_snakekeylogger
behavioral1/memory/364-84-0x00000000002F0000-0x0000000000316000-memory.dmp	family_snakekeylogger

Disables Task Manager via registry modification
evasion

Executes dropped EXE 2 IoCs

pid	Process
2004	kxvcvt.exe
364	RegSvcs.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk	kxvcvt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk	kxvcvt.exe

Loads dropped DLL 2 IoCs

pid	Process
1560	WScript.exe
2004	kxvcvt.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	kxvcvt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6_84\\kxvcvt.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\6_84\\FKWFSI~1.DOC"	kxvcvt.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	kxvcvt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\6_84 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6_84\\start.vbs"	kxvcvt.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2004 set thread context of 364	2004	kxvcvt.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
2004	kxvcvt.exe
2004	kxvcvt.exe
2004	kxvcvt.exe
2004	kxvcvt.exe
2004	kxvcvt.exe
2004	kxvcvt.exe
2004	kxvcvt.exe
2004	kxvcvt.exe
2004	kxvcvt.exe
364	RegSvcs.exe
2004	kxvcvt.exe
2004	kxvcvt.exe
2004	kxvcvt.exe
364	RegSvcs.exe
2004	kxvcvt.exe
2004	kxvcvt.exe
2004	kxvcvt.exe
2004	kxvcvt.exe
2004	kxvcvt.exe
2004	kxvcvt.exe
2004	kxvcvt.exe
2004	kxvcvt.exe
2004	kxvcvt.exe
2004	kxvcvt.exe
2004	kxvcvt.exe
2004	kxvcvt.exe
2004	kxvcvt.exe
2004	kxvcvt.exe
2004	kxvcvt.exe
2004	kxvcvt.exe
2004	kxvcvt.exe
2004	kxvcvt.exe
2004	kxvcvt.exe
2004	kxvcvt.exe
2004	kxvcvt.exe
2004	kxvcvt.exe
2004	kxvcvt.exe
2004	kxvcvt.exe
2004	kxvcvt.exe
2004	kxvcvt.exe
2004	kxvcvt.exe
2004	kxvcvt.exe
2004	kxvcvt.exe
2004	kxvcvt.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	364	RegSvcs.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 1592 wrote to memory of 1560	1592	1e9bbbeb040fa46c67bc853dcc4f0e7f10c9bb1f45b67b0060b2b5fe2c1ad398.exe	27
PID 1592 wrote to memory of 1560	1592	1e9bbbeb040fa46c67bc853dcc4f0e7f10c9bb1f45b67b0060b2b5fe2c1ad398.exe	27
PID 1592 wrote to memory of 1560	1592	1e9bbbeb040fa46c67bc853dcc4f0e7f10c9bb1f45b67b0060b2b5fe2c1ad398.exe	27
PID 1592 wrote to memory of 1560	1592	1e9bbbeb040fa46c67bc853dcc4f0e7f10c9bb1f45b67b0060b2b5fe2c1ad398.exe	27
PID 1560 wrote to memory of 2004	1560	WScript.exe	28
PID 1560 wrote to memory of 2004	1560	WScript.exe	28
PID 1560 wrote to memory of 2004	1560	WScript.exe	28
PID 1560 wrote to memory of 2004	1560	WScript.exe	28
PID 2004 wrote to memory of 1932	2004	kxvcvt.exe	29
PID 2004 wrote to memory of 1932	2004	kxvcvt.exe	29
PID 2004 wrote to memory of 1932	2004	kxvcvt.exe	29
PID 2004 wrote to memory of 1932	2004	kxvcvt.exe	29
PID 2004 wrote to memory of 528	2004	kxvcvt.exe	30
PID 2004 wrote to memory of 528	2004	kxvcvt.exe	30
PID 2004 wrote to memory of 528	2004	kxvcvt.exe	30
PID 2004 wrote to memory of 528	2004	kxvcvt.exe	30
PID 2004 wrote to memory of 1784	2004	kxvcvt.exe	31
PID 2004 wrote to memory of 1784	2004	kxvcvt.exe	31
PID 2004 wrote to memory of 1784	2004	kxvcvt.exe	31
PID 2004 wrote to memory of 1784	2004	kxvcvt.exe	31
PID 2004 wrote to memory of 1684	2004	kxvcvt.exe	32
PID 2004 wrote to memory of 1684	2004	kxvcvt.exe	32
PID 2004 wrote to memory of 1684	2004	kxvcvt.exe	32
PID 2004 wrote to memory of 1684	2004	kxvcvt.exe	32
PID 2004 wrote to memory of 1876	2004	kxvcvt.exe	33
PID 2004 wrote to memory of 1876	2004	kxvcvt.exe	33
PID 2004 wrote to memory of 1876	2004	kxvcvt.exe	33
PID 2004 wrote to memory of 1876	2004	kxvcvt.exe	33
PID 2004 wrote to memory of 1988	2004	kxvcvt.exe	34
PID 2004 wrote to memory of 1988	2004	kxvcvt.exe	34
PID 2004 wrote to memory of 1988	2004	kxvcvt.exe	34
PID 2004 wrote to memory of 1988	2004	kxvcvt.exe	34
PID 2004 wrote to memory of 972	2004	kxvcvt.exe	35
PID 2004 wrote to memory of 972	2004	kxvcvt.exe	35
PID 2004 wrote to memory of 972	2004	kxvcvt.exe	35
PID 2004 wrote to memory of 972	2004	kxvcvt.exe	35
PID 2004 wrote to memory of 364	2004	kxvcvt.exe	36
PID 2004 wrote to memory of 364	2004	kxvcvt.exe	36
PID 2004 wrote to memory of 364	2004	kxvcvt.exe	36
PID 2004 wrote to memory of 364	2004	kxvcvt.exe	36
PID 2004 wrote to memory of 364	2004	kxvcvt.exe	36
PID 2004 wrote to memory of 364	2004	kxvcvt.exe	36
PID 2004 wrote to memory of 364	2004	kxvcvt.exe	36
PID 2004 wrote to memory of 364	2004	kxvcvt.exe	36
PID 2004 wrote to memory of 364	2004	kxvcvt.exe	36

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\1e9bbbeb040fa46c67bc853dcc4f0e7f10c9bb1f45b67b0060b2b5fe2c1ad398.exe
"C:\Users\Admin\AppData\Local\Temp\1e9bbbeb040fa46c67bc853dcc4f0e7f10c9bb1f45b67b0060b2b5fe2c1ad398.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1592
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\6_84\ntie.vbe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Users\Admin\AppData\Local\Temp\6_84\kxvcvt.exe
    "C:\Users\Admin\AppData\Local\Temp\6_84\kxvcvt.exe" fkwfsiwr.docx
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2004
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      PID:1932
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      PID:528
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      PID:1784
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      PID:1684
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      PID:1876
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      PID:1988
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      PID:972
  - - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6_84\DBGIWD~1.WEJ

Filesize
254KB

MD5
8832f3614c9b59deb2956971f62c6d5b

SHA1
0a0e3d69ade88530b4039aaf00a813466b5fed6c

SHA256
e174bbb6a357e15b4608c0dce987ed3e8738f450cf395419d9317d00d2a51cec

SHA512
707e81fd06358ea2b769c245c85174d591cbb9e93a568690d260a8dbfb0f3ef28f93f22dc286d0f1382eb814a495e371accf9781e22d2c2eb075c1a3156027b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\6_84\fkwfsiwr.docx

Filesize
110.1MB

MD5
008d7f78ef10f6973cd1457857ce237b

SHA1
3fea1659a5749d2ede04ee10b8c45b5d8d038c86

SHA256
b231b1c0f33616c41f4a87feeb71c4e02a86a9545b784159e860d06db0920831

SHA512
b1045db22d00a7ae68364995674b4c7af30cd73e5159fd341fcfe460ae32bd798b84493cd93947c9e826eec406794eb632fe9acc547f4e18dcc9fe75bc5194bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\6_84\kxvcvt.exe

Filesize
1.1MB

MD5
0c8370cbb51a8835068114629d94dab1

SHA1
f6fceae38ed84e9f83ec91ad6d879061f884d4a4

SHA256
ccdd89da940950d5637f6fa41b1ec6a1fc65d8f564dd747644d9b768853f415c

SHA512
15961d30b14a53d0b00bb25446cce8414161ca7cb88a0fee7e2bce67274d0cb5abcc4962259ec55355e469bfbd30167f435abfbb16738b29b593f01be4e65a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6_84\kxvcvt.exe

Filesize
1.1MB

MD5
0c8370cbb51a8835068114629d94dab1

SHA1
f6fceae38ed84e9f83ec91ad6d879061f884d4a4

SHA256
ccdd89da940950d5637f6fa41b1ec6a1fc65d8f564dd747644d9b768853f415c

SHA512
15961d30b14a53d0b00bb25446cce8414161ca7cb88a0fee7e2bce67274d0cb5abcc4962259ec55355e469bfbd30167f435abfbb16738b29b593f01be4e65a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6_84\womfala.xml

Filesize
67KB

MD5
08701371739f806eb67ba04ddb11de54

SHA1
ff126de452631d7bf71443f75c30222df1a3549d

SHA256
c151259ec9ab64de94e9266ca2cb9f8a5e670bf9d35e8a7becc166527fe4c72a

SHA512
44ce09184875c88c62aee5a17d1ab386a11fb80874a8a21f293b1c455b55876af1319ebb485dca450e9673de4261f3ebd6d5555dd3369b39ebc4fda7f63b2c6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\temp\6_84\ntie.vbe

Filesize
67KB

MD5
6863f6c0f22b25009ca51f169073e8dd

SHA1
fb2273661d07063f3a3f262f56c36af85fc0d3d4

SHA256
b35ba4d16bed878dba20daf93186f3b8818d3f0a6b770ae70274bbedc1453ced

SHA512
0c85762acf589b05630036449403cdcd62b6772333c797a5fbfb17cc6e8408ea8853a21971e5ce10b9a1a18a32e259a6fedf108a0b2bb9e041571f13681a55f8

Download Submit
\Users\Admin\AppData\Local\Temp\6_84\kxvcvt.exe

Filesize
1.1MB

MD5
0c8370cbb51a8835068114629d94dab1

SHA1
f6fceae38ed84e9f83ec91ad6d879061f884d4a4

SHA256
ccdd89da940950d5637f6fa41b1ec6a1fc65d8f564dd747644d9b768853f415c

SHA512
15961d30b14a53d0b00bb25446cce8414161ca7cb88a0fee7e2bce67274d0cb5abcc4962259ec55355e469bfbd30167f435abfbb16738b29b593f01be4e65a8e

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
memory/364-74-0x00000000002F0000-0x0000000000A04000-memory.dmp

Filesize
7.1MB

Download
memory/364-82-0x00000000002F0000-0x0000000000A04000-memory.dmp

Filesize
7.1MB

Download
memory/364-84-0x00000000002F0000-0x0000000000316000-memory.dmp

Filesize
152KB

Download
memory/364-76-0x00000000002F0000-0x0000000000A04000-memory.dmp

Filesize
7.1MB

Download
memory/364-80-0x00000000002F0000-0x0000000000A04000-memory.dmp

Filesize
7.1MB

Download
memory/1592-54-0x0000000074FB1000-0x0000000074FB3000-memory.dmp

Filesize
8KB

Download