Analysis
- max time kernel: 149s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-11-2022 19:18
Static task
- static1
Behavioral task
- behavioral1
  - Sample: Agents Letter.exe
  - Resource: win7-20220812-en
Behavioral task
- behavioral2
  - Sample: Agents Letter.exe
  - Resource: win10v2004-20220812-en
  (The signatures, process tree and memory dumps below are from this Windows 10 run; the yara hit is recorded against behavioral2/memory/....)
General
- Target: Agents Letter.exe
- Size: 430KB
- MD5: 2c27fdafaa47f61b79d8b5513c8e4d23
- SHA1: 262e6cb688ad062bdde2b6702871a5a07e4409f4
- SHA256: 6b1ee9252cc101156e585e7cd6c59ea3850a010c57a7f1b1915d5438cbc5b4de
- SHA512: d3fdfb89c23329e36a2c043a8159bf8816e2a0c8df432dc407f9c45f3c8b1f2c719c9a57c028ed7c81154c72fcb66147c223d25c73ef77a66a9114024444aa24
- SSDEEP: 3072:w9Op4I8ZZpSOs4PNdvr+1UjTsvY3h4I5UWIDRRineV3Kap/ObYOOt7POITGCotdK:WIMZUOJpq1B4UhDqe5pmboNNPonA4
Malware Config
Signatures
-
Snake Keylogger
Keylogger and infostealer first seen in November 2020.
-
Snake Keylogger payload (1 IoC)
yara rule: family_snakekeylogger
resource: behavioral2/memory/5008-146-0x0000000000400000-0x0000000000426000-memory.dmp
The rule fires on a 152KB region at image base 0x400000 inside PID 5008, the child copy of Agents Letter.exe that the parent (PID 4468) writes into and re-points with SetThreadContext below. It fires only on that unpacked payload in memory, not on any of PID 4468's own dumped regions, so the on-disk sample is a packer/loader stage and the family match depends on the injected image.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
process: Agents Letter.exe
operation: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
Adds Run key to start application (2 TTPs, 1 IoC)
process: Agents Letter.exe
operation: Set value (str)
ioc (as logged): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yndvivvuap = "\"C:\\Users\\Admin\\AppData\\Roaming\\Ugysow\\Yndvivvuap.exe\""
decoded value: "C:\Users\Admin\AppData\Roaming\Ugysow\Yndvivvuap.exe"
Per-user (HKCU ...\CurrentVersion\Run) persistence pointing at a copy under %APPDATA%\Ugysow\. The value name, directory and executable name are the same random-looking tokens, a useful hunting shape on its own. The dropped executable itself does not appear among the files captured in the Downloads section below, so only the registry write, not the file, is recorded in this report.
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 53: checkip.dyndns.org
This is the only network indicator recorded in the report; the Network section below is empty in this capture, so the exfiltration channel is not visible here (Snake Keylogger typically reports over SMTP, FTP or Telegram).
Suspicious use of SetThreadContext (1 IoC)
PID 4468 (Agents Letter.exe) set thread context of PID 5008 (Agents Letter.exe)
Taken together with the WriteProcessMemory events below, this is the process-hollowing pattern: the parent starts a copy of its own image, writes the unpacked payload into it, and redirects the child's main thread with SetThreadContext before letting it run. The region flagged by yara in PID 5008 (0x400000-0x426000) is the result of that write.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this "likely ransomware behaviour", but nothing else in this report supports that reading: there is no file encryption or mass file modification recorded, and the sample is classified as Snake Keylogger. Drive enumeration here is better read as stealer reconnaissance.
-
Suspicious behavior: EnumeratesProcesses (5 IoCs)
- PID 1080 powershell.exe (2)
- PID 4468 Agents Letter.exe (2)
- PID 5008 Agents Letter.exe (1)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
- Token: SeDebugPrivilege, PID 4468 Agents Letter.exe
- Token: SeDebugPrivilege, PID 1080 powershell.exe
- Token: SeDebugPrivilege, PID 5008 Agents Letter.exe
Suspicious use of WriteProcessMemory (14 IoCs)
PID 4468 (Agents Letter.exe) wrote to memory of:
- PID 1080 powershell.exe: 3 writes
- PID 428 Agents Letter.exe: 3 writes
- PID 5008 Agents Letter.exe: 8 writes
Every child here receives three writes on creation, including the ordinary powershell.exe child (process creation itself copies the process parameters into the new child), so three is the startup baseline rather than injection. PID 5008 is the only child that receives writes beyond that baseline and the only one that also gets SetThreadContext; those extra writes are the payload. PID 428 gets only the baseline writes, triggers no further signatures, and leaves nothing but a mapping record in the memory dumps.
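The WriteProcessMemory and SetThreadContext signatures above are flattened one-line tables, and the hollowing conclusion comes from reading them together. The script below is an added example (not part of the sandbox report or its tooling) that parses those event lines, counts writes per parent/child pair, derives the startup-write baseline from the least-written child, and flags any pair where the parent both writes into a child running its own image and then sets its thread context. The EVENTS text is copied from the report; the line format assumed by EVENT_RE and the scoring rule are this example's own assumptions.

```python
"""Rebuild the injection chain from sandbox WriteProcessMemory / SetThreadContext
event lines and flag process-hollowing candidates.

Added example, not part of the original report. EVENTS is copied from the
signature tables of the report (constructed input for this script); the
assumed line format (EVENT_RE) and the flagging rule are this example's own.
"""
import re
from collections import Counter
from typing import Dict, List, Set, Tuple

# Event lines copied from the report (constructed input for this example).
EVENTS = """
PID 4468 wrote to memory of 1080 4468 Agents Letter.exe powershell.exe
PID 4468 wrote to memory of 1080 4468 Agents Letter.exe powershell.exe
PID 4468 wrote to memory of 1080 4468 Agents Letter.exe powershell.exe
PID 4468 wrote to memory of 428 4468 Agents Letter.exe Agents Letter.exe
PID 4468 wrote to memory of 428 4468 Agents Letter.exe Agents Letter.exe
PID 4468 wrote to memory of 428 4468 Agents Letter.exe Agents Letter.exe
PID 4468 wrote to memory of 5008 4468 Agents Letter.exe Agents Letter.exe
PID 4468 wrote to memory of 5008 4468 Agents Letter.exe Agents Letter.exe
PID 4468 wrote to memory of 5008 4468 Agents Letter.exe Agents Letter.exe
PID 4468 wrote to memory of 5008 4468 Agents Letter.exe Agents Letter.exe
PID 4468 wrote to memory of 5008 4468 Agents Letter.exe Agents Letter.exe
PID 4468 wrote to memory of 5008 4468 Agents Letter.exe Agents Letter.exe
PID 4468 wrote to memory of 5008 4468 Agents Letter.exe Agents Letter.exe
PID 4468 wrote to memory of 5008 4468 Agents Letter.exe Agents Letter.exe
PID 4468 set thread context of 5008 4468 Agents Letter.exe Agents Letter.exe
""".strip().splitlines()

# Assumed layout: "PID <src> <op> <dst> <src again> <src image> <dst image>".
# Image names may contain spaces, so both image captures are anchored on ".exe".
EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<src_img>.+?\.exe) (?P<dst_img>.+?\.exe)$",
    re.IGNORECASE,
)

Event = Dict[str, object]


def parse_events(lines: List[str]) -> List[Event]:
    """Parse the flattened event lines; lines in any other format are skipped."""
    events: List[Event] = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m is None:
            continue
        d = m.groupdict()
        events.append({
            "src": int(d["src"]), "dst": int(d["dst"]),
            "op": "write" if d["op"].lower().startswith("wrote") else "set_ctx",
            "src_img": d["src_img"], "dst_img": d["dst_img"],
        })
    return events


def write_counts(events: List[Event]) -> Counter:
    """WriteProcessMemory events per (source pid, target pid)."""
    return Counter((e["src"], e["dst"]) for e in events if e["op"] == "write")


def set_context_pairs(events: List[Event]) -> Set[Tuple[int, int]]:
    """(source pid, target pid) pairs that saw SetThreadContext."""
    return {(e["src"], e["dst"]) for e in events if e["op"] == "set_ctx"}


def baseline_writes(events: List[Event]) -> int:
    """Smallest write count seen for any child. Process creation itself writes
    into the new child, so this is the startup baseline, not injection."""
    counts = write_counts(events)
    return min(counts.values()) if counts else 0


def hollowing_candidates(events: List[Event]) -> List[Tuple[int, int, str, int]]:
    """(src, dst, image, writes) for every pair where the parent wrote into a
    child running the same image and then called SetThreadContext on it: the
    write-then-redirect-entry-point sequence against an own-image child."""
    writes = write_counts(events)
    image_of = {(e["src"], e["dst"]): (e["src_img"], e["dst_img"]) for e in events}
    out = []
    for pair in sorted(set_context_pairs(events)):
        src_img, dst_img = image_of[pair]
        if writes.get(pair, 0) > 0 and src_img.lower() == dst_img.lower():
            out.append((pair[0], pair[1], dst_img, writes[pair]))
    return out


def report(lines: List[str]) -> str:
    events = parse_events(lines)
    base = baseline_writes(events)
    out = [f"{len(events)} events parsed; startup write baseline = {base}"]
    for (src, dst), n in sorted(write_counts(events).items()):
        extra = f" (+{n - base} beyond baseline)" if n > base else ""
        out.append(f"  {src} -> {dst}: {n} writes{extra}")
    for src, dst, img, n in hollowing_candidates(events):
        out.append(f"HOLLOWING CANDIDATE: {src} -> {dst} ({img}), "
                   f"{n} writes + SetThreadContext")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(EVENTS))
```

Run against the report's lines, this yields a baseline of three writes, shows 4468 -> 5008 at +5 beyond it, and flags that pair as the hollowing candidate; 4468 -> 428 and 4468 -> 1080 sit at the baseline and are not flagged. The same-image check is what separates hollowing a copy of yourself from injecting into an unrelated process; drop it if you want cross-process injection reported too.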
Processes
(PIDs are taken from the signature tables above: 4468 is the parent, 1080 the powershell.exe child, and of the two child copies of Agents Letter.exe only 5008 appears in any signature, so the unsigned entry is 428.)
- C:\Users\Admin\AppData\Local\Temp\Agents Letter.exe (PID 4468, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\Agents Letter.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1080, depth 2)
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwAwAA==
    The -ENC argument is base64 over UTF-16LE and decodes to exactly "Start-Sleep -Seconds 30": a 30-second pause and nothing else, a common timing delay against sandboxes (well inside this run's 149s kernel budget, so it did not hide anything here). The command line asks for the System32 path but the image on disk is under SysWOW64: WoW64 file-system redirection, which shows the parent is a 32-bit process, matching the arch:x86 resource tag.
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\Agents Letter.exe (PID 428, depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\Agents Letter.exe"
    (no signatures)
  - C:\Users\Admin\AppData\Local\Temp\Agents Letter.exe (PID 5008, depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\Agents Letter.exe"
    (hollowed copy; holds the Snake Keylogger payload region flagged above)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Agents Letter.exe.log
  Filesize: 1KB
  MD5: 026fb31495d30e5dbfd00f398c2efbf8
  SHA1: 9cda8f5f58129e4d592ca1b9867835c86f38ab1b
  SHA256: b008f16eeae90b4c6ba119fb308616c0795cdaca51adf2b64470a0c01aeeb8b7
  SHA512: 6d1cc01c90613522cfb7be7ea67ff03732b367dfc7bfd245ad6d7ea8e5e5def431b3339d17893b7b193cee2c3b4c22a459acd3d852ee88fce711e30c5af195a1
  (A CLR_v4.0_32 usage log named after the sample means Agents Letter.exe ran as a 32-bit .NET Framework 4 assembly, consistent with the WoW64 powershell path in the process tree.)

Memory dumps, grouped by PID (dump index and address range as named by the sandbox):
- memory/428-144-0x0000000000000000-mapping.dmp
- memory/1080-136-0x0000000000000000-mapping.dmp
- memory/1080-137-0x00000000022E0000-0x0000000002316000-memory.dmp, Filesize: 216KB
- memory/1080-138-0x0000000004F70000-0x0000000005598000-memory.dmp, Filesize: 6.2MB
- memory/1080-139-0x0000000004D50000-0x0000000004DB6000-memory.dmp, Filesize: 408KB
- memory/1080-140-0x00000000055A0000-0x0000000005606000-memory.dmp, Filesize: 408KB
- memory/1080-141-0x0000000005BF0000-0x0000000005C0E000-memory.dmp, Filesize: 120KB
- memory/1080-142-0x00000000074F0000-0x0000000007B6A000-memory.dmp, Filesize: 6.5MB
- memory/1080-143-0x0000000006190000-0x00000000061AA000-memory.dmp, Filesize: 104KB
- memory/4468-132-0x0000000000630000-0x00000000006A2000-memory.dmp, Filesize: 456KB
- memory/4468-133-0x0000000005E00000-0x0000000005E92000-memory.dmp, Filesize: 584KB
- memory/4468-134-0x0000000006450000-0x00000000069F4000-memory.dmp, Filesize: 5.6MB
- memory/4468-135-0x0000000005ED0000-0x0000000005EF2000-memory.dmp, Filesize: 136KB
- memory/5008-145-0x0000000000000000-mapping.dmp
- memory/5008-146-0x0000000000400000-0x0000000000426000-memory.dmp, Filesize: 152KB (the region the family_snakekeylogger yara rule matched)
- memory/5008-148-0x0000000005540000-0x00000000055DC000-memory.dmp, Filesize: 624KB